Mar 25, 2026
One Employee Clicked the Wrong Thing—Now 6.8 Million Crunchyroll Users' Data Is Gone
Sony-owned anime streaming platform Crunchyroll confirmed a data breach after hackers exfiltrated roughly 100GB of data by compromising a single employee at its outsourcing partner TELUS Digital. The breach exposed customer analytics, IP addresses, email addresses, and potentially credit card details.
How It Happened
The attack began when a threat actor social-engineered an employee at TELUS Digital, Crunchyroll's business process outsourcing partner. The employee was tricked into executing malware on their workstation, giving the attacker a foothold inside TELUS's network.
From there, the attacker moved laterally into Crunchyroll's internal environment, reaching customer-facing systems including the company's ticketing infrastructure. The intrusion occurred on March 12, 2026, and Crunchyroll says it was contained within 24 hours. But in that window, approximately 100GB of data was exfiltrated.
This is the same pattern that hit TELUS Digital weeks earlier. ShinyHunters stole 1 petabyte from TELUS Digital using credentials from a completely different breach. TELUS's outsourcing employees have now been the entry point for two major data thefts in a single month.
What Was Stolen
The hackers claimed to have obtained personal information for approximately 6.8 million users. The compromised data reportedly includes:
- Customer email addresses
- IP addresses and approximate location data
- Credit card details (extent unclear)
- Customer service ticket contents, including private communications with support staff
- Analytics data showing viewing habits and account activity
Crunchyroll's official statement was more measured, saying the compromised information is "primarily limited to customer service ticket data." The company has not confirmed whether payment information was included, and its investigation is ongoing.
The Third-Party Problem
Crunchyroll did not get hacked directly. Its outsourcing partner did. This is becoming the dominant pattern in major data breaches. The company that holds your data might have strong security, but the contractor that handles customer support, analytics, or payment processing might not.
TELUS Digital processes customer data for hundreds of companies. A single compromised employee at TELUS does not just affect one client. It creates a chain reaction across every company whose data flows through that vendor. This is exactly what happened when a Zendesk-connected contractor exposed 38 million Europeans' data earlier this year.
What Crunchyroll Users Should Do
If you have a Crunchyroll account, take these steps now:
- Change your password. If you use the same password anywhere else, change it there too.
- Enable two-factor authentication if Crunchyroll offers it.
- Watch for phishing emails. Attackers who have your email address and know you use Crunchyroll will send targeted phishing messages disguised as account security alerts or subscription notifications.
- Monitor your credit card statements for unauthorized charges, especially small test transactions that precede larger fraud.
- Be skeptical of support emails. Now that customer service ticket data is in attacker hands, phishing emails could reference real conversations you had with Crunchyroll support.
Your Data Is Only as Safe as the Weakest Vendor
Every company you give your email address to extends your attack surface. Your data does not just live on that company's servers. It flows through customer support platforms, analytics tools, payment processors, and outsourcing partners, each of which is a potential point of failure.
You cannot control how Crunchyroll or its vendors handle your data after you hand it over. But you can limit what you share in the first place. Use unique email aliases for different services, avoid storing payment information on accounts you use infrequently, and treat every account as potentially compromised.