Roughly 100 GB of customer data was stolen from Crunchyroll, Sony's anime streaming platform. The attacker reached Crunchyroll's environment by compromising an employee at Telus Digital, the platform's BPO partner. As of March 23, Crunchyroll has not acknowledged the incident or notified its 15 million subscribers.
The breach reportedly hit on March 12, 2026. That same day, Telus Digital confirmed a separate, far larger intrusion. ShinyHunters, an extortion group active since 2020, claimed nearly one petabyte of stolen Telus data and demanded $65 million. Telus refused to pay.
A Telus Digital employee in India executed malware from a spoofed phishing email. The attacker told International Cyber Digest that the infostealer captured the employee's Okta credentials, opening an authentication path into Crunchyroll. From this BPO foothold, lateral movement reached the platform's ticketing infrastructure and customer analytics databases.
International Cyber Digest reviewed a sample of the stolen Crunchyroll files. The exposed records reportedly include IP addresses, email addresses, payment card details, and analytics data. Whether the card numbers are full or masked has not been confirmed. Ticketing platforms routinely contain unencrypted logs where customers paste billing screenshots or share card numbers in plaintext.
Crunchyroll detected the intrusion and cut the attacker's access roughly 24 hours after the initial breach. Despite the short dwell time, 100 GB exfiltrated in that window points to a pre-planned, automated extraction.
Sony's streaming platform is one downstream casualty of a much wider Telus Digital compromise. ShinyHunters claimed the stolen files span call center recordings, agent metrics, AI-driven support tooling, fraud detection infrastructure, source code, financial records, and Salesforce exports. FBI background check results for employees were also reportedly taken. The haul allegedly covers 28 client companies.
TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion.
— Telus Digital, public statement, March 12, 2026
The Telus Digital breach itself traces to a third incident. ShinyHunters obtained Google Cloud Platform credentials from data stolen during the 2025 Salesloft Drift compromise. In that earlier breach, attackers stole OAuth tokens from the Drift chatbot integration and used them to access Salesforce data for 760 companies. ShinyHunters then ran the open-source tool Trufflehog against the Telus data to extract additional credentials, pivoting through multiple systems and BigQuery instances over several months.
The Salesloft breach really is the gift that keeps on giving. The credentials used to get into Telus Digital trace back to the Salesloft compromise that started in early 2025.
— Denis Calderone, CTO, Suzu Labs
Salesloft Drift (2025) fed credentials to Telus Digital (March 2026). Telus gave access to Crunchyroll on the same day. Each link in the chain amplified the next.
The relationship between the Crunchyroll attacker and ShinyHunters is unclear. The Crunchyroll intruder contacted International Cyber Digest independently, described a phishing-based entry, and claimed 100 GB over 24 hours. ShinyHunters gained access through stolen GCP credentials and operated undetected for months, claiming nearly a petabyte. The Crunchyroll incident could be a separate opportunistic intrusion by a different actor who found the same compromised Telus environment. It could also be one component of the ShinyHunters operation, with the separate disclosure serving as pressure after Crunchyroll ignored contact attempts.
Crunchyroll already faces a class-action lawsuit filed in early 2026. The suit alleges unauthorized sharing of user viewing data with third-party marketing platforms. A confirmed breach involving PII and possible payment card exposure would intensify legal and regulatory risk, particularly under GDPR's 72-hour notification requirement and California's CCPA.
BPO providers maintain privileged access to authentication workflows, billing systems, and customer-facing infrastructure for multiple clients at once. A single compromise at the outsourcer cascades to every downstream organization. Crunchyroll is the first named victim from the Telus Digital breach. With 28 companies allegedly affected, more will likely surface.
ShinyHunters' claim of 28 affected companies has not been independently verified. None of the names have been published. Crunchyroll is the first to be identified publicly.
Sony, Crunchyroll's parent company, has not commented.
Crunchyroll subscribers should change their passwords and enable multi-factor authentication now. Anyone who submitted payment card numbers or billing screenshots through the support portal should monitor financial accounts and set fraud alerts. The 11-day silence from Crunchyroll, if the March 12 breach date holds, is the detail that will draw regulatory attention first.
Have a story? Become a contributor.
We work with independent researchers and cybersecurity professionals. Send us a tip or submit your article for editorial review.
