Crunchyroll Data Breach Exposes 1.2M User Records via Zendesk Support System
What Happened – In March 2026, Crunchyroll’s Zendesk support platform was compromised, leaking names, login IDs, email addresses, IP locations and full support‑ticket contents. A subset of 1,195,684 email records were later published on Have I Been Pwned.
Why It Matters for TPRM –
- Personal identifiers and usage data can be leveraged for credential stuffing and phishing campaigns against the vendor and its partners.
- Exposure of support‑ticket content reveals internal processes and may disclose third‑party integrations.
- The breach demonstrates the risk of third‑party SaaS mis‑configurations in a media‑streaming supply chain.
Who Is Affected – Media & entertainment streaming services; downstream advertisers and content partners that rely on Crunchyroll’s platform.
Recommended Actions –
- Verify that any contractual clauses require Crunchyroll to maintain secure SaaS configurations and regular audits.
- Require the vendor to provide evidence of post‑breach remediation (e.g., hardened Zendesk settings, MFA enforcement).
- Review and, if needed, rotate credentials used for any API or integration with Crunchyroll.
Technical Notes – Attack vector appears to be a mis‑configuration of the Zendesk support system, leading to data exfiltration of ~1.2 M records (email, name, IP, ticket content). No CVE is associated. Source: Have I Been Pwned – Crunchyroll Breach