When Third Party Support Becomes Your Weakest Point: April 2026 Security Breach

Bulut Caner — Thu, 16 Apr 2026 12:56:14 +0000

On March 12 2026 threat actors got into Crunchyrolls support system by putting malware on a Telus International support agents computer. Stole their login details. With one login they could get into many internal systems like Zendesk, Gmail, Slack and Jira.
The attackers main goal was Crunchyrolls support system, Zendesk. This software helps manage customer requests in one place. Within 24 hours they downloaded 8 million support tickets. These tickets contained information such as customer names, emails, IP addresses and locations.

The attackers demanded $5 million. When Crunchyroll didn’t pay they leaked the data on April 4. Companies that do work for others like BPOs are major targets. If one employees computer gets compromised the bad actors can get into companies at once. Crunchyroll’s systems lacked basic defenses such as no API rate limiting, no anomaly detection but also no real-time monitoring. What would save or somewhat made this breach less worse, would be blocking bulk downloads, flag unusual access patterns, hardware multi factor authentication as well as network segmentation. This is not new either. Discord, Marks & Spencer, Co-op, and others have been hit the same way. Therefore until companies audit BPO permissions and implement zero-trust controls, expect more breaches.

There was probably no reason for a support agent to have full access to Jira, Slack, Gmail and Zendesk at the same time. This suggests that the company failed to control who had access to what giving agents access than they needed for their job. Beyond password theft the hackers likely used malware to steal session cookies. These cookies let attackers pretend to be logged in bypassing -factor authentication. The damage goes beyond the initial $5 million ransom demand. With eight million tickets leaked the risk now is that attackers will use this information to send emails to trick users into giving away credit card details or login credentials. For the company that was breached the fallout is huge showing a failure in endpoint security that allowed malware to persist undetected.

To prevent these kinds of attacks companies need to change how they think about security. They need to move from trusting vendors and toward a Zero Trust system. This starts with giving access to the specific application needed for a task. If an agent is working in Zendesk they should not be able to see the Jira login page. Companies should also require hardware-based -factor authentication, like physical security keys. These devices are much harder to hack than SMS or app-based codes. Data loss prevention must also be reinforced with API rate limiting and behavioral monitoring. The fact that millions of tickets were downloaded within a single day points to a lack of checks in the system. Security protocols should limit the number of records a single user can pull in a timeframe.
For sensitive roles companies can eliminate the risk of local device compromise by using Virtual Desktop Infrastructure (VDI) or managed enterprise browsers. In a VDI environment the agent logs into a machine managed by the parent company ensuring that no data lives on the agent’s hardware.
Finally security must be treated as an contractual obligation, not just a technical one. Organizations must implement third-party audits and “right-to-audit” clauses that allow for unannounced security scans of a vendor’s endpoint hygiene. Service Level Agreements should include financial penalties if a breach results from a vendor’s failure to maintain basic defenses. By treating BPO employees as high-risk users and wrapping their access, in these layers of friction companies can prioritize data safety.

Why a High School Student is Covering Defensive Cybersecurity

Bulut Caner — Thu, 16 Apr 2026 12:47:19 +0000

I’m 16. I recently started discovering cybersecurity purely out of curiosity. To see what it’s like, protecting yourself and others from cybercriminals before it becomes a bigger problem within society. As I delved deeper into this field the more I saw that I needed to learn more, to fully comprehend how computers communicate, before understanding how they’re exploited.

About me: In two years I would like to study cybersecurity & cybercrime at a university. This newsletter will be me documenting multiple aspects of cybersecurity to document how breaches happen globally and what we can learn from them. Many angles will be discovered such as defensive security analysis, the attack prevention measures of organizations, what went wrong and how it could possibly have been prevented. I am currently the Head of Technics of our MUN organization, where I built and deployed a website from scratch. Within the process I learned web design, web development and DNS configuration of our custom domain.

Defense Stack, The Security Analysis Newsletter by a highschool student: The first posts will break down recent cybersecurity breaches, what happened, how attackers got in, as well as what defensive measures could help stopping it. If you’re curious about cybersecurity, learning alongside me, or just want to understand what’s happening in the digital threat landscape, you may want to join me. This will be a long journey and I am going to extract as much information as I can.

— First Publication of Defense Stack >_

DEV Community: Bulut Caner

When Third Party Support Becomes Your Weakest Point: April 2026 Security Breach

Why a High School Student is Covering Defensive Cybersecurity