Crunchyroll Data Breach - 100 GB of User Data Exfiltrated
Basically, hackers stole a lot of personal data from Crunchyroll using a compromised employee's access.
A major data breach at Crunchyroll has led to the exfiltration of 100 GB of user data. This incident affects many users, exposing them to risks like identity theft and fraud. Crunchyroll has yet to acknowledge the breach publicly, raising concerns about user safety.
What Happened
On March 12, 2026, a serious data breach occurred at Crunchyroll, the popular anime streaming service owned by Sony. A threat actor claims to have exfiltrated approximately 100 GB of personally identifiable information (PII). The breach reportedly happened through a compromised employee at Telus, Crunchyroll's business process outsourcing (BPO) partner. This employee executed malware on their workstation, allowing the attacker to gain access to Crunchyroll’s internal systems.
Once inside, the attacker was able to move laterally within the network, infiltrating sensitive customer-facing systems, including the ticketing infrastructure. This incident aligns with a broader pattern of attacks targeting BPO providers, which often handle critical authentication and billing tools for multiple clients. This makes them attractive targets for cybercriminals seeking to maximize their impact with a single intrusion.
Who's Affected
The breach potentially impacts a large number of Crunchyroll users. The exfiltrated data includes sensitive information such as IP addresses, email addresses, credit card details, and customer analytics data. This type of data poses significant risks, including identity theft, financial fraud, and targeted phishing campaigns. The threat actor has provided samples of the stolen data, confirming the seriousness of the breach.
Despite the significant volume of data stolen, Crunchyroll reportedly detected and revoked the attacker's access within 24 hours. However, the speed of the attack suggests that the breach was premeditated, with the attacker moving quickly to extract data once inside the system. As of now, Crunchyroll has not publicly acknowledged the breach or communicated with affected users, raising concerns about transparency and accountability.
What Data Was Exposed
The nature of the exposed data is alarming. The threat actor claims to have accessed a variety of sensitive information, including:
- IP addresses
- Email addresses
- Credit card details
- Customer analytics data
The presence of credit card information and other PII increases the stakes for affected users, who may now face heightened risks of identity theft and financial fraud. The lack of communication from Crunchyroll regarding this incident is particularly troubling, especially given the company's recent legal troubles over unauthorized data sharing with third-party marketing platforms.
What You Should Do
If you are a Crunchyroll user, it’s crucial to take immediate action to protect your personal information. Here are some steps you can follow:
- Change your passwords: Update your Crunchyroll account password and any other accounts that use the same credentials.
- Monitor your financial statements: Keep an eye on your bank and credit card statements for any unauthorized transactions.
- Enable two-factor authentication: If available, turn on two-factor authentication for added security on your accounts.
- Stay informed: Keep an eye on Crunchyroll's announcements for any updates regarding the breach and further guidance.
This breach serves as a reminder of the vulnerabilities associated with outsourcing and the importance of robust cybersecurity measures across all levels of a company’s operations.