Crunchyroll is facing serious claims of a possible data breach after reports suggest hackers may have accessed user information through a third party vendor.
Quick Summary – TLDR:
- Around 100GB of data may have been exposed in the alleged breach.
- Attack reportedly happened via outsourcing partner Telus Digital.
- Data could include emails, IP addresses, and credit card details.
- Crunchyroll has not officially confirmed the breach yet.
What Happened?
Reports from cybersecurity account International Cyber Digest claim that an attacker gained access to Crunchyroll’s systems through a third-party vendor. The breach is believed to have occurred on March 12 and lasted for about 24 hours before being contained.
🚨‼️ BREAKING: Crunchyroll breached through outsourcing partner in India.
— International Cyber Digest (@IntCyberDigest) March 22, 2026
A threat actor exfiltrated data from Crunchyroll’s ticketing system and also managed to pull 100 GB of personally identifiable customer analytics data.
We’ve analyzed sample data and it includes IP… pic.twitter.com/BcxGN1Y2Lv
Alleged Breach Linked to Third Party Vendor
The reported attack highlights a familiar cybersecurity issue where external partners become the weakest entry point. According to the claims, the attacker entered Crunchyroll’s internal systems through Telus Digital, an outsourcing partner that handles certain operations.
The initial access reportedly came from an employee system that was infected with malware. Once inside, the attacker is said to have moved laterally across systems and accessed internal tools, including the company’s ticketing system.
From there, a significant amount of data was allegedly extracted.
- Estimated data size: 100GB
- Type of data: Customer analytics and internal records
- Possible exposed information:
- Email addresses
- IP addresses
- Credit card details
Screenshots circulating online allegedly show samples of this data, although these claims have not been independently verified.
Telus Security Incident Adds More Context
The situation becomes more concerning due to a separate but related development involving Telus Digital. The company recently confirmed that it experienced a cybersecurity incident involving unauthorized access to its systems.
In an earlier statement, Telus said, “threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach.” The company also noted that it is actively investigating the incident and has taken steps to secure its systems.
Telus further stated that it has implemented additional security measures and is notifying affected customers where necessary. However, it has not publicly confirmed whether Crunchyroll was directly impacted as part of this broader incident.
Crunchyroll Yet to Confirm Breach
As of now, Crunchyroll has not officially acknowledged the alleged data breach. This leaves several important questions unanswered, including:
- The exact number of users affected.
- The full scope of the data accessed.
- Whether financial information was actually compromised.
Until the company provides an official update, the current reports remain unverified but concerning.
What Users Should Do Now?
Even without confirmation, the nature of the claims suggests users should take precautionary steps, especially since streaming platforms handle sensitive personal and payment data.
Here are some immediate actions users can consider:
- Change your Crunchyroll password immediately.
- Enable two factor authentication if available.
- Monitor bank and card statements for unusual activity.
- Stay alert for phishing emails or suspicious messages.
These steps can help reduce the risk of potential misuse of personal data.
Growing Concern Around Third Party Risks
This incident once again highlights how third-party vendors can become critical vulnerabilities in modern digital systems. Even if a company has strong internal security, its overall safety is only as strong as its external partners.
The reported attack follows a common pattern seen in recent cyber incidents:
- Malware infection on a vendor system.
- Unauthorized access through that system.
- Movement into internal company networks.
- Extraction of sensitive data.
Such attacks are becoming more frequent as companies rely heavily on outsourcing and external services.
SQ Magazine Takeaway
I think this situation is a reminder that data security is no longer just about one company. It is about the entire chain of partners connected to it. Even if Crunchyroll did everything right internally, a weak link outside can still put millions of users at risk.
If these claims turn out to be true, it will be another strong example of why companies must take third party security as seriously as their own systems. For users, it is a good wake up call to stay cautious and proactive with personal data.
