Crunchyroll has been hit with a class action lawsuit following the alleged major data breach this month via a third-party vendor, which Crunchyroll says it’s investigating.
The plaintiff, based in Washington State and suing in the Northern District of California, makes various allegations. The plaintiff alleges that Crunchyroll failed to properly safeguard consumers’ personally identifiable information (PII) by sharing data with companies that used substandard data security. They add that this has caused harm through stress and anxiety, and the material risk that exposed PII will be used to commit fraud and other acts.
The proposed class of affected customers is “All individuals within the United States of America whose PII and/or financial information was exposed to unauthorized third parties as a result of the data breach experienced by Defendant on March 12, 2026.“
Telus Digital, reportedly the third-party vendor that suffered a breach, confirmed around March 12 that a security incident had taken place. Media outlet BleepingComputer also reported that hackers claimed in January to have successfully breached Telus. Telus said it is informing affected customers of this March 2026 breach; Crunchyroll, which has yet to confirm a breach, released a statement on March 23 saying it was aware of claims. It issued the relatively quiet second update on March 24:
“Our investigation is ongoing, and we continue to work with leading cybersecurity experts. At this time, we believe that the information is primarily limited to customer service ticket data following an incident with a third-party vendor. We have not identified evidence of ongoing access to systems in relation to these claims. We are continuing to monitor the situation closely.“
Crunchyroll’s statement is arguably vague. Short of confirming that the data alleged to have been stolen is real PII belonging to Crunchyroll customers, the statement appears to say that, if it is real, the data would largely be limited to customer service ticket data. Crunchyroll has not responded to queries about when it became aware of this alleged breach, if this is real PII, or what data outside of what was “primarily limited to customer service ticket data” may have been stolen. Again, Telus said around March 12 that it was informing affected customers.
It’s worth noting that the plaintiff’s allegations are largely unconfirmed. The lawsuit claims that Crunchyroll was aware of risks for months, while Crunchyroll only shared this week that it was aware of claims. It’s unclear where the allegation of “months” stems, but it may be from reports in January that Telus had been breached, which Telus did not confirm.
The plaintiff claims that Crunchyroll did not ensure that its data was well-protected and was therefore negligent, given that data breaches are increasing in frequency. The plaintiff adds that Crunchyroll has failed to provide clear and timely notification to customers and has unjustly enriched itself by concealing poor security systems.
By allegedly misleading customers about the security of their data, the plaintiff says it violated the FTC Act’s rules on unfair practices. They add that PII was not encrypted adequately. As Crunchyroll has yet to confirm what data was stolen and how, if at all, the lawsuit intends to establish various facts.
You can find the alleged data stolen here in this thread here and below:
Among many things, the lawsuit seeks to establish facts and secure damages, including actual damages and treble damages up to $25,000 per Class Member, injunctive relief, attorneys’ fees, and a court order forcing Crunchyroll to implement proper data security and training programs, as well as an order forcing it to reveal what data, if any, was stolen, and its associated risks.
This is the second class action lawsuit against Crunchyroll this month, after plaintiffs alleged that Crunchyroll’s app was sending customer viewing habits to Braze to build marketing profiles.
Source: Enfield v. Crunchyroll LLC (CourtListener)
Participate In Discussions