The Crunchyroll 100GB Data Breach allegation first appeared on social media on March 22, 2026, when a cybersecurity account on X stated that a Telus Digital employee had executed malware, granting a threat actor access to Crunchyroll’s ticketing system and enabling the exfiltration of emails, IP addresses, and credit‑card details. A subsequent Reddit discussion noted that the breach originated at Telus Digital rather than Crunchyroll’s own infrastructure, but acknowledged that Crunchyroll was affected. LinkedIn posts from security firms echoed the claim, specifying that the data volume reached roughly 100 GB and included subscriber analytics.
Allegations and Source Details
Reports indicate that the threat actor accessed Crunchyroll’s environment on March 12, 2026, and remained inside for about 24 hours before the intrusion was detected. The actor allegedly attempted to contact Crunchyroll directly but received no response, and the company has not publicly acknowledged the incident. A post on X from @The_Cyber_News asserted that approximately 100 GB of personally identifiable information (PII) was stolen from the Sony‑owned platform. Similar claims appeared on Instagram, Facebook, and TikTok, all citing the same March 12 date and the involvement of a Telus employee.
Data Compromised
According to the cybersecurity sources, the exposed data set includes IP addresses, email addresses, and credit‑card information of Crunchyroll subscribers. The breach reportedly involved the ticketing system where user support queries and related metadata are stored. No official statement from Crunchyroll has confirmed the exact categories of data that were accessed, leaving the scope of the leak unverified.
Timeline and Company Response
The alleged breach began on March 12, 2026, when malware executed on a Telus Digital employee’s system provided a foothold for the threat actor. Crunchyroll’s internal security teams reportedly detected the unauthorized access within 24 hours and blocked the actor’s entry point. Despite this detection, the company has not issued a press release, blog post, or notification to users regarding the incident. Security analysts note that the lack of public communication does not automatically invalidate the claims, but it does prevent independent verification of the breach’s scale and impact.
User Precautions
Cybersecurity experts recommend that Crunchyroll users take immediate protective steps regardless of the breach’s confirmation status. Users should change their Crunchyroll passwords and ensure that the new password is not reused on other services. Enabling two‑factor authentication through a trusted authenticator app adds an extra layer of security to the account. Monitoring bank statements and credit‑card activity for unauthorized transactions is also advised, given the potential exposure of payment details. Utilising a service such as Have I Been Pwned can help users determine whether their email address appears in known data leaks.
Expert Opinions
Analysts from Secure Network Solutions India Private Limited characterised the incident as a significant data theft involving 100 GB of subscriber data via a compromised outsourcing partner. Beebom’s cybersecurity desk noted that while the claims remain unverified by Crunchyroll, the technical details provided by the threat actor appear credible and warrant user vigilance. The Reddit thread r/news highlighted the importance of distinguishing between a breach at Telus Digital and a direct Crunchyroll intrusion, yet recognised that any compromise of the outsourcing partner’s system poses a risk to Crunchyroll’s data.
