The Sony-owned anime streaming service Crunchyroll has reportedly experienced a major data breach involving the theft of nearly 100GB of sensitive user information on March 12, 2026. While the company has yet to officially confirm the incident, the leak is believed to have originated from a malware infection on a third-party employee's system at the outsourcing firm Telus.

Reports indicate that the security failure began when a compromised account at Telus, a business process service provider, gave threat actors a foothold into internal systems. By executing malware on an employee’s computer, the attackers were able to bypass initial security layers and move laterally through various platforms linked to Crunchyroll’s daily operations. This access reportedly included critical infrastructure used for customer support and internal ticketing tools.

The scale of the data extraction is significant, with nearly 100GB of data allegedly being pulled from the company’s environment. This information is said to contain a wide range of sensitive details regarding the platform's user base. Because the breach involved interconnected systems, the scope of the exposure may extend beyond simple login credentials to include more detailed interaction logs and support history.

Despite the specific details regarding the date of the attack and the method of entry, Crunchyroll has not yet released a public statement verifying the claims. The silence from the streaming giant has left many subscribers concerned about the safety of their personal data and the potential for secondary attacks, such as phishing or identity theft. Investigations into the matter are likely ongoing as cybersecurity experts track the movement of the stolen files.

This incident highlights the growing risks associated with third-party outsourcing and the vulnerabilities that can arise when partner systems are not as strictly guarded as primary servers. If the reports are accurate, the breach demonstrates how a single infected workstation at a service provider can compromise the data of millions of users on a global platform. The reliance on external partners for customer service creates a broad attack surface that remains a top target for modern hackers.

As the situation develops, users are being encouraged to monitor their accounts for suspicious activity and update their security credentials where possible. Until an official confirmation or denial is provided by Sony or Crunchyroll, the full extent of the damage remains speculative. However, the level of detail provided in the initial reports suggests a serious lapse in the security chain between the primary company and its contractors.

Source: https://www.digit.in/news/general/crunchyroll-data-breach-hackers-claim-100gb-of-user-data-stolen-via-third-party-access.html