Crunchyroll breach claim points to 100GB of stolen user data, but the company has not confirmed it
5 min. read 
Published on
Crunchyroll has not publicly confirmed a data breach as of March 23, 2026. What exists right now is a threat actor claim that about 100GB of user-related data was stolen after access allegedly came through TELUS Digital, a business process outsourcing provider that has already confirmed a separate cybersecurity incident involving unauthorized access to a limited number of its systems.
That makes this a serious but still unverified claim. Reports say the attacker told International Cyber Digest that the intrusion started on March 12, 2026, after malware ran on a TELUS-linked employee workstation, which then allowed access to Crunchyroll systems, including ticketing infrastructure and customer analytics data. Crunchyroll itself has not issued a public statement on its newsroom or other official channels that confirms those details.
If the claim is accurate, the risk could be substantial. The sample described by Cyber Security News allegedly includes IP addresses, email addresses, credit card details, and customer analytics data. That combination would create clear exposure to phishing, account targeting, and possible financial fraud.
What is confirmed so far
TELUS Digital has publicly confirmed that it is investigating a cybersecurity incident involving unauthorized access to a limited number of its systems. The company says it took immediate containment steps, brought in forensics experts, and is notifying impacted customers where appropriate. Reuters separately reported that TELUS is working with law enforcement and that samples shared with Reuters appeared to include data tied to multiple companies, although Reuters said it had not verified the full dataset.
What is not confirmed is the alleged Crunchyroll impact. The current reporting traces back to threat actor claims and sample review by outside outlets, not to a direct public acknowledgment from Crunchyroll or Sony. That means the safest framing is that Crunchyroll is the subject of a breach allegation connected to the wider TELUS incident, not that the company has definitively disclosed a breach.
What the attacker claims was taken
According to the published report, the threat actor says it exfiltrated data from Crunchyroll’s customer analytics environment and ticketing systems. The same report says the stolen sample included several categories of personally identifiable and payment-related information.
| Alleged data type | Reported examples |
|---|---|
| Account-related data | Email addresses, IP addresses |
| Financial data | Credit card details |
| Support and service data | Ticketing-system information |
| Analytics data | Customer analytics records containing PII |
Source: published description of the sample reviewed by Cyber Security News.
Why this claim matters
This story stands out because it fits a broader supply-chain style pattern. BPO providers often sit close to support systems, account workflows, moderation tools, and customer operations across many brands. If one provider is compromised, attackers may try to pivot into multiple clients from the same foothold. Reuters reported that data samples linked to the TELUS incident appeared to reference many companies, which supports the idea that downstream customer exposure is a real concern investigators now need to check carefully.
The timing also adds pressure on Crunchyroll. The company has already faced renewed scrutiny over user-data handling this month because of a fresh privacy lawsuit tied to alleged sharing of viewing data. That lawsuit is separate from this breach claim, but it increases the attention around any new report involving customer information.
What Crunchyroll users should watch for
Crunchyroll users do not yet have official confirmation that their information was exposed. Still, anyone with an account should watch for password reset emails they did not request, unusual billing alerts, suspicious support messages, and phishing attempts that reference anime subscriptions, failed payments, or account verification. This is precautionary advice based on the kinds of data the attacker claims to hold.
For the company, the next important step is clarity. If Crunchyroll confirms any impact, users will need to know what data categories were involved, whether payment information was actually exposed, and whether any credentials or sessions should be reset.
Key points
- TELUS Digital has confirmed a cybersecurity incident involving unauthorized access to a limited number of its systems.
- Crunchyroll has not publicly confirmed a breach as of March 23, 2026.
- The threat actor claims about 100GB of user-related data was stolen.
- Reported sample data allegedly includes IP addresses, email addresses, credit card details, and customer analytics data.
- The current public case relies on attacker claims and outside reporting, not on an official Crunchyroll disclosure.
FAQ
No. As of March 23, 2026, the public reporting says Crunchyroll has not acknowledged the alleged breach.
TELUS Digital has confirmed a cybersecurity incident affecting a limited number of its systems. The alleged Crunchyroll impact remains unconfirmed publicly.
Published reporting says the sample included IP addresses, email addresses, credit card details, and customer analytics data.
The report says the attacker claimed access began after malware executed on a workstation tied to Crunchyroll’s outsourcing partner, TELUS. That detail remains based on the attacker’s version of events.
There is no official Crunchyroll notice telling users to do so yet. As a precaution, users can still enable stronger login security, watch payment activity closely, and be cautious with phishing emails until more facts emerge.
Read our disclosure page to find out how can you help VPNCentral sustain the editorial team Read more
Improve this guide
User forum
0 messages