After a breach involving its outsourcing partner, Telus, a threat actor is said to have stolen about 100 GB of private user data from Crunchyroll, the anime streaming service owned by Sony. Crunchyroll has not yet confirmed the incident, which is said to have happened on March 12, 2026. This has raised concerns among cybersecurity experts.

Cyber Digest has learned that the breach started with an employee workstation that had been hacked at Telus, a business process outsourcing (BPO) company that helps Crunchyroll with its customer operations. It is said that the employee ran malware, which gave the attacker access to the company's network. The threat actor is said to have moved laterally from this foothold, eventually getting into internal systems, such as customer support and ticketing systems.

This way of breaking in is part of a larger and more common attack vector that targets third-party service providers. Notably, the incident fits with claims about a larger Telus Digital breach that was made public on the same day. Attackers said they were able to access multiple organizations that used Telus for customer support, AI data processing, and content moderation services.

BPO providers are high-value targets because they often have privileged access to authentication workflows and billing systems. This means that they can make big changes to the supply chain. Cyber Digest says it looked at a sample of the stolen data, which includes a lot of personally identifiable information (PII). The leaked dataset is said to include IP addresses, email addresses, credit card information, and customer analytics data that is linked to how users act.

If this data is correct, it greatly raises the risk of identity theft, financial fraud, and very targeted phishing campaigns against Crunchyroll users. The person behind the threat says that they took the whole 100 GB dataset from Crunchyroll's customer analytics environment and ticketing systems in a short amount of time. Crunchyroll reportedly found out about the access to the environment and took it away within about 24 hours.

Even though the dwell time was short, the size of the exfiltration suggests that the operation was well-planned. It probably used automated data collection and quick staging methods to steal as much data as possible before containment. Another thing that worries people is that Crunchyroll is said to have not communicated with anyone after the incident.

The threat actor says that the company has ignored attempts to get in touch with them and has not formally told users who may be affected. This lack of communication could draw the attention of regulators, especially in places where there are strict rules about reporting data breaches. The timing of the event makes things even more complicated.

Earlier this year, Crunchyroll was sued in a class-action lawsuit for allegedly sharing user viewing data with third-party marketing platforms without getting permission first. A new breach that puts sensitive user data at risk could make the company's legal and reputational problems even worse. Crunchyroll has not yet replied to requests for comment. Experts in security say that users should stay alert, keep an eye on their bank accounts, and be careful of phishing scams that use Crunchyroll-related themes.

As more information comes out about this event and its wider effects on third-party risk management in cloud-based service ecosystems, ZeroOwl will keep an eye on things. In Google, make ZeroOwl your preferred source.