Popular anime streaming platform Crunchyroll has been targeted by a significant class-action lawsuit filed in a California federal court, following a substantial data breach that compromised the personal information of millions of subscribers. The legal action alleges that the Sony-owned company failed to adequately protect the data of 6.8 million users, which was leaked online after a cyberattack in March 2026.
Details of the Data Breach
The lawsuit, initiated by plaintiff Max Agress on March 24, claims that Crunchyroll violated both state and federal consumer protection laws by not implementing sufficient security measures to safeguard customer data. Sensitive information, including email addresses and, in a limited number of instances, credit card numbers, was exposed when hackers targeted a third-party vendor associated with the streaming service.
How the Breach Occurred
Investigators believe the breach originated at a supplier, where cybercriminals deployed malicious software to gain access to private data linked to Crunchyroll's systems. Specifically, the attack focused on the company's ticketing system used for managing customer support requests, indicating a deep penetration into internal networks. The breach involved a support account connected to an employee reportedly based in India, working through Telus, a company providing operational support to Crunchyroll.
According to reports from tech site BleepingComputer, the attackers claimed to have downloaded approximately eight million support ticket records, encompassing 6.8 million email addresses along with login names, IP addresses, and customer support messages. In rare cases, credit card details were also exposed when users included card numbers directly in support tickets. The hackers maintained access for about 24 hours, during which they extracted millions of customer communications.
Legal Allegations and Risks
The lawsuit asserts that the stolen information could be exploited for identity fraud, financial theft, or even impersonation of victims when applying for jobs or official documents. It states that with access to personal identifiable information (PII), criminals could commit various fraudulent activities, such as obtaining driver's licenses, securing employment, or receiving medical services in the victim's name.
The complaint further alleges that Crunchyroll neglected standard cybersecurity practices, including proper employee education, strong password enforcement, multi-layered protections like firewalls and anti-malware software, data encryption, multi-factor authentication, data backups, and restricted access to sensitive information. The company is also accused of failing to monitor system security effectively and not providing timely notifications to affected users.
Industry Warnings and Responses
Dray Agha, senior manager of security operations at Huntress, commented to DailyMail.com, highlighting the risks of collecting extensive user data. He noted, "Crunchyroll is learning the hard way that collecting vast amounts of user habits and personal information is a double-edged sword. It doesn't just invite privacy lawsuits when shared behind the scenes, it also creates a massive and irresistible treasure trove for hackers." Agha added that this incident serves as a warning to the streaming industry to minimize data retention and limit access to sensitive records.
In a statement, Crunchyroll acknowledged the ongoing investigation, stating, "Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims, and we are continuing to monitor the situation closely." DailyMail.com has reached out to Crunchyroll for additional comments.
Background on Crunchyroll
Crunchyroll is a major global streaming service dedicated to anime, offering over 1,300 titles and more than 200 East Asian dramas, often featuring simulcasts shortly after Japanese broadcast. The company also hosts an annual Anime Awards to recognize the best anime of the previous year, first presented in January 2017 after being announced in December 2016.
The breach, which occurred on March 12, 2026, and was publicly disclosed on March 22, has prompted Max Agress to seek representation for individuals across the United States affected by the data exposure. Security website Have I Been Pwned now allows users to check if their email address or personal information was compromised in this incident, underscoring the widespread impact of one of the largest breaches to affect an entertainment streaming platform this year.
