Crunchyroll is reportedly dealing with a serious data breach, although the company has not officially confirmed the incident yet. A threat actor has claimed that around 100GB of user data has been exfiltrated from the platform.
According to the claim, the breach took place on March 12, 2026. The attacker reportedly gained access through a compromised employee system at Telus, which provides business process outsourcing services to Crunchyroll.
The attack is said to have started after malware was executed on the employee’s workstation. This allowed the attacker to enter Crunchyroll’s internal systems and move across different environments. Reports suggest that the attacker was able to access customer-facing systems, including support and analytics tools.
Security researchers who reviewed a sample of the data claim it includes sensitive user information, reportedly email addresses, IP addresses, credit card details, and other personal data. If verified, this exposure could lead to identity theft, financial fraud, and targeted phishing attacks.
The attacker claims that access to the system lasted for around 24 hours before being detected and blocked. Despite this short window, a large volume of data was reportedly extracted, which indicates that the attack may have been planned in advance.
This incident is also linked to a larger issue involving Telus. Attackers are said to be targeting outsourcing providers of this kind because they handle systems for multiple clients, so a single breach can give access to data from different platforms.
At the time of writing, Crunchyroll has not made any public statement about the incident. The company has also not responded to queries about the breach.







