Apparently there has been a data breach at Crunchyroll.
100 GB of Personal Data from users including Credit Cards, Email Addresses, IP’s, passwords & more… Are in possession of hackers.
I couldn’t find anything on their channel or their news website at this time.
edit 1:
What Data Was Stolen? A 100GB Treasure Trove
Initial samples provided by the threat actors suggest a wide-reaching compromise. The 100 GB haul is not just a collection of names and email addresses; it is a deep dive into a customer’s streaming habit, personal information and financial data.
1. Personally Identifiable Information (PII)
The most immediate risk to users comes from the exposure of:
Full Names and Email Addresses: Perfect fuel for future, more targeted phishing campaigns. IP Addresses: Which can be used to approximate user locations and track digital footprints. Account History: Details on subscription tiers and account age.
2. The Financial Risk: Credit Card Details
Perhaps the most alarming claim is the theft of credit card information. While modern systems typically “mask” credit card numbers (showing only the last four digits), the ticketing system often contains unencrypted logs or “receipt” snapshots that may have been swept up in the exfiltration. If full card details were present in support tickets (where users occasionally send screenshots to resolve billing issues), the risk of financial fraud is extreme.
3. Customer Analytics & Support Tickets
By gaining access to the ticketing system, the attacker has access to every conversation users have had with Crunchyroll support. This includes:
Personal complaints. Billing disputes. Verification documents (if any were uploaded).
Still no word from Crunchy itself.
edit 2:
Just a bit more tidbits, but still no news from Crunchy itself (emphasis mine).
The threat actor stated that Crunchyroll detected and revoked their access approximately 24 hours after the initial breach on March 12, 2026. Despite the relatively short access window, the volume of data exfiltrated suggests the attacker had pre-planned the operation and moved quickly once inside.
Perhaps more alarmingly, the threat actor told Cyber Digest that Crunchyroll has continued to ignore all communications regarding the incident and has made no public disclosure to affected customers.
This silence is particularly concerning given that Crunchyroll was already subject to a class-action lawsuit in early 2026 over alleged unauthorized sharing of user viewing data with third-party marketing platforms.
Crunchyroll has not responded to requests for comment at the time of publication. Cyber Security News will continue monitoring this developing story.
Changed my account password and cancelled my subscription.
In their exit survey, I told them the reason I am cancelling is because “your ‘business’ is a massive cyber security liability, and I do not plan to return unless you give my account the most premium tier eubscription for free, forever.”
So its back to the seas for me. I tried being a good person and doing it legally, but if that comes with the massive caveat that my data is going to be harvested/stolen multiple time, then I would rather pirate. At least if my data gets stolen from malware, I didnt pay for it.
Never been a better time to return to the seas, friend!
I mean, I never really left, but its like, how can businesses honestly expect customers to buy their product when the objectively better (and safer in this case) experience is to just pirate the content?
I would like to remind everyone that Crunchyroll is owned by Sony, which has done a generally terrible job at preventing and managing data breaches for decades now
What’s new
Cool, time to update my password. Everything else is aliased thankfully
iirc, ↓ like ᚦ 4× occ…
🙅♀️📉📖
⇩
