Person watching streaming content on laptop in dark room

TL;DR: On March 12, 2026, attackers linked to ShinyHunters breached Sony's anime streaming service Crunchyroll and stole 100GB of data, roughly 6.8 million unique customer records. They got in through a compromised Okta account belonging to a TELUS Digital support agent in India. The stolen data includes names, email addresses, IP addresses, location data, and the contents of support tickets (some containing credit card details customers shared with support). Crunchyroll detected and revoked access within 24 hours, but the attackers already had the data. Twelve days later, Crunchyroll still hasn't notified affected users directly.

How They Got In

ShinyHunters didn't hack Crunchyroll directly. They went through the back door: a third-party support contractor.

On March 12, 2026, attackers phished an employee working for TELUS Digital, Crunchyroll's business process outsourcing partner based in India. The employee clicked a malicious link containing hidden malware. That malware stole their Okta single sign-on credentials [1][2].

With those credentials, the attackers logged directly into Crunchyroll's internal systems. Specifically, they accessed Zendesk, the customer support platform containing years of support ticket history [3].

Crunchyroll detected the unauthorized access and revoked it within 24 hours. But 24 hours is plenty of time to download 100GB of data when you know what you're looking for.

What They Took

According to the attackers and security researchers who reviewed samples, the breach exposed [3][4][5]:

  • 8 million support tickets from Crunchyroll's Zendesk instance
  • 6.8 million unique email addresses tied to Crunchyroll accounts
  • Customer names and login usernames
  • IP addresses and general geographic location data
  • Support ticket contents: whatever customers wrote to support

Here's the problem with support tickets: customers share sensitive information when asking for help. BleepingComputer confirmed that some tickets contain credit card details: last four digits, expiration dates, and in a few cases, full card numbers that customers typed into support conversations [3].

If you ever contacted Crunchyroll support about a billing issue and included your card details in the message, that information may now be in criminal hands.

The TELUS Problem

This is the third confirmed victim in ShinyHunters' ongoing TELUS-sourced campaign.

On March 11, 2026, TELUS Digital confirmed that ShinyHunters had stolen nearly 1 petabyte of data from their systems, including FBI background checks, voice recordings, and customer data from 28 companies. The attackers originally got into TELUS using credentials stolen from the August 2025 Salesloft Drift breach [6].

The attack chain:

  1. Salesloft Drift compromised (August 2025) → credentials stolen
  2. TELUS Digital compromised (late 2025) → 1PB of data exfiltrated
  3. Crunchyroll compromised (March 2026) → via TELUS employee's Okta credentials

One vendor compromise cascading into another. This is what supply chain attacks look like.

Crunchyroll's Response (Or Lack Thereof)

Crunchyroll issued a brief statement acknowledging "an incident with a third-party vendor" that "primarily" affected "customer service ticket data" [4][5].

What they haven't done:

  • Sent notification emails to affected users
  • Published details about what specific data was compromised
  • Confirmed how many users are affected
  • Offered credit monitoring or identity protection

According to multiple reports, the attackers contacted Crunchyroll seeking ransom. Crunchyroll ignored all messages [2]. That's not unusual: companies often refuse to engage with attackers. But it also means the data is more likely to end up on criminal marketplaces.

The breach happened March 12. As of March 24, most affected users have no idea their data was stolen.

Are You Affected?

If you have a Crunchyroll account and have ever contacted customer support, your data may be in this breach.

Crunchyroll has over 14 million subscribers globally. The breach contains 6.8 million unique email addresses, roughly half the subscriber base. The affected accounts appear to be those who interacted with customer support at some point.

Check Have I Been Pwned. Security researcher Troy Hunt typically adds major breaches within days. As of publication, this breach hasn't been added yet, but check back.

What You Should Do

Change Your Password

If you use the same password anywhere else, change it everywhere. The breach includes login usernames, so credential stuffing attacks are inevitable.

Enable Two-Factor Authentication

Crunchyroll supports 2FA. If you haven't enabled it, do it now. Go to Account Settings → Security → Two-Factor Authentication.

Watch Your Credit Card

If you ever shared card details in a support ticket, monitor that card for unauthorized charges. Consider requesting a new card number from your bank.

Watch for Phishing

Attackers now know you're a Crunchyroll user and have your email. Expect targeted phishing emails claiming to be from Crunchyroll. Don't click links. Go directly to crunchyroll.com.

The Bigger Problem

This breach is a perfect example of why vendor security matters more than your own.

Crunchyroll could have the best security team in streaming. Wouldn't matter. Their support contractor got phished, and attackers walked out with 6.8 million customer records. Crunchyroll's own systems weren't breached. Their vendor's were.

ShinyHunters has been running this playbook all year. In 2026 alone, they've hit Betterment, Bumble and Match Group, Figure, CarGurus, and now TELUS and Crunchyroll. The common thread: vendor access, Okta credentials, and companies that didn't know their third parties had been compromised until the data was already gone.

TELUS Digital handles customer service for dozens of major brands. Crunchyroll won't be the last company breached through that vector.

Sources

  1. Cybersecurity News: Crunchyroll Data Breach: Threat Actor Claims Exfiltration of 100 GB of User Data (March 2026)
  2. Animehunch: Crunchyroll Suffers Major Data Breach; 100 GB Of Sensitive User Information Stolen
  3. BleepingComputer: Crunchyroll probes breach after hacker claims to steal 6.8M users' data (March 2026)
  4. Screen Rant: Crunchyroll Officially Responds to Data Breach With New Statement (March 2026)
  5. Game Rant: Crunchyroll Working With Cyber Security Experts on Data Breach (March 2026)
  6. Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift