Full Report
Popular anime streaming platform Crunchyroll is investigating a breach after hackers claimed to have stolen personal information for approximately 6.8 million people. [...]
Analysis Summary
# Incident Report: Compromise of Crunchyroll Zendesk via BPO Support Agent
## Executive Summary
Crunchyroll is investigating a significant data breach following claims by a threat actor that they exfiltrated approximately 6.8 million unique user records. The breach originated from the compromise of a third-party support agent at Telus International (a Business Process Outsourcing provider) via malware. The attackers successfully accessed internal support systems, including Zendesk, and are currently attempting to extort Crunchyroll for $5 million.
## Incident Details
- **Discovery Date:** March 19, 2026 (when the threat actor contacted BleepingComputer)
- **Incident Date:** March 12, 2025, 9:00 PM EST
- **Affected Organization:** Crunchyroll (via Telus International BPO)
- **Sector:** Entertainment / Media Streaming
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 12, 2025
- **Vector:** Infostealer Malware
- **Details:** Attackers infected a personal or work computer of a Telus International support agent, capturing credentials for the agent's Okta SSO account.
### Lateral Movement
- Using the compromised Okta credentials, and either reusing or bypassing the associated session tokens, the attackers accessed several Crunchyroll applications integrated with the SSO, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace, Slack, and Jira Service Management.
### Data Exfiltration/Impact
- The attackers downloaded 8 million support tickets from the Zendesk instance.
- Approximately 6.8 million unique email addresses were identified in the haul.
- Data captured includes names, usernames, IP addresses, geographic locations, and ticket conversation history.
### Detection & Response
- **Detection:** The breach was identified internally after 24 hours of unauthorized access, leading to credential revocation.
- **Response:** Crunchyroll engaged external cybersecurity experts to investigate the scope. The company has not engaged with the $5 million extortion demand.
## Attack Methodology
- **Initial Access:** Malware (Infostealer) used on a BPO employee device.
- **Persistence:** Real-time access maintained for 24 hours via compromised Okta SSO.
- **Privilege Escalation:** Not explicitly required; the support agent's existing permissions allowed broad access to support tools.
- **Defense Evasion:** Use of legitimate credentials (SSO) to blend in with authorized traffic.
- **Credential Access:** Theft of Okta SSO credentials via malware.
- **Discovery:** Enumeration of connected applications within the Okta dashboard.
- **Lateral Movement:** Web-based lateral movement across SaaS platforms (Zendesk, Slack, Jira).
- **Collection:** Bulk downloading of records from Zendesk.
- **Exfiltration:** Direct download of support ticket databases.
- **Impact:** Data theft and attempted financial extortion of $5M.
## Impact Assessment
- **Financial:** Potential $5 million extortion demand; costs associated with forensics and legal notifications.
- **Data Breach:** Exposure of 6.8 million unique emails and associated PII (Name, IP, Location).
- **Operational:** Disruption to support services; potential need to rotate keys and audit all SaaS logs.
- **Reputational:** High public impact due to the scale of the user base and the nature of the data (support conversations).
## Indicators of Compromise
- **Targeted Assets:** `crunchyroll.zendesk[.]com`, `crunchyroll.slack[.]com`, `okta[.]com`
- **Behavioral:** High-volume data export from Zendesk; login from a support agent account via an unrecognized IP or suspicious geolocation.
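The two behavioral indicators above can be turned into detection logic. The following is an added example, not code from the report or from Crunchyroll, Telus or Okta; it runs over constructed Okta-style sign-in and Zendesk ticket-read events for a hypothetical agent account and assumes a partner IP allowlist and a per-agent read threshold are available.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real logs): Okta-style sign-ins and Zendesk
# ticket reads for a hypothetical BPO agent. The second login comes from an IP
# outside the partner's registered range and then reads tickets at machine speed.
EVENTS = [
    {"ts": "2025-03-12T20:55:00", "type": "login", "user": "agent1@bpo.example", "ip": "198.51.100.10"},
    {"ts": "2025-03-12T21:00:00", "type": "login", "user": "agent1@bpo.example", "ip": "203.0.113.77"},
    {"ts": "2025-03-12T21:05:00", "type": "ticket.read", "user": "agent2@bpo.example", "ip": "198.51.100.10"},
]
EVENTS += [
    {"ts": f"2025-03-12T21:{m:02d}:00", "type": "ticket.read", "user": "agent1@bpo.example", "ip": "203.0.113.77"}
    for m in range(1, 60)
]

# IPs the BPO partner has registered for its agents (constructed allowlist).
KNOWN_AGENT_IPS = {"198.51.100.10", "198.51.100.11"}


def anomalous_logins(events, known_ips):
    """(user, ip) pairs for sign-ins from outside the partner allowlist."""
    return [(e["user"], e["ip"]) for e in events
            if e["type"] == "login" and e["ip"] not in known_ips]


def bulk_readers(events, threshold, window_minutes):
    """Users who read more than `threshold` tickets inside any sliding window."""
    window = timedelta(minutes=window_minutes)
    reads = defaultdict(list)
    for e in events:
        if e["type"] == "ticket.read":
            reads[e["user"]].append(datetime.fromisoformat(e["ts"]))
    flagged = set()
    for user, times in reads.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 > threshold:
                flagged.add(user)
                break
    return flagged


def correlated_alerts(events, known_ips, threshold=50, window_minutes=60):
    """Accounts showing both signals: an off-allowlist login and bulk ticket reads."""
    suspicious = {user for user, _ in anomalous_logins(events, known_ips)}
    return suspicious & bulk_readers(events, threshold, window_minutes)
```

The threshold of 50 reads per hour is an assumed value; in practice it would be set from a baseline of normal agent activity.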
## Response Actions
- **Containment:** Access to the compromised Okta account was revoked within 24 hours.
- **Eradication:** Investigation into the specific malware used on the BPO agent's machine.
- **Recovery:** Ongoing investigation with third-party security experts to validate the extent of the data loss.
## Lessons Learned
- **BPO Risks:** Third-party Business Process Outsourcing (BPO) firms represent a high-value "choke point" for attackers.
- **Session Security:** Relying solely on SSO is risky if the endpoint is compromised; session timeouts and device trust verification are critical.
- **PII in Tickets:** Users often include sensitive data (like card info) in plaintext support tickets despite official policies.
## Recommendations
- **Endpoint Hardening:** Ensure BPO partners utilize managed, hardened devices with strictly enforced EDR (Endpoint Detection and Response).
- **Conditional Access:** Implement stricter Okta policies, such as IP whitelisting for support agents or hardware-based MFA (e.g., FIDO2/YubiKeys) to mitigate infostealer risks.
- **Data Masking:** Implement automated PII/PCI masking within Zendesk to redact credit card numbers or sensitive info automatically from ticket descriptions.
- **Least Privilege:** Limit the number of historical records a single support agent account can export or view in a short timeframe.