Full Report
In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users. The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the contents of the support tickets" were exposed. A subset of 1.2M email addresses from an alleged 2M record dataset being sold was later provided to HIBP.
Analysis Summary
# Incident Report: Crunchyroll Zendesk Data Breach
## Executive Summary
In March 2026, the anime streaming service Crunchyroll experienced a significant data breach in which data was taken from its third-party customer support platform, Zendesk. The incident allegedly impacted up to 6.8 million users; the exposed records included PII and support ticket contents, and the threat actor subsequently offered the data for sale on underground forums.
## Incident Details
- **Discovery Date:** March 2026 (Initial claims by threat actor)
- **Incident Date:** March 2026
- **Affected Organization:** Crunchyroll
- **Sector:** Media / Entertainment / Streaming
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Third-party Application Compromise (Zendesk)
- **Details:** Attackers gained unauthorized access to Crunchyroll's Zendesk support environment. The specific mechanism (e.g., credential stuffing, API key leak, or session hijacking) has not been publicly specified, though the breach was localized to the support system.
### Lateral Movement
- **Details:** Based on current reports, there is no evidence of lateral movement into Crunchyroll’s core production infrastructure; the breach appears confined to the data residing within the Zendesk instance.
### Data Exfiltration/Impact
- **Details:** Threat actors exfiltrated a large dataset from the Zendesk instance. The actor claimed 6.8 million users were affected and offered an alleged 2 million record dataset for sale; a subset of 1.2 million unique email addresses from that dataset was later provided to HIBP. The exposed fields were reported as name, login name, email address, IP address, general geographic location and the contents of support tickets.
### Detection & Response
- **How it was discovered:** The incident became public when a threat actor claimed to be selling the dataset on a cybercrime forum.
- **Response actions taken:** A 1.2 million email address subset of the dataset was provided to "Have I Been Pwned" (HIBP), which loaded it on April 4, 2026 so affected users could be notified. Crunchyroll initiated a probe into the breach claims; no further public statement on remediation is recorded here.
## Attack Methodology
- **Initial Access:** Exploitation of third-party service provider (Zendesk).
- **Persistence:** Not disclosed; likely temporary access to the support portal.
- **Privilege Escalation:** Not disclosed. Exporting ticket data in bulk would require agent or administrator level access within the Zendesk instance, or an API token with equivalent scope.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Potential compromise of support staff credentials or API tokens (not confirmed).
- **Discovery:** Enumeration of support tickets and end-user profiles within the Zendesk environment.
- **Lateral Movement:** N/A (limited to the third-party SaaS environment).
- **Collection:** Automated scraping or bulk export of support ticket records.
- **Exfiltration:** Transfer of data to external attacker-controlled infrastructure.
- **Impact:** Data breach and reputational damage.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and costs associated with incident response and forensics.
- **Data Breach:** High. 1.2M records confirmed (up to 6.8M alleged). Includes sensitive PII and communication history.
- **Operational:** Not disclosed; investigation of a support platform compromise typically disrupts customer support workflows while access is reviewed and credentials are rotated.
- **Reputational:** High public visibility due to Crunchyroll's large global fan base and the nature of internal support tickets being leaked.
## Indicators of Compromise
- **Network indicators:** None publicly disclosed; investigation focused on SaaS logs.
- **File indicators:** None publicly disclosed beyond the dataset itself being offered on underground forums; no file names or hashes have been published.
- **Behavioral indicators:** Bulk ticket exports, high-volume ticket reads, or incremental-export API calls attributed to a single agent account or API token, particularly from IP addresses outside the support team's normal ranges or outside normal working hours.
## Response Actions
- **Containment:** Not disclosed; expected steps are revoking compromised Zendesk credentials and rotating API tokens.
- **Eradication:** Not disclosed; expected steps are reviewing agent accounts, sessions, and third-party app integrations in the Zendesk instance for unauthorized access.
- **Recovery:** Not disclosed by Crunchyroll. Affected users can check exposure through HIBP, which received a subset of the data.
## Lessons Learned
- **Key takeaways:** Third-party SaaS platforms (Zendesk, Salesforce, etc.) are high-value targets that house sensitive "unstructured" data like ticket contents.
- **What could have been done better:** Stricter access controls for support staff and more aggressive monitoring for bulk data exports relative to normal support activities.
## Recommendations
- **MFA Implementation:** Enforce phishing-resistant multi-factor authentication (MFA) for all support agents and administrators, and use narrowly scoped, regularly rotated API tokens rather than user credentials for third-party integrations.
- **Data Minimization:** Implement auto-deletion or redaction policies for support ticket contents after a specific time period (e.g., 90 days).
- **Third-Party Risk Management (TPRM):** Regularly audit the security configurations of SaaS providers and limit API scopes to the minimum necessary permissions.
- **Monitoring:** Set up automated alerts for bulk exports or mass downloads of user data within third-party tools.
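The behavioral indicator and monitoring recommendation above amount to one detection: flag an agent or token whose ticket-read volume jumps far above normal support activity, and flag any export action, weighting both by whether the source IP is outside the support team's known ranges. The following is an added example written for this report, not code from Crunchyroll, Zendesk or HIBP. It runs over constructed log lines (not real breach data); the record schema (`actor`, `action`, `ticket_id`, `ip`, `ts`) and the action names `ticket.read` and `export.create` are assumptions, so map your own Zendesk audit-log or access-log export onto those fields before use.

```python
"""Bulk-access detector for support-platform activity logs (added example)."""
import ipaddress
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone


def constructed_sample_log():
    """Constructed JSON-lines sample, NOT real Zendesk or Crunchyroll data.

    agent-1 works at a normal pace from the office range; agent-7 reads 300
    tickets in five minutes from an unknown address and then runs an export.
    """
    base = datetime(2026, 3, 1, 9, 0, tzinfo=timezone.utc)
    lines = []
    for i in range(10):  # one ticket every six minutes, office IP (assumed range)
        lines.append(json.dumps({"actor": "agent-1", "action": "ticket.read",
                                 "ticket_id": 1000 + i, "ip": "203.0.113.10",
                                 "ts": (base + timedelta(minutes=6 * i)).isoformat()}))
    for i in range(300):  # one ticket per second, off-network IP
        lines.append(json.dumps({"actor": "agent-7", "action": "ticket.read",
                                 "ticket_id": 5000 + i, "ip": "198.51.100.77",
                                 "ts": (base + timedelta(seconds=i)).isoformat()}))
    lines.append(json.dumps({"actor": "agent-7", "action": "export.create",  # assumed action name
                             "ticket_id": None, "ip": "198.51.100.77",
                             "ts": (base + timedelta(minutes=6)).isoformat()}))
    return lines


def parse_events(lines):
    """Parse JSON-lines records and return them ordered by timestamp."""
    events = []
    for line in lines:
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_bulk_access(lines, allowed_cidrs, window=timedelta(minutes=10),
                       read_threshold=100):
    """Return alerts for export actions and for per-actor read bursts.

    A read burst fires once when an actor's ticket reads inside the sliding
    `window` reach `read_threshold`; tune the threshold to the team's baseline.
    Every alert records whether the source IP is outside `allowed_cidrs`.
    """
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    recent_reads = defaultdict(deque)  # actor -> timestamps inside the window
    alerts = []
    for ev in parse_events(lines):
        addr = ipaddress.ip_address(ev["ip"])
        off_network = not any(addr in n for n in nets)
        if ev["action"].startswith("export."):
            alerts.append({"rule": "export", "actor": ev["actor"], "ip": ev["ip"],
                           "ts": ev["ts"], "off_network": off_network})
        elif ev["action"] == "ticket.read":
            q = recent_reads[ev["actor"]]
            q.append(ev["ts"])
            while q and ev["ts"] - q[0] > window:
                q.popleft()  # drop reads that fell out of the window
            if len(q) == read_threshold:
                alerts.append({"rule": "read_burst", "actor": ev["actor"],
                               "ip": ev["ip"], "ts": ev["ts"],
                               "reads_in_window": len(q),
                               "off_network": off_network})
    return alerts


if __name__ == "__main__":
    for alert in detect_bulk_access(constructed_sample_log(), ["203.0.113.0/24"]):
        print(alert)
```

Running the block yields two alerts, both for `agent-7` and both off-network: a `read_burst` at the 100th read and an `export`. In practice feed it the audit-log or ticket-access events you already collect from the SaaS tool, set `read_threshold` from a few weeks of per-agent baseline, and route off-network export alerts straight to a responder rather than a dashboard.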