Streaming platform Hulu was caught up in a wave of attacks targeting Salesforce, a widely used customer relationship management service, in 2025. A threat actor calling itself "Scattered LAPSUS$ Hunters" claimed responsibility for exfiltrating data through this third-party platform and released a sample of the stolen records on October 3, 2025, announcing a full release of the dataset for October 10. The breach affected approximately 94.2 million customer records. The exposed data includes full names and email addresses, along with internal marketing and account metadata such as brand association, consent flags, and system timestamps. While the dataset does not include passwords or financial information, the combination of names and emails is enough to enable targeted phishing campaigns, account takeover attempts, and impersonation fraud. The breach pathway through a third-party vendor means Hulu customers may have been exposed without any direct compromise of Hulu's own systems. No regulatory action or formal breach notification process has been publicly confirmed as of the time of reporting. Affected individuals should be alert to unsolicited emails claiming to be from Hulu or Disney, treat any requests to verify account details or reset credentials with caution, and monitor their inboxes for phishing attempts that reference their streaming subscription.

Streaming services collect user identity, subscription records, payment-adjacent data, device identifiers, viewing behavior, and household-linked account activity across entertainment platforms.

Hulu’s recent trajectory has been defined by deeper integration into Disney’s broader streaming strategy. Disney announced in October 2025 that Hulu would become the global general entertainment brand on Disney+ internationally, replacing Star, and Hulu’s current 2026 release slate continues to be marketed through both Hulu and Hulu on Disney+ in the U.S. �