Popular anime-streaming service Crunchyroll has been hit with a class-action lawsuit in a California federal court following a massive data breach that exposed the personal information of millions of users.
The lawsuit alleges that the Sony-owned company failed to safeguard the data of 6.8 million users, which was leaked online after a cyberattack in March 2026.
Sensitive details, including email addresses and, in a small number of cases, credit card numbers, were exposed after hackers targeted a third-party company that worked with the streaming platform.
The complaint, filed on March 24 by plaintiff Max Agress, claims Crunchyroll violated state and federal consumer protection laws by failing to properly secure customer data.
According to the lawsuit, the stolen information could be used for identity fraud, financial theft, or even to impersonate victims when applying for jobs or official documents.
Investigators believe the breach originated at a supplier, where cybercriminals allegedly deployed malicious software that allowed them to access private data connected to Crunchyroll's systems.
The large number of users involved makes this incident one of the largest breaches to impact an entertainment streaming platform this year.
The breach specifically targeted the company's ticketing system used to handle customer support requests, raising concerns about how deeply attackers were able to penetrate internal networks.
Cryunchyroll hosts an annual Anime Awards to recognize the best anime of the previous year.
Cryunchyroll is a major global streaming service dedicated to anime, offering over 1,300 titles and more than 200 East Asian dramas, often featuring simulcasts shortly after Japanese broadcast.
The company also hosts an annual Anime Awards to recognize the best anime of the previous year. Announced in December 2016, the awards were first presented in January 2017.
The breach originated through Telus, a company that provides operational support to Crunchyroll, and involved a support account linked to an employee believed to be based in India.
Attackers, who claimed in comments to tech site BleepingComputer, claimed that they deployed malware... allowing them to gain access to internal systems including Zendesk, Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management and Slack.
According to the hackers, they downloaded approximately eight million support ticket records, including 6.8 million email addresses along with login names, IP addresses and customer support messages.
In a small number of cases, credit card details were also exposed when users included card numbers directly in support tickets, BleepingComputer reported.
The attackers reportedly maintained access for around 24 hours, during which they downloaded millions of customer communications.
Security website Have I Been Pwned now allows users to check whether their email address or personal information was exposed in the breach.
Cryunchyroll is a major global streaming service dedicated to anime, offering over 1,300 titles and more than 200 East Asian dramas, often featuring simulcasts shortly after Japanese broadcast.
Dray Agha, senior manager of security operations at Huntress, told DailyMail.com: 'Crunchyroll is learning the hard way that collecting vast amounts of user habits and personal information is a double-edged sword. It doesn't just invite privacy lawsuits when shared behind the scenes; it also creates a massive and irresistible treasure trove for hackers.'
'This is a clear warning to the entire streaming industry to stop keeping data they don't absolutely need and to strictly limit who can see what they do keep,' Agha added.
'A compromised customer service representative shouldn't become the master key that unlocks millions of sensitive user records and credit card details.'
Cryunchyroll said in a statement at the time: 'Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor.'
'We have not identified evidence of ongoing access to systems in relation to these claims, and we are continuing to monitor the situation closely,' the company added.
DailyMail.com has approached Crunchyroll for further comment.
Max Agress, who filed the class-action lawsuit, alleges in the suit that a Telus employee executed software on their system that allowed criminals to gain unauthorized access to Crunchyroll data.
Agress is seeking to represent individuals across the United States whose information was exposed in the breach, which occurred on March 12, 2026, and was publicly disclosed on March 22.
The lawsuit alleges that Crunchyroll failed to implement reasonable security measures, violating both Section 5 of the Federal Trade Commission Act and California's Consumer Records Act.
According to the complaint, the company also failed to properly monitor system security and did not provide timely notification to affected users.
The lawsuit states: 'With access to an individual's PII, criminals can do more than just empty a victim's bank account; they can commit all manner of fraud, including obtaining a driver's license or official identification card in the victim's name, but with the thief's picture.'
It continues: 'Identity thieves may obtain a job, rent a house, or receive medical services in the victim's name. They may even give the victim's personal information to police during an arrest, resulting in an arrest warrant being issued in the victim's name.'
The complaint further alleges that Crunchyroll failed to follow standard cybersecurity practices, including properly educating employees; enforcing strong password requirements; implementing multi-layered protections such as firewalls and anti-malware software; encrypting sensitive data; requiring multi-factor authentication; backing up data; restricting employee access to sensitive information.