I was scanning my feed when a screenshot of a support ticket thread flashed past—email addresses, IPs, partial payment info, and a timestamp. You can feel the stomach drop when a service you trust looks suddenly porous. For Crunchyroll subscribers the question is simple: did 100GB of user data just walk out the door?
Crunchyroll Data Breach: Cybersecurity Sources Report 100GB Leak
Observation: People on X were sharing the same post and the same unease within minutes.
I followed the breadcrumbs to a cybersecurity account on X, which claims a threat actor accessed Crunchyroll through an outsourcing partner, Telus. The post says an employee at that partner ran malware, which let the attacker into Crunchyroll’s ticketing system—where support interactions and some account details are stored. The ticketing system was a filing cabinet left open, and the report says the attacker grabbed about 100GB of data.
The timeline the researcher posted is specific: the attacker claims the intrusion began on March 12, 2026, and that Crunchyroll didn’t detect it for about 24 hours before access was blocked. The same post says the actor tried to contact Crunchyroll and received no public acknowledgment. That account has provided sample files showing IP addresses, email addresses, and payment card details—but none of this has been validated by Crunchyroll yet.
This echoes a similar scare in January 2025, when a claimed breach provoked headlines until Crunchyroll’s spokesperson disputed those findings, as reported by CBR. The pattern is familiar: fast rumor, slow corporate answer, and a lot of anxiety for users.
Did Crunchyroll confirm the breach?
No official confirmation has appeared from Crunchyroll at the time I’m writing. Public-facing silence doesn’t equal nothing happened, but it does mean the claims remain unverified. I recommend watching Crunchyroll’s official channels and @IntCyberDigest on X, and checking security updates from Telus if they publish any statements.
What data was exposed in the leak?
The posted samples reportedly include email addresses, IP addresses, and credit card details, along with ticket contents that can contain personal notes. If payment card data is involved, banks and processors typically flag suspicious charges; still, I advise you to check statements immediately and report anything unfamiliar to your card issuer.
Steps Crunchyroll Users Should Take After Data Breach Reports
Observation: When a rumor like this hits, my inbox fills with requests for “what to do first.”
If you use Crunchyroll, start with the basics: change your password now and do not reuse that password on other sites. If you reused it elsewhere, change those passwords as well. Password reuse is the fastest route from a site leak to a bank notification.
Enable two-factor authentication wherever possible. Crunchyroll does not offer native 2FA yet, so I recommend a third-party solution such as SAASPASS or a password manager that supports time-based one-time passwords. That adds a layer so a stolen password alone won’t give an attacker full access.
Don’t keep payment details stored in accounts if you can avoid it. If you already have a saved card, watch your statements and report suspicious charges to your bank immediately. If a card is compromised, your issuer can often issue a replacement quickly at no cost to you.
Be skeptical of emails claiming to be from Crunchyroll asking you to click links or confirm details. Phishers move fast after breaches. Hover before you click, check sender addresses, and contact Crunchyroll support through the official site if something looks off.
Finally, consider the wider risk: third-party contractors like Telus create a larger attack surface for companies. If the 100GB claim is accurate, the fallout won’t be just a single inbox—it can be a slow faucet that stains the whole basement.
I will keep watching this story and update if Crunchyroll or Telus posts concrete findings; you should treat this as an elevated hygiene alert and act now rather than later. If a contractor’s mistake can expose 100GB of user data, who will be held accountable?