Crunchyroll's data breach is 'limited to customer service ticket data,' representatives say


Published Mar 24, 2026, 5:14 AM EDT

The anime streaming platform says that the information hacked is limited

[Image: Graphic illustration with blue circular patterns and the Crunchyroll logo. Illustration: James Bareham/Polygon]


On March 23, reports emerged online about a significant data breach affecting Crunchyroll, the leading anime streaming platform. The information was first shared by International Cyber Digest on X and by BleepingComputer. The latter was allegedly contacted by the hacker responsible for the breach, who claimed to have breached Crunchyroll on March 12 through malware that infected the computer of an employee of an outsourcing company who has access to Crunchyroll support tickets. The threat actors claimed to have used the malware to infect the agent's computer and gain access to their credentials. The hacker claims to have downloaded eight million support ticket records, which included almost seven million unique email addresses.

Polygon reached out to Crunchyroll representatives on March 23. A spokesperson shared the following statement: "We are aware of recent claims and are currently working closely with leading cybersecurity experts to investigate the matter."

On March 24, Crunchyroll shared a further statement and update on the incident:

"Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely."

While the first part of the statement confirms the claims made by the hacker, Crunchyroll's reassurance that it has not identified evidence of ongoing access to systems should comfort its users a bit. This also confirms BleepingComputer's assessment that the support tickets shown by the hacker only contain general information such as users' names, login names, email addresses, IP addresses, general geographic locations, and the contents of the support tickets. Moreover, "while other reports on the incident claim that credit card information was exposed, BleepingComputer has confirmed that credit card details were exposed only when the customer shared them in the support ticket. For the most part, this included only basic information, such as the last four digits or expiration dates, and only a few contained full card numbers, according to the threat actor."
