What happened
A threat actor claimed to have exfiltrated about 100 GB of user data from Crunchyroll after allegedly gaining access through a compromised employee at Telus, the anime platform’s business process outsourcing partner. According to the report, the intrusion reportedly took place on March 12, 2026 and gave the attacker access to Crunchyroll’s internal environment, including customer-facing systems and ticketing infrastructure. A sample of the allegedly stolen data reviewed by the publication included IP addresses, email addresses, credit card details, and customer analytics data. As of the report’s publication, Crunchyroll had not publicly acknowledged the breach.Â
Who is affected
Crunchyroll users whose information may have been stored in the company’s customer analytics and ticketing systems are potentially affected, based on the threat actor’s claim and the sample data described in the report.Â
Why CISOs should care
The incident highlights the risks associated with third-party outsourcing providers that manage customer support and related systems, where a single compromise can provide access to sensitive customer environments and data.Â
3 practical actions
- Review third-party access to customer systems. Assess the exposure created by outsourcing providers that handle support, billing, or authentication workflows.Â
- Investigate possible ticketing and analytics exposure. Check whether sensitive customer data in support and analytics platforms could be accessed through partner environments.Â
- Prepare customer notification and response plans. The report says Crunchyroll had not publicly acknowledged the incident at the time of publication, despite the alleged exposure of user data.Â
For more coverage of major security incidents affecting organizations worldwide, explore our reporting on Data Breaches.
John Kevin Hao is a news and feature writer covering cybersecurity, technology, and business targeted for professional audiences.