Crunchyroll Breach Exposes 1.2M User Records
In March 2026, the anime streaming service Crunchyroll suffered a data breach alleged to have impacted 6.8M users . The exposed data is reported to have originated from the company's Zendesk support system where "name, login name, email address, IP address, general geographic location and the conten...
Overview
In March 2026, anime streaming platform Crunchyroll became the target of a data breach affecting over 1.19 million user accounts. The incident was reported to Have I Been Pwned (HIBP) after a threat actor claimed to have obtained data from 6.8 million users, though verified records currently show just under 1.2 million impacted. The stolen information originated from Crunchyroll’s Zendesk customer support system, a common point of compromise for service desk platforms. While no passwords or payment data were taken, the combination of exposed personal details poses significant risks for account takeovers and targeted phishing campaigns.
What Was Exposed
The breached data includes email addresses, full names, IP addresses, geographic locations (general city/region), and content of customer support tickets. Notably, password hashes, payment card numbers, and billing addresses were not among the stolen records. However, the inclusion of IP addresses and geographic data can be used to build detailed user profiles, while support ticket content may reveal sensitive preferences, account history, or even technical issues users have reported.
How the Breach Happened
The attacker gained access to Crunchyroll’s Zendesk instance - a cloud-based customer service platform widely used across industries. Support tickets often contain a treasure trove of personally identifiable information (PII) because users routinely submit their full names, email addresses, and account details when requesting help. The breach suggests that Crunchyroll did not adequately restrict access to its Zendesk environment or failed to implement multi-factor authentication (MFA) for support agents. This is a recurring weakness in third-party service desk security, as seen in breaches at other streaming and gaming platforms.
Account Takeover Risks
While passwords were not exposed in this breach, email addresses and full names are the building blocks of credential-stuffing attacks. If you reuse the same password across multiple services - for instance, if your Crunchyroll password is the same as your bank or email login - attackers can attempt to log into those accounts using your exposed email. The IP addresses and location data also help attackers craft convincing phishing emails, such as “We noticed unusual activity on your account from [your city], reset your password here.”
How to Check If You’re Affected
Affected users can verify their status by searching their email address on Have I Been Pwned. The breach is listed under “Crunchyroll” on HIBP with a verified record count of 1,195,684. If your email appears, your name, email, IP address, and geographic location were likely exposed. There is no evidence that passwords or financial data were stolen, but the risk of targeted phishing and credential-stuffing remains high.
What to Do Right Now
First, change your Crunchyroll password immediately - use a unique, strong password you have not used elsewhere. Enable two-factor authentication (2FA) on your Crunchyroll account if it is supported. Second, if you use the same email and password combination on other accounts (especially email, banking, or social media), change those passwords immediately. Third, be wary of unsolicited emails claiming to be from Crunchyroll - do not click links or download attachments unless you independently verify the sender by logging directly into your account at crunchyroll.com. Finally, monitor your email for suspicious activity, such as password reset requests you did not initiate.
Security Insight
This breach exposes a fundamental weakness in how companies manage third-party support platforms. Crunchyroll’s reliance on Zendesk without proper access controls allowed an attacker to siphon years of support ticket data. The same dynamic has played out at other companies like Uber and DoorDash, whose support systems were similarly compromised. For users, this incident underscores that even services with strong password policies can leak enough data to fuel identity theft. The true impact will not be measured by the number of exposed records, but by how many users fall for the phishing emails that follow.
Further Reading
Investigate Breaches Safely with NordVPN
Researching exposed data, paste sites, or threat actor infrastructure? Route your OSINT traffic through a VPN to avoid attribution and keep your investigation IP separate from your corporate network.
Get NordVPN for ResearchAffiliate link — we may earn a commission at no extra cost to you.
Never miss a data breach report
Get real-time security alerts delivered to your preferred platform.
Related Breach Reports
In February 2026, the online gaming community Toy Battles suffered a data breach. The incident exposed 1k unique email addresses alongside usernames, IP addresses and chat logs. Following the breach, Toy Battles self-submitted the data to Have I Been Pwned.
In December 2025, 2.3M records of WIRED magazine users allegedly obtained from parent company Condé Nast were published online . The most recent data dated back to the previous September and exposed email addresses and display names, as well as, for a small number of users, their name, phone number,...
In March 2026, the personal development and achievement media brand SUCCESS suffered a data breach . The incident exposed 250k unique email addresses along with names, IP addresses, phone numbers and, for a limited number of staff members, bcrypt password hashes. The data also included orders contai...
In June 2015, custom gaming controller maker Scuf Gaming suffered a data breach . The incident exposed 129k unique email addresses along with usernames, display names, IP addresses and password hashes.