Data Breach · Class Action 2026 · Streaming Industry
Crunchyroll Exposed 6.8 Million Users’ Private Data in March 2026 Breach
Sony’s anime streaming giant left millions of paying subscribers vulnerable through negligent vendor oversight, then underplayed the scope of the disaster when it came to light.
🏭 Entertainment / Streaming · 📋 Class Action Lawsuit · 📅 March 2026
Critical Severity
TL;DR
Crunchyroll, the Sony-owned anime streaming platform with millions of paying subscribers, allowed a hacker to steal 8 million support ticket records and approximately 6.8 million unique email addresses, along with IP addresses, usernames, and partial payment details. The breach happened through a third-party outsourcing vendor called Telus, whose employee’s workstation was infected with malware, granting a criminal 24 hours of undetected access to Crunchyroll’s systems. The company knew it was responsible for protecting this data, knew the risks of using outsourced vendors with weaker security, and still failed to monitor, audit, or enforce adequate protections. When the breach became public on March 22, 2026, Crunchyroll issued a statement that deliberately downplayed the scale and avoided explaining what actually happened.
Millions of fans trusted Crunchyroll with their personal information. That trust was betrayed. Demand better security standards, and hold corporations accountable when they treat your data as disposable.
📊 Key Numbers
6.8M: Unique email addresses stolen
8M: Support ticket records downloaded
100GB: Estimated total data exfiltrated
24 Hrs: Time hacker had undetected access
10 Days: Delay before public statement
$5M+: Minimum controversy threshold (CAFA)
📋 The Breakdown
⚠️ Core Allegations
What Crunchyroll did — 7 points
01
A hacker used malware on a Telus employee workstation to access Crunchyroll’s corporate environment, including its customer support and ticketing infrastructure, on March 12, 2026.
high
02
The hacker maintained undetected access for approximately 24 hours and downloaded 8 million support ticket records from Crunchyroll’s Zendesk system, containing roughly 6.8 million unique email addresses.
high
03
Stolen data reportedly includes full names, usernames, email addresses, IP addresses, approximate location data, support ticket text, and partial payment card details (such as last four digits and expiration dates) shared voluntarily in tickets.
high
04
The total stolen dataset is estimated at approximately 100GB, with samples posted on criminal forums the same day the breach was discovered publicly.
high
05
Crunchyroll failed to adopt, implement, and maintain adequate security measures to safeguard subscriber data and failed to audit, monitor, or ensure the integrity of its vendor Telus’s data security practices.
high
06
Crunchyroll failed to meet minimum standards required by the NIST Cybersecurity Framework Version 1.1 and the Center for Internet Security’s Critical Security Controls, both established industry standards.
high
07
Despite the breach occurring on March 12, 2026, Crunchyroll did not release any public statement acknowledging it was investigating the matter until March 23, 2026, a full 11 days later.
high
🏛️ Regulatory Failures
How oversight broke down — 5 points
01
Crunchyroll violated Section 5 of the Federal Trade Commission Act by failing to use reasonable measures to protect personal information, constituting an unfair practice in commerce.
high
02
Crunchyroll violated California Civil Code Section 1798.81.5, which requires businesses to implement and maintain reasonable security procedures for California residents’ personal information.
high
03
Crunchyroll violated California’s Unfair Competition Law by engaging in unlawful, unfair, and deceptive business practices related to data security and consumer privacy.
high
04
The FTC’s own guidelines, updated in 2016, require businesses to verify that third-party service providers have implemented reasonable security measures. Crunchyroll failed to enforce this with Telus.
med
05
California law requires companies contracting with nonaffiliated third parties to mandate by contract that those parties maintain reasonable security. Crunchyroll failed to enforce or verify this obligation with Telus.
high
⚖️ Corporate Accountability Failures
How Crunchyroll responded — 5 points
01
When Crunchyroll finally issued a statement about the breach, it deliberately underplayed the severity and obscured the nature of what happened, according to the lawsuit.
high
02
Crunchyroll failed to explain which security weakness was exploited, what exact data was compromised for each affected individual, who perpetrated the breach, or the full extent of the compromise.
high
03
Crunchyroll failed to provide timely notification to subscribers, depriving them of the earliest opportunity to take protective action against identity theft and fraud.
high
04
Crunchyroll retained subscribers’ personal information, including former subscribers’ data, without implementing security protections proportionate to the sensitivity of that data.
med
05
Crunchyroll failed to remove the personal information of former subscribers once the business relationship ended, keeping unnecessary data exposed to breach risk.
med
📉 Economic Fallout
Financial harm to subscribers — 5 points
01
The average cost per consumer of a data breach was $150 per record as of 2019 estimates, and identity theft costs victims a median of $375 out of pocket, with millions of Crunchyroll users now at elevated risk.
high
02
Subscribers paid for a service that included an implicit promise of data security. Because that security was inadequate, they received a service of lesser value than what they paid for, constituting a loss of benefit of the bargain.
high
03
Stolen personal information is actively sold on the dark web, where criminals monetize the data by facilitating identity theft, account takeover, and fraud affecting the real financial lives of victims.
high
04
Victims must spend significant time and money correcting fraudulent information in credit reports, closing compromised accounts, opening new ones, and disputing charges with creditors, costs entirely caused by Crunchyroll’s negligence.
med
05
Stolen data may sit dormant for a year or more before criminals use it, meaning subscribers face ongoing financial risk for years without any compensation or meaningful remediation from Crunchyroll.
high
🔒 Personal Safety Risks
Ongoing harm to affected users — 4 points
01
With access to subscribers’ personal information, criminals can obtain fraudulent identification, secure employment, rent property, receive medical services, or even generate arrest warrants in a victim’s name.
high
02
Subscribers now face anxiety, emotional distress, and loss of privacy as their personal information circulates among criminals, with no certainty about how it will be used or when.
high
03
IP address and location data included in the breach could enable criminals to physically locate and target specific individuals, posing direct personal safety risks beyond financial harm.
high
04
Partial payment card information included in leaked support tickets, even without full card numbers, provides criminals with useful data points to facilitate fraud through social engineering attacks on banks and financial institutions.
med
💰 Profit Over People
Cost-cutting at subscribers’ expense — 4 points
01
Crunchyroll outsourced customer support to Telus, a business process outsourcing company, specifically to reduce operating costs. This cost-cutting decision directly created the security vulnerability that enabled the breach.
high
02
Business process outsourcing providers are well-known targets for hackers because they handle sensitive client data without the same security infrastructure as the companies they serve. Crunchyroll accepted this risk and passed the consequences to subscribers.
high
03
Crunchyroll derived substantial economic benefit from subscribers’ personal information, using it to operate and grow its business, while investing inadequately in the security measures needed to protect that information.
med
04
Subscribers paid monthly subscription fees with a reasonable expectation that part of those fees would fund adequate data security. Crunchyroll accepted that money while failing to meet that basic obligation.
med
🕐 Timeline of Events
March 12, 2026
Hacker contacts BleepingComputer, claiming the breach was executed at 9:00 PM ET. Malware is deployed on a Telus employee workstation, granting access to Crunchyroll’s customer support environment.
March 12-13, 2026
Hacker maintains undetected access for approximately 24 hours, downloading 8 million support ticket records from Crunchyroll’s Zendesk system.
March 22, 2026
International Cyber Digest posts on X revealing the breach. SOCRadar notes a criminal forum posting titled “Crunchyroll email and IP” with obscured data samples consistent with the breach claims. Breach is made public.
March 23, 2026
Crunchyroll releases a statement acknowledging it is investigating the matter, 11 days after the breach and one day after public disclosure. Hackers claim the stolen dataset totals approximately 100GB containing 6.8 million unique email addresses.
March 24, 2026
Bursor and Fisher, P.A. files a class action lawsuit in the U.S. District Court for the Northern District of California on behalf of plaintiff Max Agress and all similarly situated Crunchyroll subscribers nationwide.
💬 Direct Quotes from the Legal Record
QUOTE 1 · The mechanism of the breach · Core Allegations
“An employee of their outsourcing partner Telus had executed malware on his system, which gave a threat actor access to Crunchyroll’s environment.”
💡 This confirms the breach entered through a third-party vendor Crunchyroll chose and was responsible for overseeing.
QUOTE 2 · Scope of data compromised · Core Allegations
“Screenshots shared with reporters and researchers allegedly show full names, usernames, email addresses, IP addresses, approximate location data, and the text of user support exchanges.”
💡 The breach captured not just account credentials but the full content of private support conversations between users and the company.
QUOTE 3 · Crunchyroll’s own privacy promise · Corporate Accountability Failures
“[Crunchyroll] takes reasonable measures to protect Personal Information we collect from loss, theft, misuse and unauthorized access, disclosure, alteration, and destruction.”
💡 This is Crunchyroll’s own published privacy policy. The breach demonstrates this promise was not kept in practice.
“When Defendant released a statement relating to the Data Breach, it deliberately underplayed the Breach’s severity and obfuscated the nature of the Breach.”
💡 The lawsuit alleges Crunchyroll’s public response was designed to minimize perceived responsibility, not to inform or protect users.
QUOTE 5 · Why outsourced vendors are dangerous · Profit Over People
“Business process outsourcing providers are often targets for hackers because they handle and store large amounts of sensitive client information and may not have the same level of security as the companies they work for.”
💡 Crunchyroll accepted this known, documented risk and passed the consequences on to its subscribers.
QUOTE 6 · How long stolen data remains dangerous · Economic Fallout
“[S]tolen data may be held for up to a year or more before being used to commit identity theft,” and “fraudulent use of [stolen information] may continue for years.”
💡 Victims of the Crunchyroll breach face years of ongoing risk, not a temporary inconvenience.
“Defendant’s use of business process outsourcing providers which are frequently targeted by hackers, and its failure to maintain adequate security measures and an up-to-date technology security strategy, demonstrates a willful and conscious disregard for privacy.”
💡 The lawsuit characterizes Crunchyroll’s failures not as mistakes but as a deliberate pattern of prioritizing cost over user safety.
💬 Commentary
❓ How serious is this breach really?
This breach is extremely serious. Approximately 6.8 million unique email addresses were stolen, along with IP addresses, usernames, location data, and the private text of customer support conversations. That last category is particularly alarming. Support tickets often contain sensitive context, including partial payment details, account history, and personal circumstances that users shared expecting privacy. An estimated 100GB of data was taken in total. This is not a minor incident involving hashed passwords that might never be cracked. This is a comprehensive dump of real, usable, identifying information about millions of people who did nothing wrong except pay for anime.
❓ Why is Crunchyroll being sued if the hacker was at a third-party vendor?
Because Crunchyroll chose to use Telus as a vendor, chose to give Telus access to millions of subscribers’ data, and was legally and contractually responsible for ensuring Telus maintained adequate security. California law specifically requires companies to mandate by contract that their third-party vendors protect consumer data. Federal law requires companies to verify that service providers have reasonable security measures in place. Crunchyroll failed both. Outsourcing a function does not outsource accountability. When a company profits from your data and then hands that data to a cheaper vendor without verifying the vendor can protect it, the company bears responsibility for what happens next.
❓ What could Crunchyroll have done to prevent this?
The lawsuit lists specific, well-established practices Crunchyroll failed to implement. These include malware detection software on vendor systems, multi-factor authentication, network monitoring for large data transfers, intrusion detection systems, and contractual security requirements for Telus. The hacker was inside Crunchyroll’s systems for 24 hours and downloaded 8 million records. A basic data loss prevention system, which flags unusually large transfers and triggers alerts, could have caught this in minutes. These are not exotic, expensive, cutting-edge tools. They are industry-standard requirements. Crunchyroll chose not to implement them rigorously, and millions of users are now paying the price.
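The transfer-volume alerting described above, sketched as an added example (not taken from the lawsuit or from any Crunchyroll or Telus system): a sliding-window detector that flags an account whose ticket reads exceed an assumed per-agent ceiling. The log format, account names, threshold and sample lines are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)
MAX_TICKETS_PER_WINDOW = 200  # assumed ceiling for one human agent; tune from baseline

# Constructed audit lines: "<ISO time> <account> <action> <ticket count>".
# vendor_b's evening rate (~5,500/min) is roughly 8 million records spread over 24 hours.
SAMPLE_LOG = """\
2026-01-01T09:00:00 agent_a ticket_read 4
2026-01-01T09:01:00 vendor_b ticket_read 3
2026-01-01T09:05:00 agent_a ticket_read 6
2026-01-01T09:06:00 agent_a login 0
2026-01-01T21:00:00 vendor_b ticket_read 150
2026-01-01T21:01:00 vendor_b ticket_read 5500
2026-01-01T21:02:00 vendor_b ticket_read 5500
""".splitlines()


def parse(line):
    """Split one constructed audit line into (time, account, action, count)."""
    ts, account, action, count = line.split()
    return datetime.fromisoformat(ts), account, action, int(count)


def detect_bulk_reads(lines, window=WINDOW, limit=MAX_TICKETS_PER_WINDOW):
    """Return [(account, alert_time, tickets_in_window)], first alert per account.

    Lines must be in time order. Each account keeps a queue of recent reads;
    entries older than `window` are dropped before the total is compared.
    """
    recent = defaultdict(deque)   # account -> deque of (time, count)
    totals = defaultdict(int)     # account -> tickets read inside the window
    alerts = {}
    for line in lines:
        ts, account, action, count = parse(line)
        if action != "ticket_read":
            continue
        queue = recent[account]
        queue.append((ts, count))
        totals[account] += count
        while queue and ts - queue[0][0] > window:
            totals[account] -= queue.popleft()[1]
        if totals[account] > limit and account not in alerts:
            alerts[account] = (ts, totals[account])
    return [(acct, when, n) for acct, (when, n) in alerts.items()]


if __name__ == "__main__":
    for acct, when, n in detect_bulk_reads(SAMPLE_LOG):
        print(f"ALERT {acct}: {n} tickets read within {WINDOW} ending {when}")
```

On the constructed data the alert fires one minute after the bulk read begins, while the normal daytime activity of both accounts stays below the ceiling.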
❓ Why did it take Crunchyroll so long to say anything?
The breach happened March 12. The public found out March 22, when independent cybersecurity researchers and journalists broke the story. Crunchyroll issued a statement acknowledging it was investigating on March 23, only after the story was already spreading. The company did not get ahead of this. It did not prioritize notifying the 6.8 million people whose data was stolen. It waited until it had no choice but to respond. This delay is not just a PR failure. It is a legal failure. California law and FTC guidelines both require timely notification of data breaches so that affected individuals can take protective action. Every day Crunchyroll stayed silent was another day its subscribers could not freeze their credit, change their passwords, or contact their banks.
❓ What are the real-world consequences for affected users?
The consequences are real and lasting. Stolen email addresses enable phishing attacks. Stolen IP addresses and location data enable criminals to identify and potentially target individuals. The text of support ticket conversations could expose personal circumstances that users shared in confidence. Partial payment details make social engineering attacks against banks easier. Combined, these data points allow sophisticated criminals to build a detailed profile of a victim. The GAO found that stolen data is sometimes held for more than a year before being weaponized, meaning the risk does not pass quickly. Many subscribers will spend hours monitoring their credit, changing passwords, and worrying about what criminals might do with their information. That time and stress have real value, and Crunchyroll caused all of it.
❓ Does this connect to broader patterns of corporate misconduct?
Absolutely. This breach is not an anomaly. It reflects a systematic pattern in which corporations collect and monetize consumers’ personal data, treat security as a cost center to be minimized rather than a core obligation, and outsource risk to cheaper third-party vendors while retaining the profits. The FTC and courts have pursued enforcement actions against multiple companies for exactly this behavior. Data breaches increased from 783 in 2014 to 3,800 in 2019. The harm to individuals is well documented. Companies like Crunchyroll are aware of these risks, aware of the legal standards, and still choose to underinvest in security. That is not negligence in the colloquial sense. The lawsuit calls it willful and conscious disregard for privacy, and that characterization is well supported by the facts.
❓ What can I do to prevent this from happening again?
Several things actually matter here. First, immediately change your Crunchyroll password and the password on any other accounts where you used the same email and password combination. Place a free credit freeze with all three major credit bureaus (Equifax, Experian, TransUnion), which costs nothing and prevents new credit lines from being opened in your name. Enable multi-factor authentication on your email account and any financial accounts. Sign up for free breach monitoring through services like Have I Been Pwned. Beyond personal steps: support the class action lawsuit by following its progress, contact your federal and state representatives to demand stronger data protection laws with real penalties, and consider whether you want to continue giving your data to companies that have demonstrated they will not protect it. Corporate accountability only improves when there are genuine financial consequences for failure.
I have 6+ years of experience as an independent researcher covering corporate misconduct, sourced from legal documents, regulatory filings, and professional legal databases.
My background includes a Supply Chain Management degree from Michigan State University's Eli Broad College of Business, and years working inside the industries I now cover.
Every post on this site was either written or personally reviewed and edited by me before publication.