Apparently there has been a data breach at Crunchyroll.
100 GB of Personal Data from users including Credit Cards, Email Addresses, IP’s, passwords & more… Are in possession of hackers.
I couldn’t find anything on their channel or their news website at this time.
edit 1:
What Data Was Stolen? A 100GB Treasure Trove
Initial samples provided by the threat actors suggest a wide-reaching compromise. The 100 GB haul is not just a collection of names and email addresses; it is a deep dive into a customer’s streaming habit, personal information and financial data.
1. Personally Identifiable Information (PII)
The most immediate risk to users comes from the exposure of:
Full Names and Email Addresses: Perfect fuel for future, more targeted phishing campaigns. IP Addresses: Which can be used to approximate user locations and track digital footprints. Account History: Details on subscription tiers and account age.
2. The Financial Risk: Credit Card Details
Perhaps the most alarming claim is the theft of credit card information. While modern systems typically “mask” credit card numbers (showing only the last four digits), the ticketing system often contains unencrypted logs or “receipt” snapshots that may have been swept up in the exfiltration. If full card details were present in support tickets (where users occasionally send screenshots to resolve billing issues), the risk of financial fraud is extreme.
3. Customer Analytics & Support Tickets
By gaining access to the ticketing system, the attacker has access to every conversation users have had with Crunchyroll support. This includes:
Personal complaints. Billing disputes. Verification documents (if any were uploaded).
Still no word from Crunchy itself.
edit 2:
Just a bit more tidbits, but still no news from Crunchy itself (emphasis mine).
The threat actor stated that Crunchyroll detected and revoked their access approximately 24 hours after the initial breach on March 12, 2026. Despite the relatively short access window, the volume of data exfiltrated suggests the attacker had pre-planned the operation and moved quickly once inside.
Perhaps more alarmingly, the threat actor told Cyber Digest that Crunchyroll has continued to ignore all communications regarding the incident and has made no public disclosure to affected customers.
This silence is particularly concerning given that Crunchyroll was already subject to a class-action lawsuit in early 2026 over alleged unauthorized sharing of user viewing data with third-party marketing platforms.
Crunchyroll has not responded to requests for comment at the time of publication. Cyber Security News will continue monitoring this developing story.
edit 3:
In a statement to GamesRadar+, a Crunchyroll spokesperson said, “We are aware of recent claims and are currently working closely with leading cybersecurity experts to investigate the matter.”
So, let me get this straight. They are aware, yet here I am checking my inbox and not seeing a warning about a (potential) breach.
Nah man. If you considered Crunchyroll “good” before this breach you still have so much to live for since literally everything must be great ;)