A threat actor has allegedly exfiltrated approximately 100 GB of sensitive user data from Crunchyroll, the Sony-owned anime streaming platform, following a compromise linked to its outsourcing partner, Telus.
The incident, reportedly occurring on March 12, 2026, remains unacknowledged by Crunchyroll at the time of writing, raising concerns across the cybersecurity community.
According to details shared with Cyber Digest, the breach originated from a compromised employee workstation within Telus, a business process outsourcing (BPO) provider that supports Crunchyroll’s customer operations.
The employee is said to have executed malware, granting the attacker initial access to the corporate environment.
From this foothold, the threat actor reportedly conducted lateral movement, eventually gaining access to internal systems, including customer support and ticketing infrastructure.
This method of intrusion reflects a broader and increasingly exploited attack vector targeting third-party service providers.
Notably, the incident aligns with claims surrounding a wider Telus Digital breach disclosed on the same date, where attackers alleged access to multiple organizations leveraging Telus for customer support, AI data processing, and content moderation services.
Because BPO providers often maintain privileged access to authentication workflows and billing systems, they represent high-value targets capable of enabling large-scale supply chain compromises.
Cyber Digest reports that it reviewed a sample of the stolen data, which includes several categories of personally identifiable information (PII).
The exposed dataset allegedly contains IP addresses, email addresses, credit card information, and customer analytics data tied to user behavior.
If verified, this combination of data significantly increases the risk of identity theft, financial fraud, and highly targeted phishing campaigns against Crunchyroll users.
The threat actor claims that the entire 100 GB dataset was extracted from Crunchyroll’s customer analytics environment and associated ticketing systems within a limited timeframe.
Access to the environment was reportedly detected and revoked by Crunchyroll within approximately 24 hours.
Despite the short dwell time, the scale of exfiltration suggests a well-prepared operation, likely involving automated data collection and rapid staging techniques to maximize data theft before containment.
Another point of concern is the alleged lack of communication from Crunchyroll following the incident.
The threat actor claims that attempts to contact the company have been ignored, and no formal disclosure has been made to users who may be affected.
This silence may attract regulatory scrutiny, especially in jurisdictions with strict data breach notification requirements.
The timing of the incident adds further complexity. Earlier in 2026, Crunchyroll faced a class-action lawsuit over allegations that it shared user viewing data with third-party marketing platforms without proper consent.
A new breach involving sensitive user data could intensify legal and reputational challenges for the company.
As of now, Crunchyroll has not responded to requests for comment. Security experts advise users to remain vigilant, monitor financial accounts, and be cautious of phishing attempts leveraging Crunchyroll-related themes.
Cyber Security News will continue to monitor developments as more information emerges about this incident and its broader implications for third-party risk management in cloud-driven service ecosystems.
Follow us on Google News , LinkedIn and X to Get More Instant Updates. Set Cyberpress as a Preferred Source in Google
