A major cybersecurity breach recently struck anime streaming giant Crunchyroll after attackers infiltrated the company through a compromised third-party vendor which exposed sensitive user information of millions of subscribers.
The intrusion originated from Telus Digital, an external service provider connected to Crunchyroll’s systems. Hackers used malware to gain access to the authentication infrastructure linked to Okta, allowing them temporary entry into internal tools for nearly 24 hours.
Although the company said account passwords were not stolen, investigators confirmed that attackers accessed a wide range of personal and operational data. The compromised information includes email addresses, usernames, real names, IP addresses, approximate user locations and complete customer support tickets containing billing discussions, complaint histories and account activity details.
Cybersecurity experts warn that such contextual information can be more dangerous than password leaks because it allows criminals to impersonate legitimate support staff or reference real user issues when sending fraudulent emails or messages.
The breach timeline indicates unauthorized access began on March 12. By March 23, hackers claimed possession of a database containing roughly 6.8 million email records, with portions of the data later appearing for sale on underground forums. On April 4, about 1.2 million exposed email addresses were independently verified through Have I Been Pwned, confirming the scale of the incident.
Crunchyroll has maintained that login credentials remain secure, but the incident represents a growing trend of supply-chain attacks, where attackers target external vendors instead of directly breaching a company’s firewall.
Users have been advised to change passwords, particularly if reused across multiple platforms, enable two-factor authentication using an authenticator app and remain cautious of emails or SMS messages referencing account issues or billing problems.