Have I Been Pwned (HIBP) has added 1.2 million email addresses tied to the recent Crunchyroll data breach, enabling users to check if their information was exposed.
The dataset represents a subset of a larger trove allegedly stolen from the anime streaming platform in March 2026.
The breach was first reported in mid-March after a threat actor claimed to have accessed Crunchyroll’s internal systems and exfiltrated millions of customer support records. According to HIBP, the newly added data was provided by the threat intelligence account @IntCyberDigest, which obtained the dataset from a buyer known as “Mr. Raccoon.” The group stated that 1.2 million email addresses were part of a larger 2 million-record dataset that had been sold, and subsequently shared with HIBP for public notification purposes.
Crunchyroll, a major anime streaming platform owned by Sony Group Corporation, serves tens of millions of users globally and offers a vast catalog of licensed anime content. The company confirmed it is investigating the incident and attributed the exposure primarily to customer service data handled through a third-party vendor.
Technical details surrounding the intrusion suggest the attackers gained access via a compromised support agent account linked to Telus International, a business process outsourcing (BPO) provider used by Crunchyroll. The threat actor claimed they infected the agent’s device with malware, allowing them to capture Okta single sign-on credentials and pivot into multiple internal services. These reportedly included Zendesk, Slack, Google Workspace, Jira Service Management, and analytics tools like Mixpanel.
Using this access, the attackers allegedly extracted up to 8 million support ticket records, containing approximately 6.8 million unique email addresses. The exposed data varies in sensitivity but includes names, login usernames, email addresses, IP addresses, geographic location data, and the full contents of customer support interactions. While some reports suggested payment data exposure, investigations indicate that credit card details were only present when users manually included them in support tickets, typically limited to partial numbers or expiration dates.
Crunchyroll stated there is no evidence of ongoing unauthorized access and that the breach was contained after roughly 24 hours. The attackers also claimed to have attempted extortion, demanding $5 million in exchange for not leaking the data, though the company reportedly did not engage.
Users can now search HIBP to determine if their email address was included in the exposed dataset. While only email addresses were added to the service, affected individuals should remain cautious of phishing attempts that may leverage details from support tickets. It is also recommended to enable multi-factor authentication (MFA) on their Crunchyroll and associated email accounts.
Leave a Reply