Crunchyroll Investigates Alleged Cyberattack and Data Breach via Telus

Anime streaming giant Crunchyroll is actively investigating claims of a major cyberattack that may have exposed sensitive customer data. The alleged data breach, which reportedly stems from a malware infection at third-party service provider Telus, has sparked widespread concern across social media regarding the safety of user billing information, email addresses, and IP addresses.

Following the rapid spread of these rumors, a Crunchyroll spokesperson confirmed to CNET that the company is aware of the claims and is currently collaborating with leading cybersecurity experts to investigate the situation. According to a report from Cyber Security News, the infiltration allegedly occurred in mid-March. The bad actor claims to have compromised the systems of Telus, a company that provides digital operational support services to Crunchyroll and several other large enterprises.

Although Crunchyroll has not yet officially confirmed the data breach, security experts strongly advise users to take immediate preventative measures. Given the potential exposure of billing and contact details, subscribers should not wait for the conclusion of the investigation to secure their digital footprint.

• Reset passwords for associated email accounts immediately.
• Enable two-factor authentication (2FA) or passkeys if supported by the provider.
• Update the Crunchyroll subscription password, ensuring it is entirely unique to the platform to prevent unauthorized access.
• Monitor banking statements and email accounts regularly for any suspicious activity that may occur down the road.

The alleged Crunchyroll cyberattack highlights a growing vulnerability in the digital entertainment sector: third-party supply chain risks. By allegedly targeting Telus - a digital operational support provider - threat actors can potentially bypass a primary company's internal security measures to access lucrative subscriber data. This incident underscores why streaming platforms must enforce rigorous zero-trust architectures, even with trusted operational partners.

For consumers, this situation serves as a critical reminder that waiting for official breach confirmation is often a risky strategy. Because the bad actor claims to have accessed billing information and IP addresses since mid-March, the window for preventative action is already closing. Adopting unique passwords and enabling passkeys across all streaming services is no longer optional; it is a mandatory baseline for digital survival in an era where third-party vendor breaches are increasingly common.