
Crunchyroll Probes 100GB Data Breach via Telus

The threat actor breached Crunchyroll on March 12, 2026, through a compromised employee at outsourcing partner Telus International, stealing 100GB of user data, including 6.8 million email addresses.

Key Takeaways

  • A threat actor breached Crunchyroll via a malware-infected Telus International BPO employee’s workstation.
  • Stolen Okta SSO credentials gave access to Zendesk, Slack, Google Workspace, Mixpanel, and Jira.
  • Approximately 100GB of data was exfiltrated, including 6.8 million unique email addresses from support tickets.
  • Crunchyroll confirmed it is investigating the incident but has not publicly notified affected users.

Crunchyroll, the Sony-owned anime streaming platform with over 15 million active subscribers, is investigating a significant data breach that security researchers say occurred on March 12, 2026. BleepingComputer first broke the story after direct contact from the threat actor.

They reported the attacker gained entry not through Crunchyroll servers, but through a compromised employee at Telus International. This Vancouver-based business process outsourcing company handles Crunchyroll customer support operations.

As Reuters confirmed, Crunchyroll has acknowledged it is probing the incident. The breach has exposed what experts in cybersecurity practices consider one of the most underestimated attack surfaces in enterprise security: the BPO supply chain.

How the Telus BPO Attack Unfolded

According to BleepingComputer, the threat actor contacted the outlet and claimed to have breached Crunchyroll on March 12 at 9 PM EST.

They gained access via the Okta SSO master login of a support agent at Telus. This agent specifically had access to Crunchyroll support tickets. The attackers claimed to have used malware to infect the agent’s computer and steal their credentials. 

PCMag reported that once inside, those stolen Okta credentials functioned as a master key, unlocking multiple internal Crunchyroll applications simultaneously.

Screenshots shared with BleepingComputer showed the credentials gave access to Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack. 

In plain terms, a single infected workstation at an outside vendor gave the attacker total access across Crunchyroll’s entire customer support and internal communication networks.

The attacker downloaded 8 million Crunchyroll Zendesk support records, including 6.8 million unique email addresses, as CNET reports. The threat actor stated that Crunchyroll revoked access 24 hours after the breach. 

Despite this short window, the high volume of exfiltrated data suggests the attacker pre-planned the operation and moved quickly once inside. 

Why Crunchyroll’s Supply Chain Exposure Matters

Mashable reported that the breach did not exploit a vulnerability in Crunchyroll’s own code or infrastructure; it exploited trust.

Reports note that business process outsourcing companies have become high-value targets for threat actors over the past few years, as they often handle customer support, billing, and internal authentication systems for multiple companies simultaneously.

By compromising a single BPO employee, an attacker can gain access to large volumes of customer and corporate data across multiple client companies in a single operation.

Cybernews reported that the ShinyHunters gang, which has been running active voice phishing campaigns to steal Okta, Microsoft, and Google SSO credentials, separately claimed responsibility for a massive Telus Digital breach, alleging the theft of 700 TB of internal data.

BleepingComputer was explicitly told by the threat actor behind the Crunchyroll breach that the two incidents are not directly connected. This makes the Crunchyroll attack a separate intrusion that happened to exploit the same BPO weak point.

Crunchyroll and Telus Issue Statements

Screen Rant notes that following requests for comment, Crunchyroll issued a brief public response confirming it is investigating the claims, without disclosing the scope of the breach or notifying its subscriber base directly. 

Telus Digital separately confirmed that it is investigating a cybersecurity incident involving unauthorized system access. Upon discovery, the company secured its systems and maintained full business operations, with no evidence of disruption to services or connectivity.

Additional reporting from Game Rant noted that the threat actor also claimed to have sent a $5 million extortion demand to Crunchyroll in exchange for not publicly leaking the stolen data and received no response from the company. 

The attacker said Crunchyroll has continued to ignore all communications regarding the incident and has made no public disclosure to affected customers. This silence raises serious compliance questions for cybersecurity researchers, given GDPR and CCPA obligations to notify users when their personally identifiable information has been compromised.

Who the Crunchyroll Breach Actually Affects

For Crunchyroll’s subscribers, the exposure is multi-layered. Cybernews reported that the stolen data includes IP addresses, email addresses, credit card details, and customer analytics containing personally identifiable information. This creates heightened risks of financial fraud, identity theft, and targeted social engineering for affected users. 

This breach hits Crunchyroll during a sensitive legal period. The Economic Times reported the company faced a March 2026 class-action lawsuit for sharing viewing data with marketing firm Braze without consent. Consequently, Crunchyroll now faces compounding legal and reputational pressure on two separate fronts simultaneously.

For the broader streaming industry, the incident underscores that even platforms backed by major corporations like Sony are only as secure as their least-protected third-party vendor.

What’s Next For Crunchyroll’s Investigation

Crunchyroll has not confirmed a timeline for completing its investigation or notifying affected users. Reuters reported that the company is actively probing the breach, but has not indicated when or whether it will issue formal user notifications under GDPR or CCPA requirements. 

BleepingComputer noted that the support tickets accessed by the attacker all referenced Telus, confirming the BPO employee connection. The forensic investigation will now need to determine precisely how far the attacker’s lateral movement extended beyond the Zendesk environment.

Source: Crunchyroll probes breach after hacker claims to steal 6.8

Fawad Malik

