What happened and how one login unlocked millions of records
Crunchyroll, the Sony owned anime streaming platform with over 120 million registered users, confirmed a data breach in late March 2026 after a threat actor contacted security reporters with proof of access. The breach itself had happened two weeks earlier, on March 12 and Crunchyroll's own systems were never directly touched.
The attacker's entry point was Telus Digital, a business process outsourcing company that handles customer support for Crunchyroll. A Telus support agent's device was infected with malware, which captured their Okta single sign-on credentials. With those credentials, the attacker logged into Crunchyroll's internal platforms like Zendesk, Slack, Google Workspace, and several others as a legitimate support employee.
The attacker never hacked Crunchyroll itself, they compromised a vendor employee's account that had legitimate access. This is the same playbook used in multiple major breaches in the past two years. Your data is only as safe as the least-secure third party with access to it.
Within a 24-hour window before access was revoked, the attacker downloaded approximately 8 million support ticket records from Crunchyroll's Zendesk instance. They then demanded $5 million from the company to delete the data. Crunchyroll did not respond to the demand. The attacker later contacted security outlet BleepingComputer with samples to prove the breach was real.
The attack has been linked by several researchers to ShinyHunters, the same threat group that in March 2026 also claimed a breach of Telus Digital itself, stealing nearly 1 petabyte of data including FBI background checks and voice recordings for 28 companies that used the contractor.
What data was actually exposed
Support tickets are deceptively information-rich. Customers write to support teams when something goes wrong about billing errors, account access issues, playback problems and in those conversations they often include personal details they wouldn't share elsewhere.
Confirmed exposed data from the Crunchyroll breach includes:
- Full name and login username for each account that ever submitted a support ticket
- Email address 6.8 million unique addresses across the 8 million tickets
- IP address at the time of each support interaction
- General geographic location derived from IP data
- Full contents of support tickets including whatever the user typed
- Partial payment details in cases where users included card information in their messages (last four digits and expiry in most cases; a small number contained full card numbers)
And included any payment details in that message even just the last four digits and that information was in the stolen tickets. Check your card statements and consider requesting a new card number from your bank if you're concerned.
The timeline of the attack also matters: the attacker stated they downloaded support data going back to mid-2025. If you had a support interaction with Crunchyroll in roughly the past year, your ticket was likely in the dataset.
DataLeakz scans breach databases including newly reported leaks and see if your Crunchyroll email has been flagged.
What Crunchyroll users should do right now
As of the time of writing, Crunchyroll has not directly notified affected users. The company acknowledged the breach publicly but has not sent individual emails to the 6.8 million accounts involved. Don't wait for a notification, act now.
Change your Crunchyroll password
Even though passwords were not confirmed stolen, your email is now in circulation. If you reused your Crunchyroll password anywhere else, change it at those accounts immediately! attackers will try credential stuffing.
Enable 2FA on your Crunchyroll account
If you haven't already, add an authenticator app as a second factor. This stops account takeover even if an attacker has your email and password from another source.
Watch for phishing emails impersonating Crunchyroll
Attackers with your name, email, and support ticket history can craft very convincing phishing messages. Be suspicious of any Crunchyroll-branded email asking you to click a link, verify your account, or re-enter payment details.
Review your payment method if you contacted support about billing
If you ever included card details in a support conversation, contact your bank. Request a new card number proactively the cost is low, the peace of mind is high.
Monitor your email address for future exposure
Breach data gets recycled and resold. Your email from this leak will appear in combo lists for months or years. Set up breach monitoring so you're alerted when it surfaces in new datasets.
The bigger picture: vendor access is the new attack surface
The Crunchyroll breach is one of at least three confirmed incidents tied to the ShinyHunters group's compromise of Telus Digital in early March 2026. In that single campaign, attackers reportedly accessed data from 28 companies that used Telus as a support outsourcing partner all by working their way through vendor credentials rather than attacking each company directly.
This is not new, but it's accelerating. Discord suffered a near-identical Zendesk breach in late 2025, exposing 5.5 million users the same way. Clorox sued its IT contractor Cognizant after a 2024 breach. The attack pattern is consistent: compromise a BPO employee, use their legitimate access to download everything within reach before detection, then demand a ransom.
For users, the lesson is uncomfortable: you have no visibility into how many third parties have access to your data at any service you use. A company can have excellent internal security and still be breached through a contractor in another country. The only practical response is to assume breach, use unique passwords everywhere, and monitor your email for downstream exposure.
This breach is a reminder that customer support conversations are stored — often for years — and are a target. If a support agent needs to verify a payment, let them look it up on their end. Never type card numbers into a chat or ticket field.
Common questions
Probably not directly, the stolen data came from support tickets, not the main user database. If you never submitted a support request, your data was unlikely to be in the 8 million tickets taken. That said, your email may still surface in secondary datasets if the attacker combines this breach with others. Running a breach check is worth doing regardless.
That's a personal decision, but the breach itself isn't a reason to cancel if you otherwise value the service. The more important actions are changing your password, enabling 2FA, and staying alert for phishing. Cancelling doesn't remove your historical data from the stolen dataset.
As of early April 2026, Crunchyroll has only issued public statements through media outlets no direct user notifications have been reported. This is unfortunately common in the early stages of a breach, particularly when the company is still determining scope. Under GDPR, affected users in the EU should receive notification. US notification timelines vary by state law. Don't wait, act proactively.
Sources
- BleepingComputer: Crunchyroll probes breach after hacker claims to steal 6.8M users' data (March 2026)
- TechCrunch: Crunchyroll confirms data breach after hacker claims unauthorized access (March 2026)
- The Record (Recorded Future): Anime streaming giant Crunchyroll says hacker stole customer service ticket data (March 2026)
- State of Surveillance: ShinyHunters Hit Crunchyroll — 6.8 Million Anime Fans Exposed via TELUS Breach (March 2026)