
Crunchyroll Supply Chain Breach: Telus Access Compromise Explained

ZyberWalls Research Team
Independent cybersecurity researchers covering zero-days, CVEs, breach analysis and threat intelligence. All facts verified from primary sources.

Aditya works customer support for a major anime streaming platform. His job is simple — resolve subscription issues, handle billing complaints, reset passwords for frustrated users. He sits at his desk in Telus International's office, opens his laptop, and starts his shift.

Somewhere during that shift, he clicks something he shouldn't. A phishing email, a fake software update, a malicious link — the exact trigger doesn't matter. Malware silently installs itself on his laptop. His login credentials are copied. His active session tokens are captured. And within minutes, someone sitting thousands of kilometres away has everything they need to log in as Aditya — with full access to Crunchyroll's internal support systems.

That is how 100 gigabytes of data belonging to millions of anime fans was stolen on March 12, 2026. Not through a sophisticated hack of Crunchyroll's servers. Through one support agent's laptop.

Crunchyroll / Telus Supply Chain Breach — Key Facts
  • Date: March 12, 2026 — access revoked approximately 24 hours later
  • Target: Crunchyroll — the world's largest anime streaming platform, owned by Sony
  • Entry point: Telus International — Crunchyroll's third-party customer support outsourcing partner
  • Method: Malware on a Telus support agent's laptop — credentials and session tokens stolen
  • Attacker: Linked to ShinyHunters — the group that also claimed a separate 700TB breach of Telus Digital
  • Data stolen: 100GB — email addresses, IP addresses, credit card details, customer analytics, support ticket data
  • Users affected: 6.8 million unique email addresses in the leaked dataset
  • Systems accessed: Crunchyroll's customer ticketing system and analytics infrastructure
  • Crunchyroll's response: Investigation ongoing — currently believes breach "primarily limited to customer service ticket data"
  • Disclosure to users: None made publicly as of March 24, 2026
  • Status: Attacker claims Crunchyroll has ignored all communications about the incident

The Real Story — Crunchyroll Wasn't Hacked. Their Support Vendor Was.

This is the part most headlines are missing. The attacker didn't find a vulnerability in Crunchyroll's code. They didn't break through a firewall or guess an administrator's password. They didn't touch Crunchyroll's systems directly at all — at least not at first.

They targeted Telus International — a company most Crunchyroll subscribers have never heard of. Telus International is a "business process outsourcing" provider, which is a corporate term for a company that handles customer support, content moderation, and other back-office work on behalf of larger brands. Crunchyroll uses Telus to run its customer support operations.

This is how large technology companies work in 2026. The person who answers your support ticket when your subscription stops working is probably not a Crunchyroll employee. They work for a vendor like Telus, sitting in an office somewhere, accessing Crunchyroll's systems using credentials Crunchyroll gave to Telus so their agents can do the job.

That access is real. It reaches real systems. It can see real customer data. And the security of that access depends not on Crunchyroll's own security team — but on whether a Telus employee's laptop is clean.

You can build the most secure castle in the world. But if you hand the keys to a contractor whose office has no locks, the castle doesn't matter.

How the Attack Actually Worked

The attacker's method follows a pattern we've covered before — and it's becoming the most reliable way to breach large organisations in 2026.

Step 1 — Infect the laptop

A Telus support agent executed malware on their workstation. The most likely delivery was a phishing email — a message designed to look legitimate that tricks the recipient into opening an attachment or clicking a link that installs malicious software in the background. The agent almost certainly had no idea anything happened. The malware was silent.

Step 2 — Steal the credentials and session

Once running on the laptop, the malware looked for two things. First, saved login credentials — usernames and passwords stored in the browser or in applications. Second, and more importantly, active session tokens.

Here's what a session token is and why it matters. When you log into a website and pass the password check, the website gives your browser a small piece of data called a session token, usually stored as a cookie — essentially a temporary digital pass that says "this person already proved who they are, let them through." Your browser presents this token automatically with every click. You don't even notice it happening.

If an attacker steals that token, they don't need your password. They don't need to bypass your multi-factor authentication. They just present the stolen token from their own device and the system sees what looks like a continuation of your legitimate session. You're still logged in on your laptop. They're also logged in, on theirs, using the same session.

This is exactly how they bypassed Okta's multi-factor authentication — the very security tool Telus was using to protect Crunchyroll's systems. MFA stops someone who steals your password. It doesn't help if the attacker steals your active session after you've already passed the MFA check.
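
The replay described above leaves a trace a defender can look for: one session token presented by two different clients at nearly the same time. The following is an added example, not part of the original article or any vendor's tooling; the log format, field names and 15-minute window are assumptions, and the sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not incident data): time, session id, source IP, user agent.
SAMPLE_LOG = """\
2026-03-12T09:00:05Z sess=a1f3 ip=203.0.113.10 ua="Chrome/122 Windows"
2026-03-12T09:04:41Z sess=a1f3 ip=203.0.113.10 ua="Chrome/122 Windows"
2026-03-12T09:06:02Z sess=a1f3 ip=198.51.100.77 ua="Firefox/115 Linux"
2026-03-12T09:07:30Z sess=a1f3 ip=203.0.113.10 ua="Chrome/122 Windows"
2026-03-12T09:10:00Z sess=b7c9 ip=203.0.113.25 ua="Chrome/122 Windows"
2026-03-12T13:30:00Z sess=b7c9 ip=192.0.2.44 ua="Chrome/122 Windows"
"""

# Hypothetical log line layout, assumed for this example only.
LINE = re.compile(r'^(\S+) sess=(\S+) ip=(\S+) ua="([^"]*)"$')

def parse(log):
    """Yield (time, session, client) tuples; a client is (ip, user agent)."""
    for line in log.splitlines():
        m = LINE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), (m.group(3), m.group(4))

def find_shared_sessions(log, window=timedelta(minutes=15)):
    """Return {session: sorted clients} for sessions where two different
    clients presented the same token within `window` of each other."""
    by_session = defaultdict(list)
    for ts, sess, client in parse(log):
        by_session[sess].append((ts, client))
    flagged = {}
    for sess, events in by_session.items():
        events.sort()
        last_seen = {}  # client -> most recent time it used this session
        for ts, client in events:
            for other, seen in last_seen.items():
                if other != client and ts - seen <= window:
                    flagged.setdefault(sess, set()).update({client, other})
            last_seen[client] = ts
    return {s: sorted(c) for s, c in flagged.items()}

if __name__ == "__main__":
    for sess, clients in find_shared_sessions(SAMPLE_LOG).items():
        print(sess, "used concurrently by", clients)
```

Session a1f3 is flagged because a second client appears while the first is still active; b7c9 is not, because its address change comes hours later from the same browser, which looks like an agent changing networks rather than a replayed token.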

Step 3 — Move through the connected systems

With an active authenticated session for a Telus support agent, the attacker had legitimate-looking access to everything that agent could reach — Crunchyroll's Zendesk ticketing system, internal Slack channels, and connected Google Workspace accounts.

Through the ticketing system, they had access to years of customer support interactions. Every ticket contains information users provided when they needed help — email addresses, subscription details, billing issues, in many cases partial or full payment information. Six million eight hundred thousand unique email addresses were in that system.

From the analytics infrastructure, they pulled 100 gigabytes of customer data — IP addresses, viewing habits, account details, and credit card information.

Step 4 — 24 hours, then gone

Crunchyroll detected the unusual activity and revoked access approximately 24 hours after the breach began. By then the attacker had already moved everything they needed. The access window was short. The damage was not.

Why This Matters Beyond Crunchyroll

This is not a story about an anime streaming service. It is a story about how modern organisations are structured — and why that structure creates security blind spots that attackers are now systematically exploiting.

Almost every large consumer platform uses third-party vendors for customer support. The vendor gets access. The vendor's employees get credentials. Those credentials reach real systems with real data. And the security standards of the vendor — the training, the laptop policies, the phishing awareness, the endpoint protection — are almost always lower than the standards of the company that hired them.

The attacker didn't need to beat Crunchyroll's security team. They needed to beat Telus's. These are not equivalent targets.

This connects directly to the Ghost AitM attack we covered earlier this month — where attackers bypassed MFA by stealing session tokens after authentication rather than trying to break the authentication itself. The technique is the same. The entry point is different — a support vendor's laptop instead of a phishing page — but the core method is identical:

The Ghost Attack: How Hackers Are Stealing Fintech Sessions After MFA Already Passed

And this is the second major Telus breach in 2026. Earlier this month, attackers claimed to have stolen nearly one petabyte of data from Telus Digital in a separate multi-month breach. The same vendor. The same pattern. A different client's data each time.

What Crunchyroll Users Should Do Right Now

Change your Crunchyroll password immediately. Even if your password wasn't directly stolen, your email address was in the dataset. Attackers will use it for targeted phishing. A fresh password reduces the risk.

If you used the same password elsewhere, change it there too. Email, banking, other streaming services. If your Crunchyroll password is unique, you're fine. If it's shared with anything else, change every instance of it now.

Watch your bank statements. Credit card details were reportedly in the stolen data. Flag any unauthorised transaction immediately. Consider requesting a new card number from your bank if you used a card directly with Crunchyroll.

Be suspicious of any Crunchyroll-branded email you receive. Attackers now have email addresses and know you're a Crunchyroll subscriber. Expect phishing emails designed to look like official communications — "Your account has been compromised, click here to secure it." Crunchyroll will not ask you to click a link in an email to reset your password. Go directly to the website.

Note that Crunchyroll does not currently offer two-factor authentication. This is worth remembering when choosing whether to store payment details on the platform going forward.

The ZyberWalls Perspective

Crunchyroll is a Sony company. Sony has the resources, the security team, and the institutional knowledge to build genuinely strong defences. None of that helped on March 12, because the attacker never tried to get through those defences.

They went around them. Through a vendor. Through a support agent. Through a laptop that had nothing like the security controls protecting Crunchyroll's own infrastructure.

The hard truth about supply chain attacks is that you are only as secure as the least secure company that has access to your systems. That company is almost never you. It's the outsourcing partner hired three years ago, operating under a contract that specifies service levels and response times — but says nothing about phishing training or endpoint detection software.

Crunchyroll's silence since March 12 is its own problem. The threat actor claims all attempts to contact Crunchyroll have been ignored, and no formal disclosure has been made to affected users. Millions of subscribers whose email addresses and payment details may have been stolen have not been told. In most jurisdictions with data protection laws, that silence has a legal name. It is not a good one.

Change your password. Watch your statements. And the next time a company you subscribe to asks for your payment details — consider whether you trust not just them, but everyone they've ever handed access to.

Stay Alert. Stay Human. Stay Safe.
— ZyberWalls Research Team