DEV Community

Bulut Caner

When Third Party Support Becomes Your Weakest Point: April 2026 Security Breach

On March 12, 2026, threat actors got into Crunchyroll's support system by putting malware on a Telus International support agent's computer and stealing the agent's login details. With that one login they could reach several internal systems, including Zendesk, Gmail, Slack and Jira.
The attackers' main target was Crunchyroll's support system, Zendesk, the software that manages customer requests in one place. Within 24 hours they downloaded 8 million support tickets containing customer names, email addresses, IP addresses and locations.

The attackers demanded $5 million. When Crunchyroll did not pay, they leaked the data on April 4. Companies that do work for others, such as BPOs, are major targets: if one employee's computer is compromised, the attackers can get into every client that employee serves at once. Crunchyroll's systems lacked basic defenses: no API rate limiting, no anomaly detection and no real-time monitoring. Blocking bulk downloads, flagging unusual access patterns, hardware multi-factor authentication and network segmentation would have prevented this breach or at least limited its impact. This is not new either. Discord, Marks & Spencer, Co-op and others have been hit the same way. Until companies audit BPO permissions and implement zero-trust controls, expect more breaches.

There was probably no reason for a support agent to have full access to Jira, Slack, Gmail and Zendesk at the same time. This suggests the company failed to control who had access to what, giving agents more access than their job required. Beyond password theft, the hackers likely used malware to steal session cookies. A stolen cookie lets an attacker reuse an already-authenticated session, bypassing multi-factor authentication, because the MFA check happens at login and is not repeated on every request. The damage goes beyond the initial $5 million ransom demand. With eight million tickets leaked, the risk now is that attackers will use this information in phishing emails that trick users into giving away credit card details or login credentials. For the breached company the fallout is huge, and it points to a failure in endpoint security that allowed malware to persist undetected.

To prevent these kinds of attacks, companies need to change how they think about security, moving from trusting vendors toward a Zero Trust model. This starts with granting access only to the specific application a task needs: an agent working in Zendesk should not even be able to reach the Jira login page. Companies should also require hardware-based multi-factor authentication, such as physical security keys, which are far harder to phish than SMS or app-based codes. Data loss prevention must be reinforced with API rate limiting and behavioral monitoring. The fact that millions of tickets were downloaded within a single day points to a lack of checks in the system; security controls should cap the number of records a single user can pull in a given time window and flag any attempt to exceed that cap.
For sensitive roles, companies can reduce the risk of local device compromise by using Virtual Desktop Infrastructure (VDI) or managed enterprise browsers. In a VDI environment the agent logs into a machine managed by the parent company, so no data lives on the agent's hardware. This does not make the endpoint irrelevant, though: malware on the agent's machine can still capture keystrokes and screen contents from the VDI session, so the endpoint itself still has to be hardened and monitored.
Finally, security must be treated as a contractual obligation, not just a technical one. Organizations should implement third-party audits and "right-to-audit" clauses that allow unannounced security scans of a vendor's endpoint hygiene. Service Level Agreements should include financial penalties if a breach results from a vendor's failure to maintain basic defenses. By treating BPO employees as high-risk users and wrapping their access in these layers of friction, companies can put data safety first.
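As an added example (not code from the original post, and not anything Crunchyroll, Telus International or Zendesk actually run), the following Python shows two of the controls this post calls for: a sliding-window cap on the number of records one user may pull per hour, enforced before the request is served, and a detection rule that flags an established session suddenly presented from a different IP address, which is how a replayed stolen cookie tends to look in the logs. The log format, the agent and session names, the IP addresses and the 500-records-per-hour threshold are all assumptions constructed for the example.

```python
"""Per-user record budget and session-anomaly detection over a support-desk access log.

Added example with a hypothetical log format; the sample lines below are constructed,
not real Zendesk or Crunchyroll data.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical line format (an assumption for this example):
# <ISO-8601 UTC timestamp> user=<agent> session=<id> ip=<addr> action=<name> count=<records>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) session=(?P<session>\S+) "
    r"ip=(?P<ip>\S+) action=(?P<action>\S+) count=(?P<count>\d+)$"
)

# Constructed sample: an agent browses normally, then the same session appears from a new IP
# and starts exporting tickets in bulk.
SAMPLE_LOG = """\
2026-03-12T09:00:00Z user=agent17 session=s1 ip=203.0.113.10 action=ticket.read count=1
2026-03-12T09:05:00Z user=agent17 session=s1 ip=203.0.113.10 action=ticket.read count=1
2026-03-12T09:20:00Z user=agent17 session=s1 ip=198.51.100.7 action=ticket.read count=1
2026-03-12T09:21:00Z user=agent17 session=s1 ip=198.51.100.7 action=ticket.export count=400
2026-03-12T09:22:00Z user=agent17 session=s1 ip=198.51.100.7 action=ticket.export count=400
2026-03-12T10:30:00Z user=agent42 session=s2 ip=192.0.2.5 action=ticket.read count=1
"""


def parse_line(line):
    """Parse one log line into a dict; timestamp becomes a timezone-aware datetime."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    ev["count"] = int(ev["count"])
    return ev


class RecordBudget:
    """Sliding-window cap: at most `max_records` records per user within `window`."""

    def __init__(self, max_records, window):
        self.max_records = max_records
        self.window = window
        self._events = defaultdict(deque)  # user -> deque of (timestamp, record count)

    def used(self, user, now):
        """Records pulled by `user` inside the window ending at `now` (expired entries dropped)."""
        q = self._events[user]
        while q and now - q[0][0] >= self.window:
            q.popleft()
        return sum(count for _, count in q)

    def allow(self, user, now, count):
        """Record the pull and return True if it fits the budget; return False (block) otherwise."""
        if self.used(user, now) + count > self.max_records:
            return False
        self._events[user].append((now, count))
        return True


def analyze(log_text, max_records=500, window=timedelta(hours=1)):
    """Replay the log through the budget and the session check.

    Returns {"blocked": [(user, iso timestamp, count)], "alerts": [tuples]} where alert kinds are
    "session_ip_change" (user, session, new ip) and "bulk_pull_blocked" (user, count, already used).
    """
    budget = RecordBudget(max_records, window)
    session_ips = defaultdict(set)  # session id -> IPs it has been seen from
    blocked, alerts = [], []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        # Detection: a session that already exists is now arriving from an IP it never used.
        # MFA was satisfied at login, so only this kind of post-login signal catches a replayed cookie.
        ips = session_ips[ev["session"]]
        if ips and ev["ip"] not in ips:
            alerts.append(("session_ip_change", ev["user"], ev["session"], ev["ip"]))
        ips.add(ev["ip"])
        # Control: the record budget is checked before the request would be served.
        if not budget.allow(ev["user"], ev["ts"], ev["count"]):
            blocked.append((ev["user"], ev["ts"].isoformat(), ev["count"]))
            alerts.append(("bulk_pull_blocked", ev["user"], ev["count"],
                           budget.used(ev["user"], ev["ts"])))
    return {"blocked": blocked, "alerts": alerts}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for alert in result["alerts"]:
        print("ALERT", alert)
    for item in result["blocked"]:
        print("BLOCKED", item)
```

With the constructed sample, the first export of 400 tickets is allowed because the agent had only read 3 records in the preceding hour, but the second export is refused because it would push the hourly total past 500, and the IP change at 09:20 is raised as its own alert before any export happens. In a real deployment the budget check belongs in the API gateway or the export endpoint itself rather than in an after-the-fact log replay, the threshold should be derived from what the role's normal workload actually looks like, and the IP-change rule will need tuning for agents on mobile networks or VPN pools, so it is best paired with device-posture or session-binding signals rather than used on its own.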
