A threat actor claims to have stolen approximately 6.8 million Crunchyroll user records, potentially including payment card data, via a suspected third-party vendor compromise; the breach vector and data scope remain unconfirmed pending Crunchyroll’s official investigation. No CVE has been assigned and no confirmed IOCs are publicly available. Organizations should monitor authentication systems for credential stuffing using Crunchyroll-associated email addresses, audit any vendor integrations or shared infrastructure with the platform, and revisit third-party access controls mapped to NIST SP 800-53 SA-9 while awaiting official forensic disclosure.