Earlier this week, reports surfaced suggesting that threat actors had stolen the data of around 6.8 million Crunchyroll users, almost half of the company's 15-million-strong worldwide user base.
Following those reports, which originated when the hacker reportedly contacted BleepingComputer last week with claims of the cyber attack, Crunchyroll said it had launched an investigation into the alleged incident.
"We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll told BleepingComputer.
"Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor," it later wrote in a statement to media.
"We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely."
According to the threat actors, Crunchyroll suffered the data incident after they breached the Okta SSO account of a Crunchyroll support agent.
The staffer was reportedly an employee of Telus International, a business process outsourcing firm that has access to Crunchyroll support tickets. According to the hacker, they deployed malware that infected the staffer’s device and took their credentials, leading to the access.
According to screenshots reportedly sent to BleepingComputer, the credentials granted access to a number of applications, including Google Workspace Mail, Jira Service Management, Slack, Mixpanel, MaestroQA, Wizer and Zendesk.
According to the publication, the Zendesk access was used to download 8 million support tickets, which allegedly contained 6.8 million unique email addresses.
Samples also reportedly contained user names, login names, email addresses, general geographic locations, IP addresses and support ticket contents.
BleepingComputer says that some reports claim credit card information was exposed, but says the only financial data exposed was that shared in support tickets, and that this contained only basic data such as expiration dates and the last 4 digits of a card number. Only a handful contained full card numbers.
All the support tickets reference Telus, which backs the threat actors' claims. The hackers said their access was revoked after 24 hours, meaning the stolen data is relevant up to mid-2025.
The threat actor also said it had sent extortion emails to Crunchyroll demanding US$5 million in exchange for not leaking the data. The company has reportedly not responded.
BleepingComputer says it was told that the hack was separate to a recent alleged breach of Telus Digital, which was claimed by ShinyHunters.
It is currently not publicly known which threat actor launched the recent Crunchyroll attack.