Crunchyroll Data Breach Impacts Nearly 1.2 Million Accounts

  • Apr 4

Key Findings


  • Crunchyroll experienced a data breach in March 2026 affecting approximately 6.8 million users

  • Attackers gained unauthorized access to the company's Zendesk support system

  • Exposed data included names, login credentials, email addresses, IP addresses, geographic location data, and support ticket contents

  • A subset of 1.2 million email addresses from a larger 2 million record dataset was later provided to Have I Been Pwned

  • 1,195,684 breached accounts were confirmed in the incident database


Background


Crunchyroll is a leading anime streaming service that provides content to millions of subscribers worldwide. The platform hosts customer support through Zendesk, a third-party ticketing system designed to manage user inquiries and technical issues. Like many service-oriented platforms, Crunchyroll's support system contains sensitive user information collected during troubleshooting and account management interactions.


The Breach Details


In March 2026, threat actors discovered and exploited a vulnerability in Crunchyroll's Zendesk implementation. Rather than targeting the main streaming platform directly, the attackers focused on the support infrastructure where access controls were apparently weaker. The compromise exposed a comprehensive set of personally identifiable information spanning millions of user accounts.


Exposed Information


The data extracted from Zendesk included core account identifiers and personal details. Names and login credentials were compromised alongside email addresses that users provided during account creation. IP addresses revealed user connection points, while geographic location data indicated where subscribers were accessing the service from. Perhaps most concerning was the exposure of support ticket contents, which potentially included additional sensitive information users may have shared when seeking help from customer service representatives.


Data Distribution and HIBP Notification


Following the initial breach, threat actors began monetizing the stolen data by listing it for sale on dark web marketplaces. A sample dataset containing approximately 2 million records was compiled for sale. Security researchers later obtained a subset containing 1.2 million email addresses from this dataset and submitted it to Have I Been Pwned, a public database that helps individuals determine if their personal information was compromised in known breaches.


Sources


  • https://haveibeenpwned.com/Breach/Crunchyroll

  • https://md.linkedin.com/in/andrei-v-a1608056


© 2025 by Explain IT Again.