Anime fans' credit cards might be stolen from Sony streamer Crunchyroll

Published: 23 March 2026
Last updated: 23 March 2026
credit cards stolen from crunchyroll

Sony’s anime streaming giant, Crunchyroll, had data stolen after hackers targeted the company's third-party provider.

Key takeaways:
  • A threat actor linked to the ShinyHunters group allegedly breached Crunchyroll via a compromised employee at third-party provider Telus, exfiltrating around 100GB of data from Crunchyroll’s analytics and support systems.
  • The stolen data reportedly includes highly sensitive information such as IP and email addresses, credit card details, and customer analytics data containing PII, creating heightened risks of financial fraud, identity theft, and targeted social engineering for affected users.
  • The intrusion allegedly began when a Telus employee executed malware, allowing lateral movement into Crunchyroll’s internal systems.
  • Although access was reportedly detected and revoked within 24 hours, the attackers still claim to have transferred a large volume of data.
  • ShinyHunters has been active since 2020 and is associated with numerous high‑profile breaches, including Odido, Aura, and Bumble.

The Sony-owned anime streaming service Crunchyroll has allegedly been hacked. A threat actor has allegedly exfiltrated around 100GB of user data from the streamer.

ADVERTISEMENT

Attackers contacted a cybersecurity newsletter, Cyber Digest, and claimed they had gained access to Crunchyroll’s data through a compromised employee at its Vancouver-based business-process outsourcing partner, Telus.

Telus acknowledged a data security incident last week in which an unauthorized party accessed a “limited number” of its systems. The company said it is investigating the issue, adding there is “no evidence” of disruption to customer connectivity or services.

Reportedly, the ShinyHunters gang took credit for the Telus Digital attack, claiming to have stolen 700 terabytes of ​internal data.

The security breach allegations come shortly after Crunchyroll faced a class-action lawsuit for sharing users' viewing habits with third-party marketing firms without consent.

What Crunchyroll data has been stolen?

The alleged breach occurred on March 12th, 2026, and has not been publicly confirmed by Crunchyroll at the time of publication.

According to information shared with Cyber Digest, the attacker breached systems when a Telus employee executed malware on their workstation. This reportedly allowed the attacker to establish initial access and move laterally into Crunchyroll’s internal systems.

ADVERTISEMENT

The attacker claims the data was extracted from Crunchyroll’s analytics systems and support tools, and among the stolen data are:

  • IP addresses
  • Email addresses
  • Credit card details
  • Customer analytics data (PII)

While there is no confirmation from the company, it is hard to evaluate the scope of the breach.

“If the breach is confirmed to be legitimate, the data exposure increases the risks of financial fraud, identity theft, and social engineering attacks for the affected individuals,” the Cybernews research team explained.

The threat actor stated that Crunchyroll quickly detected the access and revoked it within 24 hours. However, the volume of data allegedly stolen suggests the operation was well planned, and the short time window was enough to exfiltrate information.

Who are ShinyHunters?

Active since 2020, ShinyHunters has been linked to a string of high-profile hacks targeting ​major companies around the world.

It has recently caused chaos after breaching the Dutch telecom provider Odido. A compromise of its customer relationship management system left nearly 7 million customers exposed, which is nearly a third of the country's population. After negotiations failed, the attackers leaked the stolen data online.

Starting this year, ShinyHunters reportedly ran an active voice phishing campaign to steal single sign-on (SSO) credentials for Okta, Microsoft, and Google accounts.

Last week, the gang targeted the identity protection firm Aura with a phishing attack and extracted 900,000 user records.

ADVERTISEMENT

The gang has also claimed breaches at Bumble, Match Group (which operates Hinge, Match, and OkCupid), and Panera Bread.

Unlock more exclusive Cybernews content on YouTube.

Share
Post
Share
Share
Share
More from Cybernews
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked