Hackers Claim Theft of 6.8 M Crunchyroll User Records via Compromised BPO Agent Credentials
What Happened – Threat actors say they breached Crunchyroll on 12 Mar 2026 by compromising the Okta SSO account of a support agent employed by Telus International, a third‑party BPO. Using malware‑derived credentials, they accessed Zendesk, Google Workspace, Slack and other internal tools, exfiltrating roughly 8 M support‑ticket records (≈6.8 M unique email addresses) that contain names, IPs, locations and, in a few cases, partial credit‑card data. The attackers demanded a $5 M ransom, but Crunchyroll has not responded.
Why It Matters for TPRM
- Highlights the risk of credential theft from outsourced staff and the downstream impact on customer data.
- Shows how a single compromised SSO account can cascade across multiple SaaS services.
- Demonstrates the need for continuous monitoring of third‑party access and rapid revocation capabilities.
Who Is Affected – Media & entertainment streaming platforms; BPO/outsourced support providers; any organization exposing customer‑service data via SaaS ticketing systems.
Recommended Actions
- Conduct an immediate audit of all third‑party SSO integrations and enforce MFA for every privileged account.
- Review and limit the scope of access granted to BPO personnel (principle of least privilege).
- Verify that all compromised credentials have been revoked and monitor for anomalous activity across linked SaaS tools.
- Assess the exposed support‑ticket data for PII and notify affected users per regulatory requirements.
Technical Notes – Attack vector: stolen Okta credentials via malware on a BPO agent’s workstation; lateral movement through Zendesk, Google Workspace, Slack, Mixpanel, etc. No public evidence of a vulnerability in Crunchyroll’s own code. Data exfiltrated includes email, name, IP, geographic info, ticket content; limited credit‑card details appear only where users voluntarily shared them. Source: BleepingComputer
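Detection sketch for the monitoring recommendation above (an added example, not from the source report): it flags a third-party identity that signs in from an IP new to that account and then reaches several SaaS apps in a short window, the fan-out pattern described in the Technical Notes. The event fields, the `bpo.example` and `corp.example` domains, the function name and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sign-in events: (timestamp, user, source IP, app).
# Simplified fields for illustration, not any vendor's log schema.
EVENTS = [
    ("2026-01-05T09:02:00", "agent7@bpo.example", "203.0.113.10", "zendesk"),
    ("2026-01-06T09:05:00", "agent7@bpo.example", "203.0.113.10", "zendesk"),
    ("2026-01-07T03:14:00", "agent7@bpo.example", "198.51.100.77", "zendesk"),
    ("2026-01-07T03:16:00", "agent7@bpo.example", "198.51.100.77", "google_workspace"),
    ("2026-01-07T03:21:00", "agent7@bpo.example", "198.51.100.77", "slack"),
    ("2026-01-07T03:25:00", "agent7@bpo.example", "198.51.100.77", "mixpanel"),
    ("2026-01-05T10:00:00", "agent9@bpo.example", "203.0.113.20", "zendesk"),
    ("2026-01-07T11:00:00", "agent9@bpo.example", "192.0.2.44", "zendesk"),
    ("2026-01-05T08:00:00", "staff@corp.example", "203.0.113.30", "slack"),
    ("2026-01-07T08:00:00", "staff@corp.example", "192.0.2.99", "slack"),
    ("2026-01-07T08:05:00", "staff@corp.example", "192.0.2.99", "zendesk"),
    ("2026-01-07T08:09:00", "staff@corp.example", "192.0.2.99", "mixpanel"),
]

def flag_fanout(events, vendor_domains, window=timedelta(minutes=30), min_apps=3):
    """Return (user, ip, apps) for vendor accounts that reach min_apps distinct
    apps within `window` of first appearing on an IP new to that account."""
    seen_ips = defaultdict(set)   # user -> source IPs observed so far
    bursts = {}                   # (user, ip) -> (first_seen, apps reached)
    alerts = []
    for ts, user, ip, app in sorted(events):      # ISO timestamps sort in time order
        if user.rsplit("@", 1)[-1] not in vendor_domains:
            continue                              # only third-party identities
        t = datetime.fromisoformat(ts)
        if ip not in seen_ips[user]:
            if seen_ips[user]:                    # account has history: IP is new
                bursts[(user, ip)] = (t, set())
            seen_ips[user].add(ip)
        burst = bursts.get((user, ip))
        if burst and t - burst[0] <= window and app not in burst[1]:
            burst[1].add(app)
            if len(burst[1]) == min_apps:         # alert once per burst
                alerts.append((user, ip, sorted(burst[1])))
    return alerts

if __name__ == "__main__":
    for alert in flag_fanout(EVENTS, {"bpo.example"}):
        print("ALERT", alert)
```

The first IP ever seen for an account is treated as its baseline, so the rule needs some sign-in history per identity before it can fire.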