Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people.

"We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll told BleepingComputer.

This statement comes after a threat actor contacted BleepingComputer last Thursday and claimed they breached Crunchyroll on March 12th at 9 PM EST, after gaining access to the Okta SSO account of a support agent working for Crunchyroll.

This support agent is allegedly an employee of the Telus International business process outsourcing (BPO) company, who has access to Crunchyroll support tickets. The threat actors claimed to have used malware to infect the agent's computer and gain access to their credentials.

From screenshots shared with BleepingComputer, these credentials gave access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jiro Service Management, and Slack.

Using this access, the attackers say they downloaded 8 million support ticket records from Crunchyroll's Zendesk instance. Of these records, there are allegedly 6.8 million unique email addresses.

Samples of the support tickets seen by BleepingComputer and then deleted contain a wide variety of information, including the Crunchyroll user's name, login name, email address, IP address, general geographic location, and the contents of the support tickets.

While other reports on the incident claim that credit card information was exposed, BleepingComputer has confirmed that credit card details were exposed only when the customer shared them in the support ticket.

For the most part, this included only basic information, such as the last four digits or expiration dates, and only a few contained full card numbers, according to the threat actor.

The support tickets seen by BleepingComputer all reference Telus, supporting the threat actor's claim that they compromised a BPO employee.

The attacker says their access was revoked after 24 hours, letting them steal data up to mid-2025.

The hacker claims to have sent extortion emails to Crunchyroll, demanding $5 million in exchange for not publicly leaking the data, but did not receive a response from the company.

While this attack targeted a Telus employee, BleepingComputer was told it was not related to the massive breach at Telus Digital by the ShinyHunters extortion gang.

BPOs are a high-value target

Business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies.

As a result, threat actors can compromise a single BPO employee and gain access to large amounts of customer and corporate data across multiple companies.

In the past year, threat actors have exploited BPOs by bribing insiders with legitimate access, social engineering support staff into granting unauthorized access, and compromising BPO employee accounts to reach internal systems.

In one of the most prominent cases, attackers posed as an employee and convinced a Cognizant help desk support agent to grant them access to a Clorox employee account, allowing them to breach the company's network.

Major retailers also confirmed that social engineering attacks against support personnel enabled ransomware and data theft attacks.

Marks & Spencer confirmed that attackers used social engineering to breach its networks, while Co-op disclosed data theft following a ransomware attack that similarly abused support staff's access.

In response to the attacks on M&S and Co-op retail companies, the U.K. government issued guidance on social engineering attacks against help desks and BPOs.

In some cases, hackers target the BPO employee accounts themselves to gain access to the customer data they manage.

In October, Discord disclosed a data breach that allegedly exposed data from 5.5 million unique users after its Zendesk support system instance was compromised.