Hackers Hit Crunchyroll: Millions of Anime Fans' Data Exposed

If you're one of Crunchyroll's 15 million subscribers, today is the day to act. Anime streaming service Crunchyroll confirmed today, March 24, 2026, that a data breach involving customer service ticket information occurred following an incident with a third-party vendor, after a hacker claimed to have accessed user data and internal systems. The AI Journal This is breaking news — and the full picture is alarming. At digital8hub.com, we've been covering cybersecurity developments closely across the tech and entertainment world. This breach stands out for its scale, the sensitivity of the data involved, and the brazen behaviour of the attacker. Here's everything you need to know. How Did It Happen? The attack didn't begin inside Crunchyroll's own walls. Crunchyroll had nearly 100GB of data allegedly stolen from its analytics and support systems following an intrusion against an employee at its business process outsourcing partner, Telus. Yahoo! The threat actor gained access to the Okta SSO account of a support agent working for Crunchyroll — allegedly an employee of Telus International — who had access to Crunchyroll support tickets. The threat actors used malware to infect the agent's computer and gain access to their credentials. Google DeepMind Those credentials gave access to various Crunchyroll applications, including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack. Google DeepMind In other words — once inside, the attacker had the run of the house. What Data Was Taken? The scale of the theft is staggering. The hacker infected the employee's device with malware and claimed to have stolen 100 gigabytes of data from Crunchyroll's ticketing system. Samples confirmed by International Cyber Digest included IP addresses, email addresses, and other information. Robotics Tomorrow The attackers downloaded 8 million support ticket records from Crunchyroll's Zendesk instance, containing 6.8 million unique email addresses. Some tickets included partial credit card information. Google DeepMind For context — 6.8 million email addresses paired with partial payment data and IP addresses is a goldmine for phishing scams, identity theft, and targeted financial fraud. The Ransom Demand Crunchyroll Ignored Here's where things get even more alarming. The hacker claims to have sent extortion emails to Crunchyroll, demanding $5 million in exchange for not publicly leaking the data, but received no response from the company. Google DeepMind Rather than engaging or notifying subscribers, Crunchyroll stayed silent — until the story broke publicly and forced their hand today. Crunchyroll's Official Statement Today In a statement to Recorded Future News, a spokesperson said: "At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims." Robotics Tomorrow While that's a carefully worded statement, it confirms the breach is real. The investigation is ongoing, and millions of subscribers are still waiting for direct guidance from the company. Worst Timing: Crunchyroll Was Already Facing a Lawsuit This alleged data breach comes at the worst time for Crunchyroll, as the Sony-owned streaming service was hit with a class-action lawsuit for sharing user information with a third-party marketing company — with claims that email addresses, device IDs, and anime streaming history were being shared without subscribers' knowledge or consent. Google DeepMind Trust in the platform is at an all-time low — and today's breach confirmation will only deepen that concern. What Should You Do Right Now? Don't wait for Crunchyroll to send you an email. Act immediately: 1. Change Your Crunchyroll Password Now Use a strong, unique password you don't use anywhere else. If you've reused this password on other sites, change those too — immediately. 2. Watch Out for Phishing Emails With 6.8 million email addresses in criminal hands, expect a wave of fake Crunchyroll emails. Do not click any unexpected links, even if they look official. 3. Check Your Bank Statements Partial credit card details were among the stolen data. Review your recent transactions and flag anything suspicious with your bank. 4. Use a Password Manager If you're reusing passwords across sites, a password manager will help you generate and store unique credentials for every account. 5. Stay Updated Crunchyroll's investigation is ongoing. Check digital8hub.com for live updates as this story develops throughout the day. The Bigger Lesson: Third-Party Risk Is the Weakest Link Business process outsourcing companies have become high-value targets for threat actors, as they often handle customer support, billing, and internal authentication systems for multiple companies. A single compromised BPO employee can expose large amounts of customer and corporate data across multiple organisations. Google DeepMind Until enterprise platforms hold every vendor to the same security standard as their internal teams, breaches like this will keep happening — and paying subscribers will keep paying the price, in more ways than one.