Crunchyroll data breach: what happened and what risks are there for users

The popular platform anime streaming CrunchyrollSony-owned company is at the center of controversy after a alleged cyberattack that would have exposed sensitive customer informationVarious media outlets and cybersecurity analysts point to a massive data leak If confirmed, this would affect users in virtually every country where the service operates, including Spain and the rest of Europe.

What is known so far comes from research from specialized newsletters such as International Cyber ​​Digest, Cyber ​​Digest, Hackmanac, and Thecybersecguru, as well as messages from the threat actor himself on social media and forums. They all point to the same scenario: Someone has reportedly managed to obtain approximately 100 GB of information linked to Crunchyroll accounts., with contact information, technical details and references to payment methods.

A supply chain attack: the weak link, an external supplier

The evidence suggests that the attackers did not enter directly through Crunchyroll's main servers, but rather through a external service provider, Telus Digital, a Vancouver-based outsourcing company with a strong operational presence in India. This type of incident is known as a "supply chain attack": instead of hitting the primary target, a partner with privileged access is compromised.

According to published reports, the incident allegedly took place on March 12when a Telus employee inadvertently ran malicious software on their computer. Some versions detail that the starting point was a campaign of phishing that installed infostealer-type malwarecapable of stealing credentials and other sensitive information from the compromised workstation.

With that software now operational, the attacker was able to obtain Okta login credentialsThe identity management platform used in the corporate environment. These keys would have opened the door to internal systems related to customer service and the administration panels that support Crunchyroll, allowing intruders to move laterally through the network and reach the tools where user data is stored and processed.

What volume of data was leaked and what type of information does it include?

The figure that is repeated in all sources is the same: the threat actor claims to have extracted from the systems some 100 GB of confidential data related to Crunchyroll accounts. Cyber ​​Digest and other publications say they reviewed a sample of the files, which would have allowed them to confirm the presence of various types of personal and technical information linked to subscribers.

That material would include, among other things, email addresses and IP addresses associated with user connections, as well as information about behavior within the platform: account histories, subscription details, plan levels, and usage analytics. For many clients, this combination allows for the creation of a fairly detailed profile of their users. anime and manga consumption habits.

One of the most sensitive aspects is the reference to credit card detailsHere, the accounts differ slightly: some sources speak of "credit card information" in general terms, while others specify that access would have been limited to partial details present in incident logs and captures of receipts, without directly compromising the encrypted database where the complete numbers are stored.

That distinction is relevant: if the attackers have only obtained fragments of numbering or data visible in support ticketsThe risk of direct card use would be lower, though not nonexistent. In any case, experts remind us that this information, combined with other personal data, can facilitate fraud attempts, impersonated verifications with financial institutions, or targeted phishing campaigns.

Geographic impact: beyond the United States

Initially, some messages from the threat actor himself seemed to point primarily to users from the United StatesHowever, further analysis of the sample files revealed a much broader scope. Accounts originating from countries such as Mexico, Brazil, and India were identified in the reviewed packages, and it is assumed that the leak could have affected a wider area. This will also affect European customers, including in Spain., given the global nature of Crunchyroll's subscriber base.

The problem is compounded because, as various analysts explain, the information comes from support tools and analytical systems centralized systems that manage users from multiple regions. Therefore, it wouldn't be a database segmented by country, but rather a dataset where profiles from different markets are mixed, making it difficult to quickly determine who is affected by each block of stolen information.

A 24-hour window to act that did not prevent the mass theft

Those responsible for the attack claim that They were able to move freely for about 24 hours through internal networks before their remote access was cut off. At that point, the security team would have detected the anomalous activity, revoked the compromised credentials, and disconnected the affected systems from the corporate network to contain the intrusion.

Although one day may seem like a short time, the sources consulted emphasize that The exfiltration was very well preparedEverything indicates that the attackers had automated the collection of information to take full advantage of that margin, guiding the malware towards repositories and platforms where user information is concentrated, such as customer service ticketing tools and behavioral analysis dashboards.

This type of operation, highly automated, allows in a few hours copy large volumes of structured dataThe data is organized by tables, categories, or user identifiers, which facilitates subsequent fraudulent use or sale on underground forums. This explains why, despite the relatively quick response, the volume stolen is so high.

Possible connection to previous leaks from Telus and the shadow of ShinyHunters

Some reports link this incident to a larger data leak that would have affected Telus Digital around the same time. In that context, the Canadian provider appeared as a common thread in several attacks targeting companies that outsource customer service, AI processing, and content moderation to it.

Meanwhile, several cybersecurity sources attribute the attack to the group ShinyHuntersA cybercriminal organization active since 2020 and known for high-impact data breaches against technology companies, airlines, and luxury groups. On dark web forums, the group reportedly boasted not only about Crunchyroll's data, but also about... a much larger volume of internal Telus information, including call center recordings and records from other corporate clients.

This possible connection between incidents reinforces the idea that Telus's environment has been under pressure for some time.This is something that various sources had already suggested in previous months. For platforms like Crunchyroll, which delegate some of their user contact to third parties, the situation presents a complex scenario in terms of responsibility and regulatory compliance, especially in territories with strict data protection regulations such as the European Union.

Official silence from Crunchyroll and legal doubts in different countries

One of the most striking elements is that, despite the noise generated, Crunchyroll has not yet issued an official statement. to confirm, clarify, or deny the leaked details. According to the threat actor's own account, the company ignored his attempts at contact, during which he even considered a form of financial blackmail in exchange for the information.

Meanwhile, technology and cybersecurity media outlets indicate that, if the leak is confirmed as described, Legal deadlines may have been missed. of notification to users and authorities in different countries. In the EU, for example, the General Data Protection Regulation (GDPR) establishes clear obligations for rapid communication in the event of incidents affecting personal information, something that is also contemplated by national regulations such as the Spanish one.

Some analysts also point out that This wouldn't be Crunchyroll's first problem with data handling.At the beginning of the year, the company was embroiled in a class-action lawsuit for allegedly sharing viewing habits with third-party marketing platforms without proper consent. The current allegations of a potential massive leak of customer information further damage the brand's reputation at a critical time.

Risks to users: from phishing aimed at financial fraud

The experts consulted agree that, even if complete unencrypted card numbers have not been exposed, the combination of emails, names, IP addresses, and activity histories This opens the door to various types of attacks against affected users. The most predictable is the proliferation of fraudulent emails that mimic official communications from the platform.

With real account data in hand (age, subscription type, country, even previous incidents), attackers can design highly customized phishing campaigns These are more believable: notices of supposed changes in the fee, payment problems, requests for data verification, or messages about the security incident itself. All of this is designed to trick the victim into clicking on malicious links or providing their login credentials.

Furthermore, the potential exposure of partial credit card detailsCombined with other personal data, this increases the risk of financial fraud attempts, whether through unauthorized purchasesImpersonation of customer service representatives or attempts to complete missing data with information obtained from previous breaches.

Added to this are the less visible but equally relevant effects: the creation of behavioral profiles for medium-term social engineering campaignsUse of data in attacks against other platforms where users can reuse emails and passwords, or resale of information to other criminal groups specializing in different types of fraud.

What can Crunchyroll users do to protect themselves?

In the absence of an official guide from the platform itself, security experts recommend following a series of basic digital self-protection measures which, although they do not erase the incident, do help to reduce the potential impact on each user.

The first is to act on the credentials: Change your Crunchyroll password immediately and avoid using the same password for other services. If the password is used for email, social media, online banking, or other subscriptions, it's advisable to update those logins as well, since attackers often try multiple combinations across different platforms.

In parallel, specialists recommend enable two-step authentication (2FA) whenever possible. This system adds a second barrier, usually a temporary code sent to the mobile phone or generated in an app, which makes it much more difficult for a third party to access the account even if they have obtained the password.

Regarding the financial aspect, both in Spain and in the rest of Europe it is advisable closely monitor bank account transactions associated with the card used to pay for Crunchyroll. In the weeks following the incident, it's advisable to check your statements more frequently than usual and, if you notice any suspicious charges, contact your bank immediately to block the card and file a claim.

Another key point is email management. Since the attack would have exposed addresses and account data, it's likely that they will start circulating. messages that appear to be from Crunchyroll or from related financial institutions. If you receive an email requesting personal information or asking you to click on a link to "verify" your account, the safest course of action is to ignore it and go directly to the platform or bank by typing the address into your browser.

Finally, users who want to be especially cautious can temporarily remove your credit card from the platformreplacing it with alternative methods if available, or delete account, or pausing automatic renewal until there is more clarity on the actual extent of the leak and the measures the company will take.

One more warning about the fragility of data in the digital economy

This alleged attack on Crunchyroll adds to a long list of recent incidents affecting massive digital servicesFrom e-commerce to social media, scams impersonating major brands via email, SMS, phone calls, or fake websites are becoming increasingly common in Spain and throughout Europe, often relying on real data obtained from previous leaks.

For businesses, the lesson is clear: It is not enough to simply strengthen our own systems If the external links in the chain—support providers, call centers, AI or moderation companies—don't have equivalent levels of security. And for users, the incident is a reminder that the best defense is maintaining good digital security habits, being alert to suspicious activity, and being at least somewhat wary of any message requesting sensitive data.

While it is being clarified exactly what has happened, how much has been stolen and how many accounts are affected, the combination of Exercise caution, change your passwords, check your cards, and be skeptical of suspicious emails. It is presented as the most sensible way to deal with a few hours in which official information is still conspicuous by its absence and the focus is on both Crunchyroll's systems and the role played by its external partners.