Crunchyroll probes alleged data breach

Crunchyroll, an anime streaming service owned by Sony, is investigating a data breach where a hacker allegedly accessed millions of user records via third-party support systems. The incident highlights the increasing vulnerability of third-party vendors and the broader concerns about data governance in cloud-based services.

• Hacker claims to have accessed millions of user records via third-party support systems
• Crunchyroll says investigation is ongoing and impact appears limited

What happened

Reuters report citing BleepingComputer said that Crunchyroll, the anime streaming service owned by Sony, is investigating claims that a hacker stole user data following a breach linked to its systems.

According to BleepingComputer, a threat actor alleged they accessed Crunchyroll’s internal support tools and extracted user information, including data contained in customer service tickets. The attacker reportedly contacted the cybersecurity news outlet directly with evidence of the breach.

Crunchyroll confirmed it is probing the incident, stating that it is working with cybersecurity experts. The company indicated that, based on its current understanding, the exposed data is “primarily limited” to customer support ticket information rather than core account systems.

The company also said it has found no evidence of ongoing unauthorised access. The breach appears to be tied to a third-party vendor used for customer support operations, highlighting a potential supply-chain vulnerability.

The claims stem from an incident said to have occurred in March 2026, although the full scale and verification of the breach remain under investigation.

Also read：Sony’s Astro Bot DualSense controller goes up for pre-order

Also read：SK Telecom cyberattack exposes millions to SIM cloning risks

Why it’s important

The incident underscores a growing pattern in cybersecurity: attackers increasingly targeting third-party vendors rather than core infrastructure. According to BleepingComputer, such support platforms can contain sensitive user data despite being peripheral systems.

For cloud-based services like Crunchyroll, which rely heavily on outsourced operations and distributed infrastructure, this raises broader concerns about data governance and vendor access controls.

From a financial perspective, even limited breaches can carry reputational risks and potential regulatory scrutiny, particularly in regions with strict data protection regimes.

The case also reflects a wider industry trend. Recent breaches across sectors — including telecoms and fintech — have similarly originated from indirect access points rather than primary systems, reinforcing the idea that the “weakest link” often lies outside the organisation.

Crunchyroll’s response will likely be watched closely as companies reassess how third-party integrations are secured in modern cloud and networking environments.