Here’s the thing about the Crunchyroll breach: Crunchyroll’s own systems were never touched. Not their servers, not their databases, not their infrastructure. And 6.8 million users still had their data taken.

Here’s how. Telus, a telecom company Crunchyroll uses for customer support outsourcing, had an employee whose device was compromised by malware. The attacker used that foothold to get into the employee’s Okta account (the single sign-on system providing access to a bundle of business tools). One of those tools was Crunchyroll’s Zendesk instance, the customer service ticketing platform where millions of support requests live. The attacker downloaded roughly 8 million support ticket records containing approximately 6.8 million unique email addresses, account identifiers, subscriber information, and payment dispute history.

Three hops. One infected laptop at a vendor. And 6.8 million users affected who never interacted with Telus, probably never heard of them, and certainly never agreed to have their information sitting on a device that would eventually get compromised.

Crunchyroll is calling it “limited to customer service ticket data.” The attacker is claiming 100GB. Those two things don’t easily coexist. Both are probably partially true in ways that don’t quite add up, and users are left guessing in the middle.

Support ticket data sounds mundane. It’s not. An attacker holding your email address, account ID, and the specific details of a support request you filed has everything they need for a convincing targeted phishing campaign. Not a generic “your account has been compromised” blast. Something specific. “We noticed your support request from March 12 regarding your subscription hasn’t been resolved…” That kind of specificity gets people to click.

If you’ve ever contacted Crunchyroll support, change your password, enable two-factor authentication, and be skeptical of any email referencing your account with specific details. The phishing window after a breach like this is real.

