On Jan 23, 2025, an account on X published a list of login details for multiple Crunchyroll Premium accounts.
The post quickly gained traction, with some users in the comments confirming that their account information was included in the leaked list.
Others who saw the post warned fellow users to reset their passwords immediately.
While the post only lists a handful of accounts, the extent of the leak is not known at this point.
Update (Jan 24, 2025): The user’s account has been suspended. Crunchyroll has also responded to leak of login credentials. Check their statement here.
Despite the urgency, many users reported issues with resetting their passwords. For those facing difficulties, it is recommended that you use the “forgot password” feature to initiate a secure password reset.
Having account credentials exposed in such a manner poses significant risks. Netizens noted that if users are reusing the same passwords across multiple platforms, this leak could potentially give hackers access to other accounts, including email, banking, and social media.
This exposed login details, in the worst case, can lead to a ripple effect of security breaches if users fail to act swiftly.
That said, the source of the leak remains unclear. On Jan 9, 2025, another account had posted a list of Crunchyroll Premium login details on X. However, that post failed to gain any traction.
It is not confirmed whether this breach stems from Crunchyroll’s own systems or a third-party compromise, such as phishing attacks or credential stuffing.
Credential stuffing involves cybercriminals using stolen passwords from one platform to attempt logins on another, capitalizing on password reuse.
Source: X
Why would you share the actual tweet with this info on your website? You’re being a part of the problem by spreading it to a wider audience with compromised passwords and accounts.
Many of the posted accounts show under https://haveibeenpwned.com/ as from stealer logs which points to this being accounts stolen by malware rather than a data breach.
Crunchyroll also probably doesn’t store user passwords as that is considered bad practice.
So the original twitter post is just a grifter grifting.
Why would you share the actual tweet with this info on your website? You’re being a part of the problem by spreading it to a wider audience with compromised passwords and accounts.
Many of the posted accounts show under https://haveibeenpwned.com/ as from stealer logs which points to this being accounts stolen by malware rather than a data breach.
Crunchyroll also probably doesn’t store user passwords as that is considered bad practice.
So the original twitter post is just a grifter grifting.