A significant data breach has reportedly occurred at Crunchyroll, the popular anime streaming service owned by Sony. A threat actor claims to have extracted roughly 100 GB of sensitive user data by infiltrating the systems through an employee at Crunchyroll’s business partner, Telus. This incident highlights ongoing vulnerabilities in outsourced service partnerships.
The breach is said to have taken place on March 12, 2026, although Crunchyroll has yet to confirm or address the event publicly. The intrusion was facilitated by malware executed on a Telus employee’s computer, granting the attacker access to Crunchyroll’s internal network and critical customer-facing systems.
Details of the Security Breach
The threat actor told Cyber Digest that the malware infection enabled lateral movement within Crunchyroll’s infrastructure, particularly affecting its ticketing system. This method of attack is consistent with patterns seen in prior breaches, including a recent incident involving Telus Digital, in which several companies relying on Telus for business process outsourcing services were compromised.
Outsourcing companies, which handle essential tools for authentication and billing across multiple clients, present an attractive target for cybercriminals seeking to maximize their reach with minimal effort. This breach underscores the critical need for robust security measures in third-party service providers.
Impact of the Data Exfiltration
Cyber Digest’s analysis of a sample of the stolen data reveals it includes highly sensitive information such as IP addresses, email addresses, credit card details, and personally identifiable information (PII) from customer analytics. The exposed data poses serious risks, such as identity theft and financial fraud, for the affected individuals.
According to the threat actor, despite being detected and having their access revoked within 24 hours, they succeeded in exfiltrating a substantial amount of data. This suggests the operation was well-planned and executed swiftly, raising concerns about the effectiveness of Crunchyroll’s current cybersecurity defenses.
Crunchyroll’s Response and Legal Concerns
The attacker claims that Crunchyroll has not responded to any communications regarding the breach and has not informed its customers. This lack of transparency is troubling, especially since Crunchyroll was involved in a class-action lawsuit earlier this year related to unauthorized data sharing with marketing companies.
As of now, Crunchyroll has not issued any statements or provided comments on the situation. The cybersecurity community and affected users are keenly awaiting further developments. Cyber Security News will continue to follow and report on this unfolding story.
