Crunchyroll, the popular anime streaming platform, is currently investigating an alleged breach that may have led to the leak of personal data belonging to 6.8 million of its users.

The stolen user data from Crunchyroll appears to have been obtained by exploiting vulnerabilities at a third-party company, Telus International, which Crunchyroll outsources its customer support to.

"We are aware of recent claims and are currently working closely with leading cyber security experts to investigate the matter," Crunchyroll said in a statement.

The cybersecurity outlet Bleeping Computer says that the hacker reached out to them to provide information and proof of the stolen data.

The hacker says that they infected a customer support agent's computer with malware and gained access to the employee's Okta login credentials. From there, the hacker gained access to multiple accounts that Crunchyroll has with other third-party services such as Zendesk, Google Workspace Mail, Slack, Mixpanel, Jiro Service Management, Wizer, and MaestroQA.

According to the hacker, the breach occurred on March 12, and their access was revoked after 24 hours. However, within that time frame, the hacker downloaded 8 million support ticket records from Crunchyroll's Zendesk account. There were 6.8 million unique email addresses included in these tickets.

The hacker showed Bleeping Computer screenshots detailing the types of personal information allegedly stolen from Crunchyroll's users, which includes full names, usernames, email addresses, IP addresses, general geographic location, and what was included in the support tickets. Credit card information does not appear to have been stolen; however, if a user provided the last four digits of their card number or their card's expiration date in a support ticket, then that information would be among the stolen data.

The hacker claims to have sent a $5 million ransom to Crunchyroll for the data, but the hacker says that they have not heard back from the company.

This Tweet is currently unavailable. It might be loading or has been removed.

The International Cyber Digest account on X also shared that they received screenshot evidence of the breach from the hacker. The account also reported that 100GB of data was stolen.

According to the cybersecurity firm SOCRadar, a post was published on a hacker forum on the same day of the alleged hack titled "Crunchyroll email and IP." The post included obscured sample data allegedly from the data stolen in the breach.

Interestingly, Telus had also confirmed with Bleeping Computer on March 12 that the company had suffered a breach from the well-known hacker group ShinyHunters. However, it is believed that the Crunchyroll-related breach at Telus is unrelated to the hacker group.

Crunchyroll has not yet issued a statement or acknowledgement of the potential breach to its users.