Crunchyroll Data Breach: 100 GB of User Data Allegedly Exfiltrated
In a recent cybersecurity incident, a threat actor claims to have exfiltrated approximately 100 GB of personally identifiable information (PII) from Crunchyroll, the popular anime streaming service owned by Sony. The breach reportedly occurred on March 12, 2026, and was facilitated through a compromised employee at Telus, Crunchyroll’s business process outsourcing (BPO) partner.
Details of the Breach
According to the threat actor, the intrusion was initiated when a Telus employee inadvertently executed malware on their workstation. This action provided the attacker with a foothold into Crunchyroll’s internal systems, allowing lateral movement into sensitive customer-facing infrastructures, including the company’s ticketing system. This method of attack is consistent with a broader pattern observed in the Telus Digital incident confirmed on the same date, where threat actors claimed to have stolen data from Telus and multiple companies relying on its BPO services.
Data Exfiltrated
Cyber Digest analyzed a sample of the exfiltrated data provided by the threat actor, revealing highly sensitive customer information, such as:
– IP addresses
– Email addresses
– Credit card details
– Customer analytics data containing PII
The threat actor asserts that a total of 100 GB of data was extracted from Crunchyroll’s customer analytics environment and ticketing system. The exposure of such data poses significant risks, including identity theft, financial fraud, and targeted phishing campaigns for affected subscribers.
Timeline and Response
The attacker claims that Crunchyroll detected and revoked their access approximately 24 hours after the initial breach. Despite the relatively short access window, the volume of data exfiltrated suggests a premeditated operation executed swiftly once inside the system.
Alarmingly, the threat actor stated that Crunchyroll has not responded to any communications regarding the incident and has not publicly disclosed the breach to affected customers. This lack of transparency is particularly concerning given that Crunchyroll was already subject to a class-action lawsuit earlier in 2026 over alleged unauthorized sharing of user viewing data with third-party marketing platforms.
Implications for Users
For Crunchyroll subscribers, this breach underscores the importance of proactive measures to safeguard personal information. Users are advised to:
1. Change Passwords Immediately: Update Crunchyroll account passwords and ensure they are strong and unique.
2. Monitor Financial Statements: Regularly review bank and credit card statements for unauthorized transactions.
3. Be Vigilant Against Phishing Attempts: Be cautious of unsolicited communications requesting personal information or containing suspicious links.
4. Enable Two-Factor Authentication (2FA): If available, activate 2FA to add an extra layer of security to accounts.
Broader Context
This incident highlights the vulnerabilities associated with third-party service providers. BPO partners often have access to sensitive data and systems, making them attractive targets for cybercriminals. Organizations must ensure that their partners adhere to stringent cybersecurity protocols to mitigate such risks.
As of now, Crunchyroll has not issued an official statement regarding the alleged breach. Users are encouraged to stay informed through official channels and take necessary precautions to protect their personal information.
