“`html
An adversarial actor is said to have extracted around 100 GB of personally identifiable information (PII) from Crunchyroll, the anime streaming behemoth owned by Sony, following access via a compromised employee at its outsourcing associate, Telus.
The breach, which allegedly transpired on March 12, 2026, has yet to be publicly recognized by Crunchyroll as of the current writing.
The malevolent actor, who reached out to Cyber Digest, claimed that the breach occurred after an employee at Telus, Crunchyroll’s business process outsourcing (BPO) affiliate, executed malware on their workstation.
This malware infection afforded the intruder a pathway into Crunchyroll’s internal setting, permitting lateral movement into sensitive systems that engage directly with customers, including the company’s ticketing framework.
This method of attack reflects a wider trend noted in the Telus Digital incident confirmed on March 12, 2026, where adversaries asserted they had pilfered data from Telus and many enterprises relying on the firm for BPO services such as customer assistance, AI data management, and content oversight.
Since BPO providers manage authentication and billing functionalities across diverse client settings, they continue to be appealing high-value targets for adversaries attempting to amplify breach impact through a lone compromise.
Data Extraction by Intruders
Cyber Digest examined a subset of the exfiltrated data shared by the adversarial actor, which included extremely sensitive categories of consumer information, such as:
- IP addresses
- Email addresses
- Credit card information
- Customer analytics details (PII)
The actor asserts that a total of 100 GB of data was extracted from Crunchyroll’s customer analytics environment and ticketing system. The nature of the disclosed data presents severe risks of identity theft, financial deceit, and targeted phishing endeavors for the impacted subscribers.
The adversary claimed that Crunchyroll identified and revoked their access roughly 24 hours post the initial breach on March 12, 2026. Despite the relatively brief access duration, the amount of data extracted indicates the adversary had meticulously planned the operation and acted promptly once penetrated.
Moreover, the adversary informed Cyber Digest that Crunchyroll has consistently disregarded all communications pertaining to the incident and has yet to make any public disclosure to the affected customers.
This lack of response is particularly alarming, considering that Crunchyroll was already under a class-action lawsuit earlier in 2026 concerning alleged unauthorized sharing of user viewing data with third-party marketing services.
As of publication, Crunchyroll has not replied to inquiries for comments. Cyber Security News will persist in tracking this evolving narrative.
“`