Crunchyroll 6.8M Users Exposed After Infostealer Malware Compromises TELUS Support Agent's Okta Credentials

Mar 12, 2026 · 6.8M users · 100GB stolen · $5M ransom

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE


On March 12, 2026, at 9:00 p.m. EST, a threat actor breached Crunchyroll - the Sony-owned anime streaming platform with 17 million paid subscribers and 120 million registered users across more than 200 countries - by compromising the Okta single sign-on credentials of a customer support agent employed by TELUS Digital, Crunchyroll's India-based business process outsourcing provider.

The attacker delivered a spoofed phishing email containing a malicious attachment to the TELUS employee, who executed it, deploying infostealer malware on the agent's workstation.

The malware harvested Okta SSO credentials that provided federated access to seven Crunchyroll internal systems.

Over a 24-hour window before Crunchyroll revoked access, the attacker downloaded approximately 8 million support ticket records from the Zendesk instance, containing 6.8 million unique email addresses and 100 gigabytes of customer data. The attacker demanded $5 million.

Crunchyroll did not respond. As of March 31 - 19 days after the breach - Crunchyroll has not directly notified affected users. Sony acquired Crunchyroll from AT&T in August 2021 for $1.175 billion.

01

KEY FACTS

  • What: Infostealer malware on a TELUS Digital BPO agent's workstation in India captured Okta SSO credentials, enabling exfiltration of 8 million Zendesk support tickets (6.8 million unique email addresses) over a 24-hour access window.
  • Who: Crunchyroll LLC, a wholly owned subsidiary of Sony Group Corporation (FY2025 revenue ~$85.5 billion / JPY 12.3 trillion). 17 million paid subscribers, 120 million registered users, available in 200+ countries.
  • How: Phishing email with malicious attachment delivered infostealer malware to a TELUS Digital support agent workstation in India. Malware harvested Okta SSO credentials. Federated authentication provided access to seven internal Crunchyroll systems.
  • Data: Customer names, email addresses (6.8 million unique), IP addresses, geographic location data, full support ticket contents (dating back to mid-2025), partial credit card data (last four digits, expiration dates; limited full card numbers shared in tickets).
  • Volume: 100 gigabytes total. 8 million support ticket records.
  • Actor: Unattributed individual threat actor. BleepingComputer confirmed this is a separate incident from the ShinyHunters TELUS Digital breach (1PB, $65M ransom) disclosed the same day. A secondary actor "hubert" is selling a subset on dark web forums.
  • Impact: $5M ransom demanded (not paid, no response); class action filed (Enfield v. Crunchyroll LLC, N.D. Cal.); no direct user notification as of March 31; data subset listed for sale at $2,000.

02

WHAT HAPPENED

The breach originated not from Crunchyroll's own infrastructure, but from the workstation of a customer support agent employed by TELUS Digital - the Canadian BPO giant (US$2.658 billion revenue, ~79,000 employees) that handles Crunchyroll's outsourced customer support operations from India.

On March 12, 2026, the TELUS agent received a phishing email crafted to impersonate an internal communication. The email contained a malicious attachment. The agent executed the attachment, which deployed infostealer malware on their local workstation.

The malware operated silently, harvesting credentials stored on and passing through the compromised machine - including the agent's Okta single sign-on credentials for Crunchyroll's systems.

Okta SSO provided federated authentication across Crunchyroll's operational stack.

A single set of compromised credentials unlocked access to seven internal systems: Zendesk (customer support ticketing), Slack (internal team communications), Google Workspace Mail (corporate email), Mixpanel (customer analytics and behavioral data), MaestroQA (agent quality assurance and performance scoring), Wizer (security awareness training platform), and Jira Service Management (IT service desk).

The breadth of access from a single BPO agent credential reflects an overprivileged access model - a support agent in India should not require access to corporate analytics, security training platforms, and IT service management systems.

The attacker moved directly to Crunchyroll's Zendesk instance and began bulk-downloading support ticket records. Over the following hours, they exfiltrated approximately 8 million support tickets containing 6.8 million unique email addresses, totaling 100 gigabytes.

The stolen data spans customer names, login usernames, email addresses, IP addresses, approximate geographic locations, and the full text contents of every support interaction dating back to mid-2025. Because customers routinely share sensitive information in support tickets - including credit card numbers to resolve billing disputes - some tickets contained partial or full payment card data.

BleepingComputer reviewed samples and confirmed most credit card references contained only last four digits or expiration dates, but a small number included full card numbers.

Crunchyroll detected the unauthorized access and revoked the compromised credentials within 24 hours. By that point, the exfiltration was complete.

The attacker subsequently contacted BleepingComputer and International Cyber Digest, sharing samples of the stolen data as proof. The attacker sent extortion emails to Crunchyroll demanding $5 million in exchange for not publicly releasing the data. Crunchyroll did not respond.

Later that day, at 8:03 p.m. EST, Crunchyroll provided an updated statement: "Our investigation is ongoing, and we continue to work with leading cybersecurity experts.

At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims."

Separately, a threat actor operating under the alias "hubert" listed a subset of the stolen Crunchyroll data for sale on dark web forums: 2 million support tickets and 1,394,207 unique email addresses, priced at $2,000. The relationship between the original attacker and "hubert" has not been established - the subset may represent a resale, a separate extraction, or the same actor operating under a different alias.

This breach occurred on the same day - March 12, 2026 - that TELUS Digital confirmed a separate, far larger breach by ShinyHunters involving approximately 1 petabyte of data and a $65 million ransom demand.

BleepingComputer was told the two incidents are separate: the Crunchyroll breach originated from malware on a single TELUS agent's workstation, while the ShinyHunters breach exploited GCP credentials discovered in the 2025 Salesloft Drift supply chain compromise.

Two simultaneous but independent breaches through the same BPO provider - on the same day - point to systemic endpoint security and identity management failures at TELUS Digital.

03

THREAT ACTOR

The threat actor who breached Crunchyroll has not been publicly identified by any threat intelligence firm. BleepingComputer reported it was told this incident is not connected to the ShinyHunters extortion group responsible for the separate TELUS Digital breach.

However, multiple factors complicate this assessment: the attack exploited a TELUS agent workstation during ShinyHunters' concurrent TELUS breach, the infostealer-via-phishing TTP is consistent with ShinyHunters' earlier Snowflake campaign (UNC5537), and ShinyCorp documentation indicates non-Scattered Spider SLSH operators may use different initial access methods than vishing.

Conversely, Crunchyroll does not appear on ShinyHunters' Tor leak site (while all other March 2026 ShinyHunters victims do), the "hubert" alias selling data on BreachForums is not a known ShinyHunters handle, and the communication style - a single ransom email with no escalation - diverges significantly from ShinyHunters' characteristically aggressive multi-channel harassment.

ZERO|TOLERANCE assesses the attacker as most likely a peripheral operator within the broader SLSH (Scattered Lapsus$ Hunters) ecosystem rather than core ShinyHunters operators.

The attacker demonstrated operational discipline: targeted phishing of a specific BPO agent, efficient exfiltration focused on the highest-value data store (Zendesk), and a structured extortion approach involving media contact and a specific $5 million demand.

The attack pattern - BPO agent compromise via infostealer, Okta credential theft, Zendesk data exfiltration - is consistent with financially motivated actors who target the supply chain's weakest link rather than the primary target directly.

A secondary actor, "hubert," is selling a subset of the data (2 million tickets, 1.39 million emails) for $2,000 on dark web forums.

Whether "hubert" is the original attacker operating under a pseudonym, a buyer reselling acquired data, or an independent actor who obtained a portion through other means is unknown.

Despite the lack of direct attribution to ShinyHunters, this breach exists within the broader context of ShinyHunters' systematic campaign against TELUS Digital and its clients.

ShinyHunters' March 2026 operations targeted TELUS Digital (1PB), the European Commission (350GB), Figure Technology (967K accounts), Ameriprise Financial (200GB), Infinite Campus (K-12 data), and numerous other organizations.

The Crunchyroll breach - whether by a ShinyHunters affiliate, an opportunistic actor exploiting known TELUS vulnerabilities, or an entirely unrelated threat actor - demonstrates that TELUS Digital's security posture made its client ecosystem a target-rich environment.

04

WHAT WAS EXPOSED

Customer Personal Data (6.8 million unique individuals):

  • Full names and Crunchyroll usernames
  • Email addresses (6.8 million unique)
  • IP addresses at time of support ticket submission
  • Approximate geographic location data derived from IP addresses
  • Full text contents of customer support tickets dating back to mid-2025

Payment Card Data (limited scope):

  • Last four digits of credit card numbers (shared by customers in support tickets)
  • Credit card expiration dates
  • A small number of full credit card numbers where customers pasted complete card details into support tickets
  • Credit card data was not systematically stored - it appeared only when customers voluntarily included it in support communications

Internal Platform Data:

  • Slack internal communications (scope unknown)
  • Google Workspace Mail contents (scope unknown)
  • Mixpanel customer analytics and behavioral data
  • MaestroQA agent quality assurance records
  • Jira Service Management IT service desk tickets
  • Wizer security training platform data

The support ticket data is the primary exposure.

Support tickets are uniquely dangerous because they contain unstructured customer communications - customers share passwords, account credentials, billing details, personal circumstances, and other sensitive information when seeking support.

Unlike structured database fields that can be classified and encrypted, free-text support ticket contents cannot be systematically protected through field-level encryption.

The 6.8 million email addresses represent a significant portion of Crunchyroll's user base.

Measured against 17 million paid subscribers and 120 million registered users, the 6.8 million exposed addresses correspond to roughly 40% of paying subscribers or approximately 5.7% of all registered accounts; the affected users are those who contacted support.

Anime streaming audiences skew young.

While Crunchyroll's terms of service require users to be 16+ (or 13+ with parental consent), the platform's audience demographics suggest a substantial proportion of affected users are minors or young adults - a population particularly vulnerable to identity theft and targeted phishing.

05

TECHNICAL FAILURE CHAIN

1. BPO Agent Workstation Compromised via Phishing. A TELUS Digital employee in India executed a malicious email attachment, deploying infostealer malware. This is the most basic attack vector in the threat landscape - a phishing email with a malicious attachment.

TELUS Digital's endpoint protection failed to detect or block the infostealer before it harvested credentials. No email attachment sandboxing or detonation prevented the malicious payload from executing on the agent's machine.

2. Infostealer Harvested Okta SSO Credentials from Agent Workstation. The malware captured the agent's Okta credentials - either from browser credential storage, session cookies, or keylogging during an active authentication session.

This indicates the agent's workstation lacked endpoint detection and response (EDR) capable of identifying credential harvesting behavior, and Okta session tokens were not bound to the device or IP address in a way that would prevent replay from the attacker's infrastructure.

3. Single Okta Credential Provided Access to Seven Systems. The compromised Okta SSO credentials granted the attacker access to Zendesk, Slack, Google Workspace, Mixpanel, MaestroQA, Wizer, and Jira Service Management.

A single BPO support agent should not require access to customer analytics (Mixpanel), security training platforms (Wizer), IT service management (Jira), and internal communications (Slack).

This reflects excessive privilege assignment - access was granted by role category (support agent) rather than by specific job function.

4. No Conditional Access Policies on BPO Agent Authentication. The attacker authenticated from their own infrastructure using credentials stolen from an India-based TELUS agent.

No conditional access policy blocked the authentication based on source IP, device posture, geographic location, or risk score.

Okta supports adaptive MFA and conditional access policies that can require step-up authentication or block access from unrecognized devices and locations - these were either not configured or insufficiently restrictive for BPO agent accounts.

5. Zendesk Bulk Export Not Restricted or Monitored. The attacker downloaded 8 million support ticket records (100GB) from Zendesk over the 24-hour access window. No data loss prevention controls, export rate limiting, or anomalous download detection flagged the bulk extraction.

Zendesk provides administrative controls to restrict data export permissions, disable CSV/JSON exports for specific roles, and configure API rate limits - these were not effective.

At 100GB over 24 hours, the sustained transfer rate averaged approximately 1.16 MB/s - consistent, steady, and detectable.

6. Credit Card Data Stored in Plaintext Support Tickets. Customers shared credit card numbers in support ticket free-text fields, and this data was stored without redaction, tokenization, or masking.

PCI DSS Requirement 3.4 mandates that primary account numbers be rendered unreadable anywhere they are stored.

Automated PII detection and redaction in support ticket systems - available from Zendesk and third-party vendors - would have stripped or masked card numbers before storage.

7. No User Notification 19 Days After Breach. As of March 31, Crunchyroll has not notified affected users. The company's March 23 public statement was issued only after BleepingComputer contacted them - 11 days after the breach.

Most US state breach notification laws require notification within 30-60 days. A breach exposing 6.8 million email addresses, IP addresses, and support ticket contents - including credit card data - meets this threshold.

06

INDICATORS OF COMPROMISE

Threat Actor:

  • Unattributed - assessed as SLSH ecosystem peripheral operator (not core ShinyHunters)
  • "hubert" - selling subset on dark web forums ($2,000 for 2M tickets / 1.4M emails)

Attack Vector:

  • Phishing email with malicious attachment to TELUS Digital BPO agent in India
  • Infostealer malware harvested Okta SSO credentials

Compromised Systems (via single Okta SSO credential):

  • Zendesk, Slack, Google Workspace Mail, Mixpanel, MaestroQA, Wizer, Jira Service Management

Exfiltration:

  • ~100 GB total, 8M Zendesk support tickets, 6.8M unique emails
  • 24-hour access window before revocation

Ransom: $5M demanded (not paid)

07

REGULATORY EXPOSURE

  • CCPA/CPRA (California) - Cal. Civ. Code § 1798.150: Private right of action for unauthorized access to unencrypted personal information. Email addresses combined with credit card numbers constitute personal information. Statutory damages: $100-$750 per consumer per incident, or actual damages. With 6.8 million users, even minimum statutory damages could reach $680 million. California AG notification required for breaches affecting 500+ residents. CPRA extends to "service providers" (TELUS Digital) processing data on behalf of businesses.
  • GDPR (EU) - Articles 5(1)(f), 28, 32, 33, 34: Crunchyroll operates across the EU with subscribers in all 27 member states. Article 33 requires 72-hour notification to the lead DPA. Article 34 requires individual notification for high-risk breaches. Article 28 governs processor obligations - TELUS Digital as a data processor must provide sufficient guarantees of appropriate technical and organizational measures. Article 32 requires security appropriate to the risk. Fines up to 4% of Sony Group Corporation's annual global turnover. Potential fine exposure: up to EUR 3.0 billion (4% of ~$85.5B / ~EUR 75B). TELUS Digital as processor faces separate liability under Article 83(4) - up to EUR 10 million or 2% of annual turnover.
  • UK GDPR / DPA 2018 - Crunchyroll operates in the UK with a significant subscriber base. ICO notification required within 72 hours for breaches posing risk to individuals. Fines up to GBP 17.5 million or 4% of annual global turnover.
  • SEC 8-K Disclosure (US) - Sony Group Corporation trades on NYSE (SONY). If the breach is deemed material to Sony's operations or financial condition, an 8-K filing is required within 4 business days of materiality determination. A breach affecting 6.8 million customers of a $1.175 billion acquisition warrants materiality assessment.
  • US State Breach Notification Laws - Credit card exposure triggers notification in all 50 states. Email + IP address combinations trigger notification in states with broad PII definitions. With Crunchyroll's US subscriber base, notifications are likely required in all 50 states. Varying timelines: 30 days (Florida, Colorado), 45 days (Ohio, Vermont), 60 days (most states). AG notification thresholds vary by state.
  • FTC Act Section 5 - Unfair or deceptive trade practices. Failure to implement reasonable security measures for consumer data, particularly given Crunchyroll's existing $16 million VPPA settlement (2023) and current VPPA class action (March 2026). The FTC has demonstrated heightened enforcement against companies with repeat privacy failures.
  • PCI DSS (Payment Card Industry) - Requirement 3.4: Primary account numbers must be rendered unreadable wherever stored. Credit card numbers stored in plaintext support tickets violate PCI DSS. Requirement 9.4 addresses access controls. Crunchyroll's acquiring bank and payment processor may require a forensic investigation (PFI) and could impose fines, increased transaction fees, or processing restrictions.
  • VPPA (Video Privacy Protection Act, 18 U.S.C. § 2710) - While the current VPPA class action (Cabonios v. Crunchyroll, March 5, 2026) concerns Braze analytics disclosure, the breach itself may expose viewing-related data in support tickets (e.g., "I can't watch Episode X of [anime title]"). Support tickets referencing specific content constitute video tape service provider records under the VPPA. Statutory damages: $2,500 per violation.
  • COPPA (Children's Online Privacy Protection Act) - Crunchyroll's terms require users to be 16+ (13+ with parental consent), but anime audiences skew young and age verification is minimal. If children under 13 submitted support tickets, COPPA's enhanced protections apply. The updated COPPA Rule (effective June 23, 2025) imposes heightened data security requirements. Penalty: up to $53,088 per violation.
  • Japan APPI (Act on Protection of Personal Information) - Sony Group Corporation is headquartered in Tokyo. Japanese subscribers' data processed through US-based Crunchyroll systems may trigger APPI cross-border transfer requirements. The Personal Information Protection Commission (PPC) has enforcement authority.
  • Enfield v. Crunchyroll LLC (N.D. Cal., filed March 27, 2026) - Class action alleging negligence, unjust enrichment, and FTC Act violations. Plaintiff Emilia Enfield (Washington) seeks actual damages, treble damages up to $25,000 per class member, injunctive relief requiring security improvements, and mandatory breach notification disclosure. Proposed class: all US individuals whose PII was exposed.

08

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. The specific infostealer malware family deployed on the TELUS agent's workstation has not been identified. Whether it was a commodity infostealer (RedLine, Raccoon, Vidar, Lumma) or a custom tool is unknown - this would inform attribution assessment.

2. The attacker's identity remains unattributed. BleepingComputer confirmed the incident is separate from ShinyHunters' TELUS Digital breach, but did not identify the responsible actor.

The relationship between the original attacker and the "hubert" alias selling data on dark web forums has not been established.

3. The full scope of data accessed from Slack, Google Workspace, Mixpanel, MaestroQA, Wizer, and Jira Service Management has not been disclosed.

Crunchyroll's statement references only "customer service ticket data" - the extent of exfiltration from the other six compromised systems is unknown.

4. Whether the phishing email specifically targeted a TELUS agent known to have Crunchyroll access, or was part of a broader phishing campaign against TELUS employees, has not been disclosed. Targeted versus opportunistic compromise changes the attribution calculus.

5. The exact number of support tickets containing full credit card numbers has not been disclosed. BleepingComputer described "a few" containing full numbers but the quantified scope of PCI-relevant exposure is unknown.

6. Whether Crunchyroll has filed breach notifications with any US state attorney general, the ICO, or any EU data protection authority has not been confirmed as of March 31. The 19-day gap without confirmed regulatory notification may itself constitute a compliance failure under GDPR's 72-hour requirement.

7. Whether TELUS Digital's contract with Crunchyroll has been terminated, modified, or placed under review following two simultaneous breaches (this incident and the ShinyHunters breach) has not been disclosed.

8. The "hubert" dark web listing contains 2 million tickets and 1.39 million emails - significantly less than the claimed 8 million tickets and 6.8 million emails.

Whether this represents a partial dataset, a separately obtained subset, or the actual (lower) scope of exfiltration has not been established.

09

ZERO|TOLERANCE Advisory

1. Deploy Phishing-Resistant MFA (FIDO2/WebAuthn) for All BPO Agent Accounts. The infostealer captured Okta credentials because the authentication flow relied on phishable factors - passwords and potentially SMS/TOTP codes.

FIDO2 hardware security keys bind authentication to the legitimate domain at the protocol level.

An infostealer can capture a password and a TOTP code; it cannot capture a FIDO2 assertion because the cryptographic challenge-response is bound to the origin URL and cannot be replayed. This single control would have prevented the breach entirely.

Okta supports FIDO2/WebAuthn natively. Google eliminated employee account takeovers after mandating hardware keys.

2. Enforce Conditional Access Policies for BPO Agent Authentication. Configure Okta to restrict BPO agent authentication to managed devices on known TELUS corporate IP ranges. Require device posture checks (EDR agent running, OS patched, disk encrypted) before granting access.

Block authentication attempts from unrecognized geographic locations or IP addresses. The attacker authenticated from their own infrastructure after stealing credentials from an India-based agent - geolocation and device-based conditional access would have blocked the session.

3. Implement Least-Privilege Access for BPO Agent Roles. A customer support agent does not need access to Mixpanel analytics, Wizer security training, Jira Service Management, or Slack internal channels.

Segment Okta application assignments by specific BPO function: support agents receive Zendesk access only. Create separate Okta groups for each BPO role with application assignments limited to operational necessity.

Remove all non-essential application access from BPO agent profiles immediately.

4. Deploy Data Loss Prevention and Export Controls on Zendesk. Configure Zendesk to restrict bulk data exports for BPO agent roles. Implement API rate limiting on Zendesk data access endpoints.

Deploy DLP monitoring that alerts on export volumes exceeding normal support agent activity patterns - a single agent downloading 8 million tickets (100GB) over 24 hours is orders of magnitude above any legitimate use case.

Zendesk's Admin Center provides granular control over data export permissions, report generation, and API access scoping.
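The two detections this item and failure-chain step 5 describe (an SSO login from outside the BPO provider's network, followed by ticket access far above any agent's normal volume), as an added example that is not part of the advisory and is not Zendesk or Okta code. The JSON event schema, the "known agent network" range and the log lines are all constructed for illustration.

```python
"""Added example: flag a support agent whose ticket-access volume inside a
sliding window exceeds a baseline, and flag SSO logins from outside the BPO
provider's known network ranges. Schema, IP ranges and events are constructed."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed JSON-lines audit events (hypothetical, simplified schema).
SAMPLE_EVENTS = """
{"ts":"2026-03-12T21:00:05Z","actor":"agent01","event":"sso.login","src_ip":"203.0.113.10"}
{"ts":"2026-03-12T21:01:00Z","actor":"agent01","event":"ticket.read","src_ip":"203.0.113.10","count":25}
{"ts":"2026-03-12T21:10:00Z","actor":"agent01","event":"sso.login","src_ip":"198.51.100.77"}
{"ts":"2026-03-12T21:12:00Z","actor":"agent01","event":"ticket.export","src_ip":"198.51.100.77","count":5000}
{"ts":"2026-03-12T21:30:00Z","actor":"agent01","event":"ticket.export","src_ip":"198.51.100.77","count":5000}
{"ts":"2026-03-12T21:45:00Z","actor":"agent02","event":"ticket.read","src_ip":"203.0.113.11","count":40}
"""

# Placeholder for the BPO provider's managed-device egress range (constructed).
KNOWN_AGENT_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]


def parse_events(text):
    """Parse JSON lines into dicts with a timezone-aware datetime, oldest first."""
    events = []
    for line in text.strip().splitlines():
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def off_network(ip):
    """True when the source address is outside every known agent range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in KNOWN_AGENT_NETWORKS)


def detect(events, window=timedelta(hours=1), max_records=500):
    """Return alerts in event order for two conditions:
    - an sso.login from an address outside KNOWN_AGENT_NETWORKS;
    - an actor whose ticket.read/ticket.export record counts inside the
      sliding window exceed max_records (reported once per actor)."""
    alerts = []
    recent = defaultdict(deque)   # actor -> deque of (timestamp, count)
    in_window = defaultdict(int)  # actor -> sum of counts inside the window
    flagged = set()
    for ev in events:
        actor = ev["actor"]
        if ev["event"] == "sso.login":
            if off_network(ev["src_ip"]):
                alerts.append({"type": "login_off_network", "actor": actor,
                               "src_ip": ev["src_ip"], "ts": ev["ts"].isoformat()})
        elif ev["event"] in ("ticket.read", "ticket.export"):
            q = recent[actor]
            q.append((ev["ts"], ev["count"]))
            in_window[actor] += ev["count"]
            # Drop entries that fell out of the window before comparing.
            while q and ev["ts"] - q[0][0] > window:
                in_window[actor] -= q.popleft()[1]
            if in_window[actor] > max_records and actor not in flagged:
                flagged.add(actor)
                alerts.append({"type": "bulk_ticket_access", "actor": actor,
                               "records_in_window": in_window[actor],
                               "ts": ev["ts"].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

The baseline of 500 records per hour is a placeholder; in practice it would be derived from each agent's historical volume, and the login alert would feed a session revocation rather than just a log line.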

5. Implement Automated PII Redaction in Support Ticket Systems. Deploy automated PII detection and redaction on inbound support tickets to strip or mask credit card numbers, Social Security numbers, passwords, and other sensitive data before storage.

Zendesk marketplace includes PII redaction apps. Third-party solutions from vendors like Nightfall AI can scan ticket content in real time and redact sensitive data. PCI DSS compliance requires this for any system that might store cardholder data.
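The redaction step described here and in failure-chain step 6, as an added example that is neither the advisory's nor any vendor's code: card numbers in free-text ticket bodies are masked before storage, keeping only the last four digits, with a Luhn check so that order or ticket numbers are left alone, and expiry dates masked only in tickets that actually contained a card. The sample ticket text is constructed.

```python
"""Added example: redact payment card numbers from support ticket text before
it is stored, preserving only the last four digits. Sample text is constructed."""
import re

# Candidate PAN: 13 to 19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# MM/YY or MM/YYYY; masked only when a card number was found in the same text,
# so ordinary dates such as "Episode 12/27" in card-free tickets are untouched.
EXP_RE = re.compile(r"\b(0[1-9]|1[0-2])/(\d{2}|\d{4})\b")


def luhn_ok(digits):
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def redact_card_data(text):
    """Return (redacted_text, number_of_card_numbers_masked)."""
    count = 0

    def mask(match):
        nonlocal count
        raw = match.group(0)
        digits = re.sub(r"[ -]", "", raw)
        if not luhn_ok(digits):
            return raw  # e.g. an order number: leave it untouched
        count += 1
        return "[CARD REDACTED ****" + digits[-4:] + "]"

    redacted = PAN_RE.sub(mask, text)
    if count:
        redacted = EXP_RE.sub("[EXP REDACTED]", redacted)
    return redacted, count


# Constructed ticket body using a well-known Visa test number, not a real card.
TICKET = ("Hi, my renewal failed. Card on file is 4111 1111 1111 1111, "
          "exp 03/28, order 1234567890123. Please retry.")

if __name__ == "__main__":
    print(redact_card_data(TICKET))
```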

6. Require EDR and Endpoint Hardening on All BPO Agent Workstations. TELUS Digital's India operations must deploy EDR solutions capable of detecting infostealer malware behavior - credential harvesting, browser data extraction, keylogging.

Enforce application allowlisting on BPO workstations to prevent execution of unauthorized attachments. Disable macro execution in email attachments. Mandate email attachment sandboxing at the gateway level.

The phishing email with a malicious attachment is the oldest attack vector in existence - endpoint controls should have neutralized it before credential theft occurred.

10

SOURCES

BleepingComputer, TechCrunch, The Record, TechRadar, Cybernews, CyberSecurity News, CX Today, The CyberSec Guru, Netcrook, Screen Rant, Prism News, Insurance Journal, Anime Corner, AnimeMojo, GIGAZINE, Beebom, Anime News Network, TopClassActions, Cyber Daily, SC Media, WebProNews, Cyberpress, Privacy Guides, ResetEra, GameSpot (Sony acquisition), Hollywood Reporter (Sony acquisition)
