Skip to content
Supply chainContained

Leak at Crunchyroll

On 24 March 2026, anime streaming service Crunchyroll confirmed a data breach traced to a compromised third-party support vendor (Telus), exposing customer support-ticket data — names, emails, IP addresses and partial payment-card details — with a hacker claiming ~8M ticket records and ~6.8M unique email addresses.

Victim
Crunchyroll
SectorMedia

On 24 March 2026, Crunchyroll — the Sony-owned anime streaming platform — confirmed a data breach affecting its customer support operations. The intrusion was not a direct compromise of Crunchyroll's core systems but a supply-chain incident: attackers gained access through Telus Digital, the third-party vendor that runs Crunchyroll's customer support.

The breach originated on 12 March 2026, when an attacker compromised an Okta single sign-on account belonging to a Crunchyroll support agent working for Telus — reportedly via a phishing email and malware on the agent's workstation. With that access, the attacker reached Crunchyroll's Zendesk support system and exfiltrated support-ticket data before the access was revoked, roughly 24 hours later.

Data reported exposed (drawn from support tickets) includes:

  • First and last names
  • Email addresses
  • IP addresses and general geographic location
  • Support-ticket contents
  • Partial payment-card details (e.g. last four digits, expiry dates), with full card numbers only in rare cases

The threat actor — linked in reporting to the ShinyHunters group — claimed to have stolen around 100 GB of data, approximately 8 million support-ticket records and about 6.8 million unique email addresses; these figures are the attacker's claims and remain unverified. A reported $5 million ransom demand went unanswered. Crunchyroll said it cut off the unauthorized access, has found no evidence of ongoing intrusion, and is working with external cybersecurity experts; a class-action lawsuit has since been filed in the United States.

Sources

  1. tomsguide.frhttps://www.tomsguide.fr/piratage-de-crunchyroll-des-cartes-bancaires-de-clients-seraient-compromises/
  2. techcrunch.comhttps://techcrunch.com/2026/03/24/crunchyroll-confirms-data-breach-after-hacker-claims-unauthorized-access/
  3. upguard.comhttps://www.upguard.com/news/crunchyroll-data-breach-2026-04-07
  4. classaction.orghttps://www.classaction.org/news/crunchyroll-failed-to-prevent-march-2026-data-breach-class-action-lawsuit-alleges

Related incidents

Supply chainOngoing

Leak at PornHub

On 16 December 2025, adult-content platform Pornhub disclosed that historical analytics data on select Premium users — including email addresses and search/viewing history — was stolen via third-party provider Mixpanel; ShinyHunters claimed ~200 million records and demanded a ransom.

Victim
PornHub
Supply chainContained

Leak at Le Point

On 18 November 2024, French news magazine Le Point disclosed a breach traced to a compromised subscriber-management subcontractor, exposing the names, postal/email addresses and phone numbers of an estimated 900,000 current and former readers.

Victim
Le Point
Supply chainContained

Leak at Alan (via Almerys)

On 23 May 2026, French digital health insurer Alan warned members that a cyberattack on its third-party claims processor Almerys had exposed their personal data — names, dates of birth, social security numbers and insurance contract details — though payment, password and health data were spared.

Victim
Alan