Crunchyroll Breach Claim Sparks Concerns Over 100 GB Data Exposure
A threat actor has claimed responsibility for stealing around 100 GB of sensitive user data from Crunchyroll, the Sony-owned anime streaming platform, after allegedly gaining access through a compromised employee at outsourcing provider Telus.
The alleged breach reportedly took place on March 12, 2026. At the time of publication, Crunchyroll had not publicly confirmed the incident.
Alleged Initial Access Through Telus
According to details shared with Cyber Digest, the attacker said the intrusion began when a Telus employee allegedly executed malware on a workstation. That infection reportedly gave the threat actor an entry point into systems connected to Crunchyroll.
From there, the attacker claimed they were able to move across internal resources and reach customer-related infrastructure, including ticketing and analytics environments.
Link to the Wider Telus Digital Incident
The reported intrusion appears to mirror claims tied to the broader Telus Digital breach disclosed on March 12, 2026. In that case, attackers alleged they had accessed data from Telus and several organizations that rely on the company for business process outsourcing services.
Telus works with multiple clients across customer support, AI data operations, and moderation services. Because of that, it can be an attractive target for threat actors looking to gain access to several downstream organizations through a single compromise.
What Data Was Allegedly Stolen
Cyber Digest said it reviewed a sample of the allegedly stolen data. The sample reportedly included several categories of personally identifiable information and customer-related records, including:
- Email addresses
- IP addresses
- Customer analytics data
- Payment card details
If confirmed, the exposure of this information could create serious risks for affected users, including phishing, identity theft, and financial fraud.
🚨‼️ BREAKING: Crunchyroll breached through outsourcing partner in India.
A threat actor exfiltrated data from Crunchyroll's ticketing system and also managed to pull 100 GB of personally identifiable customer analytics data.
We've analyzed sample data and it includes IP… pic.twitter.com/BcxGN1Y2Lv
— International Cyber Digest (@IntCyberDigest) March 22, 2026
Access Window and Possible Impact
The threat actor claimed the data was taken from Crunchyroll’s customer analytics systems and ticketing platform. They also alleged that their access was revoked roughly 24 hours after the initial compromise.
Even within that short period, the reported volume of exfiltrated data suggests the operation may have been planned in advance and carried out quickly once access was established.
No Public Disclosure From Crunchyroll
The attacker further claimed that Crunchyroll did not respond to repeated attempts at communication and has not publicly notified users about the alleged breach.
The report comes at a sensitive time for the company. Earlier in 2026, Crunchyroll faced legal scrutiny over allegations that user viewing data had been shared with third-party marketing platforms without proper consent.
Investigation Still Unconfirmed
Crunchyroll had not responded to requests for comment at the time of publication. Until the company publicly confirms the incident, the full scope and accuracy of the threat actor’s claims remain unverified.