Crunchyroll is the target of a new class action lawsuit filed on March 27th, 2026, in the U.S. District Court for the Northern District of California. Plaintiff Emilia Enfield, a Washington resident and Crunchyroll subscriber, accuses the anime streaming service of negligence that allowed cybercriminals to access sensitive user data through a third-party vendor.
According to the complaint, the breach occurred no later than March 12th, 2026, when malware executed on a Telus Digital employee’s system in India granted unauthorized access to Crunchyroll’s environment. Telus Digital handles customer support ticket processing for the platform. The stolen information reportedly includes full names, usernames, email addresses, IP addresses, approximate location data, and the full text of user support tickets. Some tickets may have contained partial payment card details, such as the last four digits or expiration dates, though no complete credit card numbers or financial account information were compromised.
Enfield claims Crunchyroll failed to implement basic safeguards, including proper data encryption (even for internal use), real-time threat monitoring, and timely breach notifications. The suit alleges the company knew about industry-wide risks but did not adequately protect user data, leaving subscribers vulnerable to identity theft, fraud, and ongoing privacy harm. Affected users have reportedly spent time monitoring accounts, contacting support, and seeking professional advice, with the risk of data being sold on underground markets persisting.
The lawsuit seeks to represent a class of all U.S. residents whose personal information was exposed in the incident, estimated in the tens or hundreds of thousands based on Crunchyroll’s user base. Relief requested includes actual and consequential damages, statutory damages of up to $25,000 per class member under Washington’s Consumer Protection Act, injunctive relief requiring Crunchyroll to adopt stronger security measures (such as encryption, independent audits, employee training, and improved monitoring), and payment of attorney fees and costs.
Crunchyroll has acknowledged the incident in public statements following initial hacker claims that surfaced around March 22nd. The company said its investigation is ongoing and that it is working with leading cybersecurity experts. At this time, Crunchyroll maintains that the compromised data is primarily limited to customer service ticket information obtained through the third-party vendor and that it has found no evidence of ongoing unauthorized access to its systems. The streamer emphasized that full payment information was not part of the breach.
This latest legal action comes just weeks after another lawsuit filed against Crunchyroll this month over alleged privacy violations in its mobile app. The rapid succession of complaints highlights growing scrutiny of the platform’s data-handling practices as its subscriber base continues to expand globally.
The breach was first publicly flagged through cybersecurity channels and media reports, with screenshots of internal Slack messages and stolen support data circulating online. Crunchyroll notified affected users after the claims surfaced, but the complaint argues the disclosure was delayed and lacked sufficient detail about what was taken or how the company plans to prevent future incidents.
For subscribers, the situation raises familiar concerns about the security of streaming services that collect extensive personal and interaction data. While no full financial details were lost, the exposure of emails, IP addresses, locations, and support ticket contents can still enable targeted phishing, account takeovers, or doxxing attempts.
Crunchyroll has not yet filed a formal response to the lawsuit in court. The case is in its earliest stages, and it remains to be seen whether it will proceed as a class action or be resolved through other means. In the meantime, the company continues to investigate and has urged users to remain vigilant with account security practices such as enabling two-factor authentication and monitoring for suspicious activity.
The development underscores the increasing risks faced by third-party outsourcing arrangements in the entertainment industry. Telus Digital, a major business process outsourcing provider, has been linked to the incident, though the malware was reportedly isolated to a single employee system rather than a broader compromise of the vendor’s infrastructure.
As one of the leading anime streaming platforms worldwide, Crunchyroll’s handling of this breach will be closely watched by users, regulators, and industry peers. The lawsuit seeks not only monetary compensation but also systemic changes to data protection protocols, reflecting broader demands for accountability in how streaming services safeguard customer information.
Affected users who wish to learn more about the case can review the publicly available complaint filed under case number 3:26-cv-02714 in the Northern District of California.
Stay tuned to Animemojo.com for more updates as the whole situation unfolds.