Crunchyroll Faces Lawsuit After Major Data Breach

Crunchyroll faces mounting legal pressure after a major data breach exposed millions of users and triggered a class action lawsuit that could carry a steep financial cost.

The anime streaming platform, owned by Sony, allegedly exposed personal information belonging to around 6.8 million users after hackers accessed a third-party support system linked to the company. The incident did not stem from a direct attack on Crunchyroll itself. Instead, attackers reportedly targeted Telus, a vendor that handled operational support for the platform.

Court filings claim hackers gained access to a support account belonging to an employee in India, then used malware to retrieve sensitive records. Those records allegedly included usernames, email addresses, IP addresses and customer support ticket histories. In some cases, payment information may also have been exposed if users included credit card details in support conversations.

The legal threat goes beyond the breach itself.

One lawsuit, filed in California in early March, accuses Crunchyroll of violating the Video Privacy Protection Act. Plaintiffs argue the company embedded software from marketing firm Braze into its mobile app, allowing it to share email addresses, device identifiers and viewing habits without obtaining proper consent from users. The lawsuit claims Crunchyroll failed to secure the “informed, written consent” required under US privacy law.

A second lawsuit followed later in March, alleging Crunchyroll failed to protect user data adequately and exposed customers to risks such as fraud, identity theft and financial loss. Plaintiffs are seeking compensatory damages as well as statutory damages of up to $2,500 per affected user under privacy laws. If courts certify a large class of users, the potential financial exposure could become significant.

Crunchyroll has more than 120 million registered users worldwide and roughly 17 million paying subscribers. Even a small percentage of affected users joining a class action could create a serious legal and reputational problem for the company. The platform has faced privacy-related complaints before, including a 2023 settlement over data practices involving Sony.

Cybersecurity experts warn that the leaked information could become valuable to scammers. Support tickets often contain detailed personal context, making phishing emails more believable and harder to spot. A user who once contacted support about a subscription issue, for example, may be more likely to trust a fraudulent email that references that exact interaction.

That is often the most damaging effect of a breach. Passwords can be changed. Credit cards can be replaced. Personal details tied to habits, support history and online behaviour can linger for years.

Crunchyroll has not admitted wrongdoing and is still investigating the full scope of the incident. The company reportedly contained the breach within 24 hours and declined to pay a ransom demand from attackers.

Author: George Nathan Dulnuan
