TL;DR
- Crunchyroll, the world’s leading anime streaming service, has reportedly suffered a massive data breach.
- The incident was a “supply chain” attack targeting an employee at Telus Digital, an outsourcing partner in India.
- Approximately 100 GB of sensitive data, including emails, IP addresses, customer analytics, and potentially partial credit card details, was stolen.
- A sophisticated phishing campaign led to a malware infection on a partner workstation, allowing attackers to harvest Okta credentials.
- All Crunchyroll users are strongly advised to reset their passwords immediately and enable Multi-Factor Authentication (MFA).
- UPDATE: A threat actor “hubert” is selling a Crunchyroll Zendesk database containing 2,000,000 support tickets and 1,394,207 unique email addresses.
- UPDATE: TELUS itself has officially confirmed that a breach occurred in which 1 petabyte of data overall was stolen that same day.

UPDATE: A threat actor “hubert” is selling a Crunchyroll Zendesk database. Allegedly, it contains more than 2,000,000 support tickets and 1,394,207 unique email addresses. An exhaustive list was provided as proof in JSON format. Asking price? $2,000.
UPDATE: TELUS itself has officially confirmed that a breach occurred in which 1 petabyte of data overall was stolen that same day.
ORIGINAL STORY BELOW
How One Phishing Email Compromised Millions of Weebs
In a startling revelation that has sent shockwaves through the global anime community, Crunchyroll has become the latest victim of a high-stakes supply chain cyberattack. While the company itself maintains a robust security posture, the “weakest link” proved to be an external one: a business process outsourcing (BPO) partner located in India.
The breach, which reportedly saw the exfiltration of 100 gigabytes of highly sensitive customer data, serves as a grim reminder of the vulnerabilities inherent in modern globalized tech infrastructure.
The Anatomy of the Attack: From Phish to PII
The breach did not begin with a direct assault on Crunchyroll’s servers in California. Instead, it started with a meticulously crafted, spoofed phishing email sent to an employee at Telus Digital (formerly Telus International), a major BPO provider that handles customer support and ticketing for Crunchyroll.
According to cybersecurity analysts and leaked reports from the threat actors themselves, the sequence of events was as follows:
- The Hook: An employee in India received a spoofed email that appeared to be a legitimate internal communication.
- The Detonation: The employee, believing the email to be authentic, executed a malicious attachment. This “detonated” an infostealer malware on their local workstation.
- Credential Harvest: Once active, the malware bypassed local defenses to scrape session tokens and login credentials. Crucially, it captured the employee’s Okta credentials.
- The Infiltration: Using these valid (but stolen) credentials, the threat actor bypassed standard authentication and gained direct access to Crunchyroll’s internal environment.
- Data Exfiltration: For roughly 24 hours, the attacker moved laterally through the system, focusing on the Zendesk ticketing system and customer analytics databases.
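One way a defender could catch the "Infiltration" step is to look for a session that was created on one machine and later used from another. This is an added example, not from the original article; the flat event layout, field names and sample records are constructed and are not the log schema of Okta or any other product.

```python
from collections import defaultdict

# Constructed sample records (documentation IP ranges and ASNs).
# The flat field layout is an assumption, not a real product's log schema.
SAMPLE_EVENTS = [
    {"time": "2026-01-10T08:01:12Z", "user": "agent1@bpo.example", "session_id": "s-100",
     "ip": "198.51.100.10", "asn": 64500, "user_agent": "Chrome/120 Windows"},
    {"time": "2026-01-10T08:40:03Z", "user": "agent1@bpo.example", "session_id": "s-100",
     "ip": "203.0.113.77", "asn": 64511, "user_agent": "Firefox/121 Linux"},
    {"time": "2026-01-10T09:00:00Z", "user": "agent2@bpo.example", "session_id": "s-200",
     "ip": "192.0.2.15", "asn": 64501, "user_agent": "Chrome/120 Windows"},
    {"time": "2026-01-10T09:30:00Z", "user": "agent2@bpo.example", "session_id": "s-200",
     "ip": "192.0.2.99", "asn": 64501, "user_agent": "Chrome/120 Windows"},
]

def find_session_reuse(events):
    """Flag sessions that are later used from a different network or browser
    than the one they were created on (typical of a replayed stolen token)."""
    by_session = defaultdict(list)
    for ev in events:
        by_session[ev["session_id"]].append(ev)

    findings = []
    for sid, evs in by_session.items():
        # ISO-8601 UTC timestamps in one format sort correctly as strings.
        evs.sort(key=lambda e: e["time"])
        origin = evs[0]
        for ev in evs[1:]:
            # An IP change alone is normal (DHCP, VPN egress pools), so compare
            # the network owner (ASN) and the browser instead.
            changed = [k for k in ("asn", "user_agent") if ev[k] != origin[k]]
            if changed:
                findings.append({"session_id": sid, "user": ev["user"],
                                 "first_seen_ip": origin["ip"], "reuse_ip": ev["ip"],
                                 "reuse_time": ev["time"], "changed": changed})
                break  # one finding per session is enough to open a case
    return findings

if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_EVENTS):
        print(f)
```

In the sample, session `s-100` is flagged because both the network and the browser change mid-session, while `s-200` only changes IP inside the same network and is left alone.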

What Data Was Stolen? A 100GB Treasure Trove
Initial samples provided by the threat actors suggest a wide-reaching compromise. The 100 GB haul is not just a collection of names and email addresses; it is a deep dive into customers’ streaming habits, personal information and financial data.
1. Personally Identifiable Information (PII)
The most immediate risk to users comes from the exposure of:
- Full Names and Email Addresses: Perfect fuel for future, more targeted phishing campaigns.
- IP Addresses: Which can be used to approximate user locations and track digital footprints.
- Account History: Details on subscription tiers and account age.
2. The Financial Risk: Credit Card Details
Perhaps the most alarming claim is the theft of credit card information. While modern systems typically “mask” credit card numbers (showing only the last four digits), the ticketing system often contains unencrypted logs or “receipt” snapshots that may have been swept up in the exfiltration. If full card details were present in support tickets (where users occasionally send screenshots to resolve billing issues), the risk of financial fraud is extreme.
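The paragraph above notes that support tickets can hold card numbers that were never masked. As an added example (not from the original article, and not Crunchyroll's or Zendesk's code), this is one way a ticket intake step could mask them down to the last four digits before the text is stored; the function names and the sample ticket text are constructed, and the card numbers are public test numbers.

```python
import re

# Candidate card number: 13-19 digits, optionally separated by spaces or hyphens.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Luhn checksum: filters out order IDs and phone-like digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:      # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def redact_pans(text):
    """Return (redacted_text, count). Only Luhn-valid candidates are masked."""
    hits = 0

    def mask(match):
        nonlocal hits
        digits = re.sub(r"\D", "", match.group(0))
        if not luhn_ok(digits):
            return match.group(0)   # leave non-card digit runs untouched
        hits += 1
        return "[CARD ****" + digits[-4:] + "]"

    return PAN_RE.sub(mask, text), hits

# Constructed ticket body: one spaced test card number, one hyphenated test
# card number, and a 16-digit order ID that fails the Luhn check.
SAMPLE_TICKET = (
    "I was charged twice on 4111 1111 1111 1111, order 1234567890123456. "
    "Please move billing to 5555-5555-5555-4444."
)

if __name__ == "__main__":
    redacted, count = redact_pans(SAMPLE_TICKET)
    print(count, redacted)
```

Text-only masking does not cover card numbers inside screenshots or attachments, which need separate handling.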
3. Customer Analytics & Support Tickets
By gaining access to the ticketing system, the attacker has access to every conversation users have had with Crunchyroll support. This includes:
- Personal complaints.
- Billing disputes.
- Verification documents (if any were uploaded).
Full list of details confirmed to have been stolen (depending on the ticket):
- Complete credit card details
- Passwords in plain text
- Email address
- IP Address with IP geolocation
- Phone number
- Full name
- Staff or support agent email
- Billing details
- Browser fingerprints
- Physical address
- Internal API URLs
The “Supply Chain” Problem: Why Outsourcing is a Target
This incident highlights a growing trend in the cyber-underworld: targeting the “middleman.” Why spend months trying to hack a multi-billion dollar giant like Sony (Crunchyroll’s parent company) when you can hack a support partner with potentially looser endpoint security?
Telus Digital handles massive volumes of data for dozens of Fortune 500 companies. By compromising a single workstation at such a firm, hackers gain a “backdoor” into multiple high-value targets.

The “Identity as the New Perimeter”
We spoke with several cybersecurity experts regarding the Crunchyroll incident. The consensus is clear: traditional firewalls are no longer enough.
“This is a classic case where the system trusted the attacker because they had the right keys,” says a lead analyst. “Once they had the Okta credentials, they weren’t ‘hacking’ anymore; they were just simply, easily ‘logging in.’ This underscores why hardware-based MFA (like Yubikeys) is becoming non-negotiable for anyone with administrative access to customer data.”
What Should Crunchyroll Users Do Right Now?
If you have an active Crunchyroll account, or have had one in the last five years, you should assume your data was part of the 100 GB leak.
1. Reset Your Password Immediately
Even if you think your account is safe, change your password. Use a unique, complex string of characters that you do not use for any other service.
2. Check Your “Device Management”
Log in to your Crunchyroll account settings and look for the Device Management tab. Click “Deactivate All Devices” to force a logout of every session, including potential unauthorized ones.
3. Enable 2FA (If Available)
While Crunchyroll has been slow to roll out robust two-factor authentication for all users, ensure any linked accounts (like Google or Apple ID) have 2FA enabled.
4. Monitor Your Bank Statements
Keep a close eye on the credit or debit card you use for your subscription. If you see even a $1.00 “test charge” that you don’t recognize, contact your bank immediately to freeze the card.
5. Be Wary of “Crunchyroll” Emails
Expect a surge in phishing. You may receive emails that look like they are from Crunchyroll support asking you to “click here to secure your account.” Do not click. Go directly to crunchyroll.com in your browser.
Frequently Asked Questions (FAQ)
Is Crunchyroll safe to use right now?
Yes, the platform’s streaming services are operational. The breach affected stored data and support systems, not the live video delivery infrastructure. However, your account may be at risk if you haven’t changed your password.
Did the hackers get my password?
The hackers obtained Okta credentials of an employee, which gave them access to the database. Whether they were able to extract hashed user passwords from the analytics data is currently being investigated.
Was my credit card stolen?
Threat actors claim to have credit card details. While Crunchyroll typically uses secure payment processors, data stored in support tickets or analytics logs could contain sensitive financial snippets.
Why was India involved in this breach?
Crunchyroll, like many global companies, outsources its customer service and data entry to partners like Telus Digital, which has major operations in India. The breach happened at the partner level, not Crunchyroll’s HQ.
Will I get a notification if my data was stolen?
Under GDPR and CCPA regulations, Crunchyroll is legally obligated to notify users if their PII was compromised. Watch your inbox for an official “Notice of Data Breach.”
A Wake-Up Call for the Streaming Giant
The Crunchyroll breach is a landmark case for 2026. It proves that even the most beloved brands are only as secure as their least-secure partner. As the investigation continues, the pressure is on Sony and Crunchyroll to provide transparency and better protection for the millions of fans who trust them with their data.








