On March 12, 2026, a threat actor gained access to Crunchyroll’s customer support ticketing system after compromising an Okta account belonging to an employee of Telus Digital, Crunchyroll’s business process outsourcing (BPO) partner. The attacker exfiltrated over 8 million customer support tickets containing data for approximately 6.8 million unique users. Exposed data included names, login names, email addresses, IP addresses, geographic location, and contents of support tickets (some of which contained partial or full payment card numbers). The attacker demanded a $5 million extortion payment from Crunchyroll, which did not respond. A class action lawsuit was filed in March 2026 alleging Crunchyroll failed to implement adequate security controls for its BPO partners. This breach is likely related to the simultaneous large-scale ShinyHunters campaign against Telus Digital itself (see 2026-03_telus-digital-shinyhunters.yaml), which occurred on the same date and also involved compromised Okta SSO accounts at Telus.