Crunchyroll Suffers Major Data Breach; 100 GB Of Sensitive User Information Stolen

Anime streaming giant Crunchyroll has reportedly suffered a massive cybersecurity breach, compromising over 100 GB of highly sensitive customer data, leaving millions of subscribers vulnerable to fraud and identity theft.

The security breach happened on March 12, 2026, when an employee working for Telus Digital, Crunchyroll’s business process outsourcing partner located in India, was successfully tricked by an email containing hidden malware.

Upon executing the malicious software, the hacker (threat actor) stole the victim’s Okta credentials and gained direct, unrestricted access to Crunchyroll’s internal network environment.

Once inside the company’s digital infrastructure, the attacker specifically targeted the anime streamer’s internal ticketing system and customer analytics databases.

The platform detected the intrusion and revoked their access after 24 hours. However, despite the relatively short window of opportunity, the threat actor managed to exfiltrate 100 GB of personally identifiable information.

Cyber Digest analyzed a sample of the stolen dataset, confirming it includes user IP addresses, email addresses, credit card details and other sensitive information.

This exposure puts affected subscribers at severe risk of financial fraud, targeted phishing attacks, and identity theft.

This is where the threat actor allegedly stole 100 GB of Crunchyroll's analytics data, which also includes IP addresses. pic.twitter.com/4AcAzcsneZ

— International Cyber Digest (@IntCyberDigest) March 22, 2026

Despite the severity of the data theft, Crunchyroll is reportedly ignoring all direct communications from the hackers and still has not publicly disclosed the breach to its subscriber base.

Meanwhile, Canadian telecommunications giant Telus confirmed on March 12 that its digital services arm suffered a severe multi-month security incident. ShinyHunters claimed responsibility for the Telus breach, alleging the theft of nearly 1 petabyte of corporate data related to customer support and content moderation operations.

However, it remains officially unconfirmed if the Crunchyroll intrusion is directly connected to the ShinyHunters campaign, especially considering Telus was also rumored to be a victim of a separate cybersecurity attack earlier in January.

This is the second time the popular streaming service has suffered a significant data breach affecting its user base. In January 2025, a massive leak of premium Crunchyroll login details and passwords surfaced online.

This latest security disaster arrives at an exceptionally bad time for the Sony-owned platform. Just weeks prior to this hacking incident, Crunchyroll was hit with a major class-action lawsuit for allegedly violating the Video Privacy Protection Act by secretly sharing its users’ viewing habits with a third-party marketing company.

This legal conundrum follows a nearly identical one in 2023 where the company was forced into a USD 16 million settlement over similar privacy violations, painting a consistently troubling picture of how the service handles its viewers’ digital footprint.