Crunchyroll Hit by Massive 100GB Data Breach; Sensitive User Data Leaked Online

SAN FRANCISCO — Crunchyroll, the world’s largest anime streaming service, is reportedly grappling with a catastrophic security failure. According to a developing report from International Cyber Digest, a threat actor has successfully exfiltrated 100 GB of personally identifiable information (PII), including sensitive financial details and internal communications.

The breach, which allegedly took place on March 12, 2026, appears to have targeted both Crunchyroll’s customer ticketing infrastructure and its internal analytics environment. Despite the scale of the theft, Crunchyroll has yet to issue a public disclosure, sparking concerns among its 15 million+ active subscribers.

The intrusion did not stem from a direct vulnerability in Crunchyroll’s server architecture. Instead, investigators point to a supply chain attack targeting TELUS Digital, an outsourcing partner that handles customer support and data operations for the streaming giant.

Technical logs suggest the breach was initiated when a Telus employee unknowingly executed infostealer malware on their workstation. This allowed the attacker to capture Okta credentials, granting them a direct backdoor into Crunchyroll’s internal environment. The threat actor reportedly maintained access for a full 24 hours before credentials were revoked.

100GB of Data: What Was Stolen?

Leaked samples analyzed by OtakuKart confirm the depth of the exposure. The exfiltrated data includes:

• Partial credit card details linked to active subscriptions.
• Full names, email addresses, and Precise IP addresses.
• Access to the Crunchyroll Enterprise Grid on Slack, specifically channels like #news-crunchyroll, #ithelpdesk, and #share-the-crunch.
• User tables showing active accounts across the United States, India, Mexico, Brazil, and New Caledonia.

Official Statements

While Crunchyroll has remained tight-lipped, their partner TELUS Digital released a statement confirming an investigation into unauthorized access to their systems:

TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely.

All business operations within TELUS Digital remain fully operational and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.

We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.

Sources close to the matter claim the threat actor attempted to contact Crunchyroll’s security team following the breach, but those messages have reportedly gone ignored. This lack of transparency mirrors recent criticisms of major tech firms who delay bad news to avoid subscriber churn.

The leaked data, particularly the combination of IP addresses and partial financial info, makes Crunchyroll users prime targets for highly convincing phishing campaigns and credential stuffing attacks. At OtakuKart, we recommend resetting your password immediately and enabling two factor authentication.

This is a developing story. We have reached out to Sony/Crunchyroll for an official comment and will update this article as more information becomes available.