A Hacker Infected One Call Center Agent's Laptop—6.8 Million Crunchyroll Users' Emails Spilled in 24 Hours

How the Attack Worked

On March 12, 2026, a threat actor compromised the device of a customer support agent employed by Telus International, a business process outsourcing company that handles support tickets for Crunchyroll. The attacker used malware to capture the agent's Okta single sign on credentials, then pivoted into Crunchyroll's internal systems.

From that single compromised account, the hacker gained access to Crunchyroll's Slack workspace, Zendesk ticketing platform, and Google Workspace environment. The attacker then began downloading support ticket records in bulk, exfiltrating roughly 100 gigabytes of data before Crunchyroll's security team detected the intrusion and revoked access within 24 hours.

Speed did not matter. By the time the door was shut, the data was already gone.

What Was Stolen

The hacker accessed approximately 8 million customer support tickets containing data on 6.8 million unique users. The stolen records include:

• Email addresses for 6.8 million accounts
• Full names and usernames
• IP addresses and approximate locations
• Partial credit card details including last four digits and expiration dates
• Complete support ticket conversations including every message a customer ever sent to Crunchyroll's help desk

The support conversations are the most dangerous element. They contain the exact words customers used to describe billing problems, account issues, and personal complaints. An attacker who references a specific support interaction you actually had is far more convincing than one sending a generic phishing template.

The $5 Million Demand

The hacker contacted BleepingComputer and the International Cyber Digest on March 21, nine days after the breach, claiming responsibility and demanding $5 million from Crunchyroll to prevent the data from being released. Crunchyroll did not respond to the demand. The data was subsequently leaked online over that weekend.

On March 24, Crunchyroll publicly confirmed the incident, stating: "We believe that the information is primarily limited to customer service ticket data following an incident with a third party vendor. We have not identified evidence of ongoing access." A class action lawsuit has already been filed.

The Outsourcing Blind Spot

This breach did not happen because Crunchyroll's own security failed. It happened because a contractor's employee at a business process outsourcing firm had access to Crunchyroll's most sensitive customer systems through a single sign on portal, and that employee's device was not adequately protected.

BPO companies are an increasingly common attack surface. They handle customer data for dozens of clients simultaneously, often with lower security budgets than the brands they represent. When a BPO agent has Okta access to your Slack, your Zendesk, and your Google Workspace, a single compromised credential chain unlocks everything. The brand is Crunchyroll. The security perimeter was Telus International.

This pattern is not new. The Vercel breach in April 2026 also originated through a compromised third party vendor. Attackers are learning that the fastest way into a well defended company is through the companies it depends on.

Why 6.8 Million Stolen Emails Should Worry You

When millions of email addresses leak alongside detailed personal context, the first thing attackers do is verify which addresses are still active. One common method is sending emails embedded with invisible tracking pixels, tiny images that silently report back when you open the message. If the pixel fires, the attacker knows your address is live and your inbox is being read.

Combine a confirmed active email address with the exact words from your Crunchyroll support ticket, and you get phishing emails that are almost indistinguishable from legitimate communications. "We noticed your billing issue from February has not been resolved" is far more convincing when it references a real conversation you actually had.

What to Do Now

If you have ever contacted Crunchyroll's customer support, assume your email address and support history are compromised. Take these steps:

• Check Have I Been Pwned to see if your email appears in the Crunchyroll dataset.
• Change your Crunchyroll password and any other account where you used the same email and password combination.
• Watch for emails that reference your past support tickets. Crunchyroll will never ask you to click a link to "verify your account" or "confirm your identity" in response to the breach.
• Enable two factor authentication on your Crunchyroll account and on the email account associated with it.
• Monitor your credit card statements if you provided payment information in a support interaction. The partial card details in this breach could be combined with information from other leaks to attempt fraud.

One Laptop, 6.8 Million People

The Crunchyroll breach is a case study in how modern data theft works. The attacker did not need a zero day exploit or a sophisticated nation state toolkit. They needed malware on one laptop belonging to one outsourced support agent at one BPO company. That was enough to reach 100 gigabytes of customer data in under 24 hours.

For the 6.8 million people whose emails, support conversations, and partial credit card details are now circulating online, the damage is already done. The data is out. The phishing campaigns are coming. The best defense now is knowing what was stolen and being ready for how it will be used.