When Crunchyroll finally acknowledged its breach on March 23, 2026, the company attributed the incident to a third-party vendor and described the scope as primarily limited to customer service ticket data. That statement is technically accurate and substantively misleading. It identifies the symptom — a compromised BPO partner — without acknowledging that the root cause predates Crunchyroll's own breach by a full year, passed through five separate organizations, and was documented, named, and covered extensively in public security advisories that Crunchyroll apparently never acted on.
Eleven days elapsed between the breach date and the company's first public acknowledgment. For context, GDPR requires a controller to notify its supervisory authority within 72 hours of becoming aware of a personal data breach. The 11-day silence isn't a procedural footnote; it is likely the detail that will draw regulatory attention first, and it happened while a threat actor group was actively dumping data from dozens of other victims and running simultaneous extortion campaigns against universities, financial firms, a restaurant chain, and a student information system used by 11 million students.
To understand what actually happened to Crunchyroll's subscribers, you have to start where nobody in the mainstream coverage started: a GitHub account compromise in March 2025.
The Attack Chain: Five Organizations, Twelve Months
The credential chain that eventually reached Crunchyroll's Zendesk environment is not metaphorical. Each link is documented, each transition sourced. Mandiant investigated the origin. Google Threat Intelligence Group published the Salesforce exfiltration details. BleepingComputer spoke directly to ShinyHunters about the Telus intrusion. The threat actor who breached Crunchyroll specifically contacted BleepingComputer and International Cyber Digest. Every step below has primary source attribution.
Denis Calderone, CTO of Suzu Labs, captured the upstream origin when the Telus breach was confirmed: "The Salesloft breach really is the gift that keeps on giving." The credentials used to reach Telus Digital, he noted, traced directly back to the Salesloft compromise that began in early 2025.
That is the attack chain in plain language: a chatbot company's GitHub account, compromised by unknown means in March 2025, set off a credential cascade that reached a Sony-owned anime platform's customer database twelve months later. Crunchyroll's subscribers were not the target. They were the downstream residue of a supply chain that nobody secured at any of its upstream links.
Link One: The Salesloft GitHub Compromise
Salesloft acquired Drift, a conversational marketing and AI chat platform, in February 2024. By March 2025, an unidentified threat actor — tracked by Mandiant as UNC6395 — had obtained unauthorized access to Salesloft's GitHub account and maintained that access through June 2025. Three months of undetected presence in a software development environment.
Salesloft has never publicly disclosed how the initial GitHub access was obtained. Mandiant's investigation confirmed the compromise and its timeline but the root cause statement — the one that would tell the security community exactly which failure enabled this — has never been published. That absence is worth noting. Every downstream organization affected by this chain made security decisions without knowing the actual entry point.
During those three months, the attackers conducted reconnaissance across Salesloft and Drift application environments, downloaded repository content, added guest users, and established workflows that would facilitate the August 2025 exfiltration campaign. This is not opportunistic compromise. This is a deliberately staged operation — understanding the target environment thoroughly before executing.
The August campaign itself ran from August 8 through August 18, 2025. Using OAuth tokens stolen from Drift's AWS environment, UNC6395 authenticated as the trusted Drift application into customer environments and executed systematic SOQL queries against Salesforce data. The specific query syntax Google Threat Intelligence Group published reveals exactly how methodical this was: COUNT queries first, to assess data volumes before committing to full extraction. Then structured pulls of Users, Cases, Accounts, and Opportunities. The attacker demonstrated operational security awareness by deleting query jobs afterward — but logs were preserved, which is why Mandiant could reconstruct the activity.
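The COUNT-then-pull-then-delete sequence is detectable from API logs alone, and those logs are exactly what survived. What follows is an added example, not code from the page or from Mandiant or GTIG: a small Python detector over a constructed, simplified event feed (one record per API call through a connected app; the field names are invented for this example and are not Salesforce's EventLogFile columns). It flags a principal that sizes several objects with COUNT(), then bulk-reads two or more of the sensitive ones it sized within an hour, and escalates if that principal also deletes the finished jobs. The window, row threshold and object list are assumptions to tune for your org.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified event feed: one dict per API call made through a
# connected app. The field names are invented for this example; they are not
# Salesforce's EventLogFile column names.
SAMPLE_EVENTS = [
    {"ts": "2025-08-09T03:10:01Z", "app": "drift-connector", "kind": "query",
     "soql": "SELECT COUNT() FROM Account", "rows": 1},
    {"ts": "2025-08-09T03:10:04Z", "app": "drift-connector", "kind": "query",
     "soql": "SELECT COUNT() FROM Case", "rows": 1},
    {"ts": "2025-08-09T03:10:06Z", "app": "drift-connector", "kind": "query",
     "soql": "SELECT COUNT() FROM Opportunity", "rows": 1},
    {"ts": "2025-08-09T03:10:09Z", "app": "drift-connector", "kind": "query",
     "soql": "SELECT COUNT() FROM User", "rows": 1},
    {"ts": "2025-08-09T03:12:30Z", "app": "drift-connector", "kind": "bulk_job",
     "soql": "SELECT Id, Name, Email, Username FROM User", "rows": 4120, "job": "750A"},
    {"ts": "2025-08-09T03:18:45Z", "app": "drift-connector", "kind": "bulk_job",
     "soql": "SELECT Id, Subject, Description FROM Case", "rows": 188902, "job": "750B"},
    {"ts": "2025-08-09T03:25:02Z", "app": "drift-connector", "kind": "bulk_job",
     "soql": "SELECT Id, Name, Website FROM Account", "rows": 52311, "job": "750C"},
    {"ts": "2025-08-09T03:31:00Z", "app": "drift-connector", "kind": "job_delete", "job": "750A"},
    {"ts": "2025-08-09T03:31:01Z", "app": "drift-connector", "kind": "job_delete", "job": "750B"},
    {"ts": "2025-08-09T03:31:02Z", "app": "drift-connector", "kind": "job_delete", "job": "750C"},
    # Benign control: a nightly sync that bulk-reads one object, with no
    # preceding COUNT and no job cleanup.
    {"ts": "2025-08-09T02:00:00Z", "app": "bi-sync", "kind": "bulk_job",
     "soql": "SELECT Id, Amount FROM Opportunity", "rows": 30000, "job": "750X"},
]

# The objects the campaign pulled, per the GTIG description summarised above.
SENSITIVE_OBJECTS = {"User", "Case", "Account", "Opportunity"}
COUNT_RE = re.compile(r"^\s*SELECT\s+COUNT\(\)\s+FROM\s+(\w+)", re.I)
FROM_RE = re.compile(r"\bFROM\s+(\w+)", re.I)


def _parse_ts(ts):
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def _target_object(soql):
    m = FROM_RE.search(soql)
    return m.group(1) if m else None


def analyze(events, window=timedelta(hours=1), min_rows=1000):
    """Return {app: finding}. A finding records which objects the app sized with
    COUNT(), which sensitive objects it then bulk-read (and whether a COUNT on
    that object preceded the read inside `window`), and how many of those bulk
    jobs it later deleted."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_app[e["app"]].append(e)

    findings = {}
    for app, evs in by_app.items():
        counted, pulled, pulled_jobs, deleted = {}, {}, set(), 0
        for e in evs:
            t = _parse_ts(e["ts"])
            if e["kind"] == "query":
                m = COUNT_RE.match(e["soql"])
                if m:
                    counted[m.group(1)] = t
            elif e["kind"] == "bulk_job":
                obj = _target_object(e["soql"])
                if obj in SENSITIVE_OBJECTS and e["rows"] >= min_rows:
                    preceded = obj in counted and timedelta(0) <= t - counted[obj] <= window
                    pulled[obj] = {"rows": e["rows"], "recon": preceded}
                    pulled_jobs.add(e["job"])
            elif e["kind"] == "job_delete" and e["job"] in pulled_jobs:
                deleted += 1

        recon_pulls = [o for o, v in pulled.items() if v["recon"]]
        if len(recon_pulls) >= 2:
            verdict = "HIGH" if deleted else "MEDIUM"   # sized, then pulled; cleanup escalates
        elif len(pulled) >= 2:
            verdict = "LOW"                               # bulk reads without the sizing step
        else:
            verdict = "NONE"
        findings[app] = {
            "verdict": verdict,
            "counted": sorted(counted),
            "pulled": {o: v["rows"] for o, v in pulled.items()},
            "deleted_jobs": deleted,
        }
    return findings


if __name__ == "__main__":
    for app, f in analyze(SAMPLE_EVENTS).items():
        print(app, f)
```

The job-deletion step is scored as an escalation rather than a trigger on its own, because cleanup of finished bulk jobs is also routine hygiene in some integrations; it is the sizing step followed by broad pulls of Users and Cases that has no ordinary business shape.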
The primary objective was not the Salesforce data itself. The primary objective was the credentials embedded in that data. AWS access keys with AKIA identifiers. Snowflake tokens. VPN credentials. Passwords stored in support tickets. Cloudflare confirmed that 104 API tokens were discovered and rotated from its own environment. Palo Alto Networks, Zscaler, Proofpoint, Qualys, Tenable, CyberArk, BeyondTrust, Workday, and 17 other named organizations confirmed their Salesforce data was accessed.
The Salesloft/Drift breach affected an estimated 700+ organizations according to Google Threat Intelligence Group. The Drift platform provided integrations with 58 third-party tools — Salesforce, Google Workspace, Slack, Amazon S3, Microsoft Azure, OpenAI, and others. Google's August 28 update confirmed that any platform integrated with Drift should be treated as potentially compromised, not just Salesforce. This means the true blast radius of the Salesloft origin point extended to dozens of enterprise platforms simultaneously.
Salesloft took Drift offline entirely in September 2025. FINRA issued a formal cybersecurity alert to all member firms. Unit 42 at Palo Alto Networks published a threat brief. Google and Mandiant published advisory after advisory. The security community treated this as a significant supply chain event. The credential exposure it created, however, did not end when the tokens were revoked. Some of those credentials — specifically, GCP credentials belonging to Telus Digital — were already in ShinyHunters' possession.
Link Two: Telus Digital and the Trufflehog Pivot
ShinyHunters told BleepingComputer exactly how they got into Telus Digital: they found the company's Google Cloud Platform credentials inside the Salesloft/Drift stolen Salesforce data. Those credentials were likely included in a support ticket or internal configuration shared through Salesforce — the kind of sensitive material that routinely ends up in CRM case notes because nobody thinks to treat a support ticket as a potential credential exposure surface.
The GCP credentials gave ShinyHunters access to Telus Digital's cloud environment, including a large BigQuery instance. After downloading that data, they ran Trufflehog — the same open-source secret-scanning tool used by security professionals to find exposed credentials — against the downloaded dataset to identify additional authentication materials. Trufflehog supports over 800 credential types and, critically, verifies discovered credentials by testing them against live APIs. An attacker running Trufflehog against a downloaded BigQuery dataset gets a sorted, verified list of every still-active credential embedded in that data. From there, each valid credential becomes a key to another system. The same property cuts the other way: every verification probe is a live API call against the credential's issuer, and it lands in that issuer's logs.
This is what the Qualys blog called "credential discovery preceding exploitation, and authentication preceding impact." The technique is not sophisticated in the sense of requiring custom malware or zero-day exploits. It is sophisticated in the sense of being patient, methodical, and automated. ShinyHunters did not hack Telus Digital. They authenticated into Telus Digital using credentials that Telus Digital had inadvertently placed in data that another company (Salesloft) had inadvertently exposed.
The multi-month dwell time — BleepingComputer first heard about the Telus breach in January 2026, but the GCP credential origin traces back to the August 2025 Salesloft exfiltration — allowed for a staggering scale of extraction. ShinyHunters claims nearly one petabyte of data. Reuters confirmed samples shared by the group include data spanning at least two dozen companies including personally identifiable information, call center recordings, FBI background check information, and source code across multiple Telus business divisions. The 28 company names that ShinyHunters shared with BleepingComputer were withheld pending independent verification. Crunchyroll is the first to be publicly identified.
"This is not smash-and-grab ransomware. It is strategic, disciplined, and optimized for maximum leverage." The hallmarks of this breach — multi-month dwell time, massive data volumes, and delayed detection — suggest the abuse of legitimate access rather than overt technical exploitation. Attackers no longer need to break in if they can blend in. — Fritz Jean-Louis, Principal Cybersecurity Advisor, Info-Tech Research Group
Telus Digital is a BPO company. That classification matters enormously for understanding why this breach scaled the way it did. BPO providers handle customer support, content moderation, AI training data, fraud detection, and call center operations for multiple clients simultaneously. Because of this, they require privileged access to authentication workflows, billing systems, CRM platforms, and ticketing infrastructure across every client relationship they maintain. A single compromise at a BPO cascades to every downstream organization — not through hacking each one individually, but because the BPO already has legitimate access to all of them.
The BPO industry is worth over $280 billion globally. The security model underlying most BPO relationships — where individual client organizations have no direct visibility into the BPO's security posture, no contractual right to audit in real time, and no technical control over how their data is stored and accessed — creates massive concentrations of multi-client data in environments that are architecturally designed to be broadly accessible. This is not a Telus Digital-specific problem. It is a structural property of outsourced operations at scale.
ShinyHunters: Not a New Threat, Not a Random One
Coverage of the Crunchyroll breach treated ShinyHunters as background context. The group deserves substantially more attention, because understanding their operational history makes the timing and targeting of the Telus breach far less surprising than the coverage suggested.
ShinyHunters emerged in 2020 — the name taken from the Pokémon practice of seeking rare "shiny" specimens — and within their first two weeks of public activity had offered over 200 million stolen user records for sale on dark web marketplaces. Their initial wave hit Tokopedia (91 million records), Unacademy (11 million), Wattpad (270 million), Microsoft's GitHub repositories, and dozens of smaller targets. By mid-2020 they had leaked databases from 25 companies containing over 386 million user records, offered free of charge.
In 2024, the group executed what became one of the most significant breaches in recorded history: the Snowflake customer database intrusions, hitting Ticketmaster (560 million records, 1.3 TB of data), Santander Bank (30 million customer records), and at least 165 other Snowflake customers. The hackers attributed their entry to credentials compromised at a third-party contractor, EPAM Systems, a Snowflake elite partner; EPAM denied it, and Mandiant's investigation attributed the access to infostealer-harvested customer credentials on accounts that lacked MFA. Either way, the structural pattern is the same one that played out with Salesloft and Telus: credentials compromised through one means, used to reach multiple downstream organizations through a trusted platform relationship.
In August 2025, ShinyHunters formalized a coalition with Scattered Spider and Lapsus$ under the "Scattered LAPSUS$ Hunters" brand, announced via Telegram. The channel ran for four days before Telegram banned it, but in those four days they claimed breaches of Gucci, Chanel, Victoria's Secret, Subaru, Coca-Cola Europacific Partners, and Neiman Marcus, and announced a ransomware-as-a-service platform they claimed would target VMware ESXi hypervisors at the kernel level. They described their strategy explicitly, promising to "go quiet for a while, then return with another long campaign" they called Snowflake 3.0, predicting it would be significantly worse.
That statement was made in August 2025. Telus Digital was confirmed breached in March 2026. The pattern they described — operate, go quiet, return at scale — is exactly what the January-March 2026 campaign represents.
Between January and March 25, 2026 (the date of this analysis), ShinyHunters confirmed or claimed breaches resulting in over 50 million records leaked from more than 15 named organizations. They were operating at industrial volume, publicly, using a playbook documented in detail by Mandiant, CISA, the FBI, and GTIG. The Crunchyroll breach occurred in the middle of this campaign, not before it.
Mandiant's M-Trends 2026 report, published March 23, 2026 — two days before this writing — confirms the scale of the shift. Voice phishing surged to become the second most common initial infection vector in 2025, at 11% of intrusions, up from statistical insignificance in prior years. The median time between an initial access event and handoff to a secondary threat group collapsed from over eight hours in 2022 to 22 seconds in 2025. The infrastructure is pre-staged. The moment access is confirmed, everything is already in place to execute.
Link Three: How Crunchyroll's Users Were Exposed
The specific mechanics of the Crunchyroll breach differ from the ShinyHunters campaign in one important way: the attacker who hit Crunchyroll used phishing and malware rather than voice phishing and OAuth abuse. A Telus Digital employee in India executed malware from a spoofed phishing email. The infostealer captured the employee's Okta SSO credentials. Those credentials provided access to Crunchyroll's support systems — specifically Zendesk — along with Wizer, MaestroQA, Mixpanel, Google Workspace Mail, Jira Service Management, and Slack.
BleepingComputer confirmed via ticket samples that the support tickets all reference Telus, which corroborates the threat actor's claim that they compromised a BPO employee rather than Crunchyroll's own infrastructure directly. The attacker downloaded approximately 8 million support ticket records over 24 hours before their access was revoked. Of those records, 6.8 million contain unique email addresses along with names, login usernames, IP addresses, and geographic locations. Credit card information appeared only where customers had manually included it in support messages — in a small number of cases, full card numbers were present; in most cases only the last four digits or expiration dates.
The relationship between this attacker and ShinyHunters' Telus operation is unclear. The Crunchyroll intruder contacted International Cyber Digest independently, described a phishing-based entry, and claimed 100 GB over 24 hours. ShinyHunters gained access to Telus through GCP credentials from Salesloft and operated undetected for months. They are different operational signatures. This could be a separate opportunistic actor who reached the same compromised Telus environment through a different pathway. It could also be one component of the ShinyHunters operation, with the separate disclosure serving as leverage after Crunchyroll ignored contact attempts.
The $5 million extortion demand that went unanswered is relevant here. ShinyHunters' documented methodology after a refused ransom demand is public data release or dark web sale. The Crunchyroll data — 6.8 million email addresses, names, IP addresses, geographic locations, support ticket contents — represents a high-value dataset for credential stuffing, targeted phishing, and social engineering campaigns against the subscriber base of one of the world's largest anime streaming platforms.
GDPR requires notification to a supervisory authority within 72 hours of becoming aware of a personal data breach. Crunchyroll serves users in EU member states. The breach occurred on March 12. The company confirmed it to journalists on March 23, eleven days later. California's breach notification statute (Civil Code §1798.82, distinct from the CCPA) requires notification of affected residents "in the most expedient time possible and without unreasonable delay." The company had no notification page, no direct user communication, and no guidance for subscribers for over a week after internal containment. This notification timeline is the legal exposure point, regardless of the data scope. Crunchyroll is already facing a class-action lawsuit filed in early 2026 alleging unauthorized sharing of user viewing data with third-party marketing platforms. A second action involving 6.8 million records and an 11-day delay significantly compounds that posture.
Trufflehog: The Defensive Tool That Became a Pivot Mechanism
One technical dimension of this breach chain deserves dedicated attention because it represents a pattern appearing across multiple concurrent campaigns and has implications beyond this specific incident.
Trufflehog is a legitimate, widely used open-source secret scanning tool developed by Truffle Security. With 24,500 GitHub stars and over 250,000 daily scans, it is a standard component of DevSecOps workflows. Its key capability, what distinguishes it from simpler pattern-matching tools, is live credential verification: when Trufflehog finds an AWS access key, it calls the STS GetCallerIdentity API to confirm the key is still active before flagging it. It supports over 800 credential types. It leaves a detectable "TruffleHog" user-agent string in cloud provider logs.
When ShinyHunters ran Trufflehog against the downloaded Telus Digital BigQuery data, they were not exploiting a vulnerability in the tool. They were using a defensive utility offensively — as a credential sorter, separating active keys from revoked ones and providing a prioritized list of immediately exploitable credentials. The same tool that security teams run to find their own exposed credentials was used to find Telus Digital's.
This is not an isolated case. The Shai-Hulud npm worm, which compromised over 500 npm packages in September 2025 and had a second wave in November 2025, deployed Trufflehog as a core component of its credential harvesting payload. The worm's bundle.js payload specifically downloaded and executed Trufflehog to scan developer machines for GitHub tokens, npm tokens, and AWS credentials, storing results in truffleSecrets.json before exfiltrating to attacker infrastructure. The Crimson Collective threat group used Trufflehog to harvest AWS credentials from Red Hat's GitLab repositories, resulting in the theft of approximately 570 GB of data from 28,000 repositories.
Truffle Security's own blog acknowledged this directly in September 2025, noting that supply chain attacks were "following the same playbook: breach, find secrets, pivot deeper." Their observation across multiple incidents was that threat actors had turned to publicly available tools — including TruffleHog — to uncover credentials. Their recommendation: defenders should run Trufflehog against their own environments before attackers do.
For organizations that use BPO providers, this creates a specific audit imperative. If your data — including support tickets, CRM records, API configurations, or any other structured data — passes through a third-party service, you should assume that service's data can be scanned by credential-harvesting tools. Support tickets in particular are credential goldmines. Users routinely paste configuration details, API keys, partial credentials, and billing information into support messages. Zendesk, ServiceNow, and similar platforms accumulate years of this material, indexed and searchable. An attacker with SSO access to a support platform doesn't need to breach a database. They just run a search.
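One concrete form of that audit, covering both the point from Link One (AWS keys and passwords sitting in CRM records) and the Trufflehog sort from Link Two: scan your own ticket export for embedded credentials and order what you find by whether it still works. This is an added Python example, not the page's code and not Truffle Security's. The ticket rows are constructed; the credentials in them are fabricated (the AWS key is AWS's own documentation example, the rest only follow the public token formats); and the verifier is an offline stand-in whose live/dead answers are a fixture. In production the verifier is where you call the issuer (sts:GetCallerIdentity for an AWS key, Slack's auth.test for a bot token, a token grant for a GCP service account), which is the step Trufflehog automates.

```python
import hashlib
import re
from dataclasses import dataclass, field
from typing import Callable, List, Optional

# Constructed ticket export, shaped like rows from a support-desk case dump.
# Every credential is fabricated: the AWS key is AWS's own documentation
# example, the others merely follow the public token formats.
TICKETS = [
    {"id": 4411, "body": "Sync job failing since last night. Creds we use:\n"
                         "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                         "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    {"id": 4412, "body": "Service account we uploaded to the integration:\n"
                         '{"type": "service_account", "project_id": "example-proj",\n'
                         ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEv...\\n-----END PRIVATE KEY-----\\n",\n'
                         ' "client_email": "etl@example-proj.iam.gserviceaccount.com"}'},
    {"id": 4413, "body": "Customer confirmed password reset. Temporary password: Winter2025!"},
    {"id": 4414, "body": "Bot token for the alert channel is xoxb-1234567890-ABCDEFGHIJKLMNOPQRSTUVWX"},
    {"id": 4415, "body": "My order id is AKIA1234 and nothing arrived."},  # prefix only, not a key
]

# kind -> (pattern, substring that must also appear in the body, or None).
# A capture group, when present, is the credential or identity; otherwise the
# whole match is.
RULES = {
    "aws_access_key_id": (re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"), None),
    "gcp_service_account": (re.compile(r'"client_email"\s*:\s*"([^"]+\.iam\.gserviceaccount\.com)"'), '"private_key"'),
    "slack_bot_token": (re.compile(r"xox[bpa]-\d{10,}-[A-Za-z0-9-]{20,}"), None),
    "plaintext_password": (re.compile(r"(?i)\bpassword\s*[:=]\s*(\S{8,})"), None),
}

Verifier = Callable[[str, str, str], Optional[bool]]


@dataclass
class Finding:
    ticket_id: int
    kind: str
    fingerprint: str                  # sha256 prefix; reports never carry the raw secret
    verified: Optional[bool] = None   # True = live, False = dead/revoked, None = not checkable
    raw: str = field(default="", repr=False)


# Offline stand-in for live verification. In a real run this is where the
# issuer gets called (sts:GetCallerIdentity for an AWS pair, Slack auth.test
# for a bot token, a token grant for a GCP service account). The answers below
# are a constructed fixture, not real credential state.
LIVE_FIXTURE = {("slack_bot_token", "xoxb-1234567890-ABCDEFGHIJKLMNOPQRSTUVWX")}
DEAD_FIXTURE = {("aws_access_key_id", "AKIAIOSFODNN7EXAMPLE")}


def fixture_verifier(kind: str, secret: str, body: str) -> Optional[bool]:
    if (kind, secret) in LIVE_FIXTURE:
        return True
    if (kind, secret) in DEAD_FIXTURE:
        return False
    return None  # e.g. a plaintext password: nothing to test it against


def scan_tickets(tickets, verifier: Optional[Verifier] = None) -> List[Finding]:
    findings, seen = [], set()
    for t in tickets:
        body = t["body"]
        for kind, (rx, requires) in RULES.items():
            if requires and requires not in body:
                continue
            for m in rx.finditer(body):
                secret = m.group(1) if rx.groups else m.group(0)
                if (kind, secret) in seen:      # same credential pasted into many tickets
                    continue
                seen.add((kind, secret))
                fp = hashlib.sha256(secret.encode()).hexdigest()[:12]
                verified = verifier(kind, secret, body) if verifier else None
                findings.append(Finding(t["id"], kind, fp, verified, secret))
    # Live first, then unknown, then dead: the order an attacker wants and the
    # order a defender should rotate in.
    rank = {True: 0, None: 1, False: 2}
    findings.sort(key=lambda f: (rank[f.verified], f.ticket_id))
    return findings


if __name__ == "__main__":
    for f in scan_tickets(TICKETS, fixture_verifier):
        print(f)
```

Two design choices matter here. The report carries a fingerprint rather than the secret, so the scan output itself does not become a second copy of the credential store. And the GCP rule keys on the service account identity while requiring a private key in the same body, so a pasted identity without key material is not reported, and the same account pasted into ten tickets is reported once.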
The (B2)ⁿ Problem: Why "Third-Party Incident" Understates the Risk
When Crunchyroll attributed the breach to a third-party vendor incident, they used language that appears in almost every modern data breach disclosure. It is technically defensible and structurally misleading, because it suggests a bilateral relationship — Crunchyroll, Telus — when the actual exposure path involves five separate organizational trust boundaries.
Silverfort's analysis of the Salesloft breach introduced a framing that applies equally here: the (B2)ⁿ crossing attack, or what they call cross-vendor lateral movement. The attack chain is not Attacker → Telus → Crunchyroll. It is Attacker → Salesloft GitHub → Drift OAuth → Salesforce (700 orgs) → Telus Digital GCP → Telus BigQuery → Trufflehog credential discovery → Additional Telus systems → Telus employee's Okta → Crunchyroll Zendesk → Subscriber data. Each business-to-business integration created a trust relationship that the attacker inherited once they compromised any single node in the chain.
The practical implication is that Crunchyroll's perimeter was irrelevant to this outcome. Hardware keys for every Crunchyroll employee, a zero-trust architecture for its own network, and monitoring of its own endpoints would not have intercepted a credential chain that entered through a BPO partner's compromised SSO account, because the attacker arrived through a trusted authentication pathway rather than through the perimeter. What was within Crunchyroll's reach was the shape of that trusted pathway: how much of the Zendesk tenant a single BPO agent identity could read, whether bulk export of ticket history required a separate privilege, and how quickly one identity pulling millions of tickets raised an alert. Access was revoked, but only after roughly 8 million records had already left.
This is the point that the Blacksmith Infosec analysis made with particular precision after the Salesloft breach: "A vendor's security is indistinguishable from their own." A compromise of any upstream vendor is functionally a compromise of every downstream enterprise that trusts it. The modern enterprise doesn't control its own attack surface in any meaningful sense. It controls the nodes it can directly monitor, but it has limited visibility into — and zero direct security authority over — the vendors those vendors use, and the credentials those nested vendor relationships create.
Crunchyroll in 2026: A Company Already Under Pressure
The breach landed at a particularly difficult moment. In early 2026, Crunchyroll was already facing a class-action lawsuit alleging that it shared user viewing data, device IDs, and anime streaming history with third-party marketing platforms without subscriber knowledge or consent. The plaintiffs are seeking $2,500 per violation under the Video Privacy Protection Act. In 2023, Crunchyroll settled a substantially similar VPPA lawsuit for $16 million. The company also raised subscription prices for its Fan Tier membership for the first time in seven years as of February 2026.
Into this context, Crunchyroll waited 11 days to tell its 15 to 17 million subscribers that a breach had occurred, and even then characterized the scope as "primarily limited to customer service ticket data" — without providing subscribers any guidance on what data was specifically exposed or what actions they should take. No direct email notification. No dedicated breach notification page. Statements only to journalists who asked.
The company's silence during those 11 days is not legally neutral. The 72-hour GDPR notification requirement applies from the moment an organization becomes aware of a breach, not from when an investigation concludes. Crunchyroll detected and revoked the attacker's access on approximately March 13. Eleven days later, users were learning about the breach from security journalists, anime forums, and social media posts by cybersecurity accounts, not from Crunchyroll itself.
The extortion angle adds another dimension. The attacker demanded $5 million and was ignored. Ignoring extortion demands is consistent with FBI and CISA guidance and avoids setting a precedent for payment. But silence as a strategy accelerates the path to public data exposure, which is exactly what happened — International Cyber Digest published breach evidence on March 22, triggering the media coverage that forced Crunchyroll's hand. The company's silence did not contain the incident. It transferred narrative control to the threat actor.
What This Means Going Forward
The Crunchyroll breach is not a story about anime fans and compromised passwords. It is a case study in the structural vulnerabilities of modern enterprise architecture, executed by a threat actor group that has been operating publicly and continuously since 2020, using a playbook documented in detail by Google, Mandiant, Palo Alto Networks, and CISA.
Several implications are worth drawing out explicitly because they appear nowhere in the mainstream coverage.
The Salesloft remediation was incomplete. Telus Digital's GCP credentials were in the Salesloft/Drift stolen data. The credentials were apparently never rotated in the window between the August 2025 Salesloft breach and ShinyHunters' access to Telus in late 2025. Salesloft revoked OAuth tokens. They did not — could not — mandate that every organization whose data was accessed rotate every credential that might have been present in that data. The breach notification process is reactive. By the time an organization receives notification that their Salesforce data was accessed, the attacker may already have enumerated every credential in that data and begun pivoting.
Trufflehog in logs is a detection signal, not a guarantee of attack. The tool leaves a "TruffleHog" user-agent string in AWS CloudTrail and other cloud provider logs. Organizations that had deployed proper API-level telemetry monitoring could have seen Trufflehog running against credentials in their environment. A key open question about the Telus breach is whether any log-level signals of Trufflehog activity were present and undetected, or whether the BigQuery access simply never generated the expected alerts.
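What that log-level signal looks like in practice, as an added example and not code from the page: a Python check over constructed CloudTrail records (the field names are CloudTrail's; the key IDs, addresses and times are made up). It raises the obvious signal, a GetCallerIdentity call carrying a TruffleHog user-agent, and a second, tool-independent one: a single source address validating several distinct access keys within a few minutes, which is what credential verification looks like whatever the client calls itself. The window and key count are assumptions.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta


def _rec(ts, ip, key, ua, user="svc-etl"):
    """One CloudTrail-shaped record. Field names are CloudTrail's; values are constructed."""
    return {"eventVersion": "1.08", "eventTime": ts, "eventSource": "sts.amazonaws.com",
            "eventName": "GetCallerIdentity", "awsRegion": "us-east-1",
            "sourceIPAddress": ip, "userAgent": ua,
            "userIdentity": {"type": "IAMUser", "userName": user, "accessKeyId": key}}


# Constructed log: four keys validated from one host with the scanner's default
# user-agent, one ordinary CLI call from an internal address, and three keys
# validated from another host by a client that changed its user-agent.
CLOUDTRAIL_LOG = json.dumps({"Records": [
    _rec("2025-11-02T14:03:11Z", "198.51.100.23", "AKIAEXAMPLE000000001", "TruffleHog"),
    _rec("2025-11-02T14:03:12Z", "198.51.100.23", "AKIAEXAMPLE000000002", "TruffleHog"),
    _rec("2025-11-02T14:03:12Z", "198.51.100.23", "AKIAEXAMPLE000000003", "TruffleHog"),
    _rec("2025-11-02T14:03:13Z", "198.51.100.23", "AKIAEXAMPLE000000004", "TruffleHog"),
    _rec("2025-11-02T14:10:00Z", "10.0.5.17", "AKIAEXAMPLE000000001", "aws-cli/2.17.0 md/awscrt#0.20.11"),
    _rec("2025-11-02T15:40:00Z", "203.0.113.77", "AKIAEXAMPLE000000005", "python-requests/2.32.3"),
    _rec("2025-11-02T15:40:20Z", "203.0.113.77", "AKIAEXAMPLE000000006", "python-requests/2.32.3"),
    _rec("2025-11-02T15:40:41Z", "203.0.113.77", "AKIAEXAMPLE000000007", "python-requests/2.32.3"),
]})


def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def detect(log_json, window=timedelta(minutes=5), burst_keys=3):
    """Return findings over sts:GetCallerIdentity events.

    secret_scanner_user_agent: the client announced itself as TruffleHog.
        A hint only; your own authorised scans trip it too.
    credential_validation_burst: one source address validated `burst_keys` or
        more distinct access keys inside `window`. Independent of the tool.
    """
    recs = [r for r in json.loads(log_json)["Records"]
            if r.get("eventSource") == "sts.amazonaws.com"
            and r.get("eventName") == "GetCallerIdentity"]
    findings = []

    for r in recs:
        if "trufflehog" in r.get("userAgent", "").lower():
            findings.append({"rule": "secret_scanner_user_agent", "ip": r["sourceIPAddress"],
                             "accessKeyId": r["userIdentity"].get("accessKeyId"),
                             "time": r["eventTime"]})

    by_ip = defaultdict(list)
    for r in sorted(recs, key=lambda r: r["eventTime"]):
        by_ip[r["sourceIPAddress"]].append((_ts(r["eventTime"]), r["userIdentity"].get("accessKeyId")))

    for ip, calls in by_ip.items():
        for i, (t0, _) in enumerate(calls):            # sliding window anchored at each call
            keys = {k for t, k in calls[i:] if t - t0 <= window}
            if len(keys) >= burst_keys:
                findings.append({"rule": "credential_validation_burst", "ip": ip,
                                 "distinct_keys": len(keys), "time": calls[i][0].isoformat()})
                break
    return findings


if __name__ == "__main__":
    for f in detect(CLOUDTRAIL_LOG):
        print(f)
```

Treat the user-agent rule as triage, not verdict: it fires on your own scans as readily as on an attacker's, which is the point of the paragraph above. The burst rule is the one to page on, and it is worth pairing with an allow-list of the addresses your own scanners run from so that scheduled internal runs do not drown the signal.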
BPO contracts need security clauses that currently don't exist at scale. The typical BPO relationship includes service level agreements, data handling provisions, and confidentiality requirements. What it does not typically include is a contractual obligation to notify the client within 24 hours of any security incident affecting client data, a right to audit the BPO's security posture continuously rather than annually, or technical controls preventing BPO agents from bulk-downloading client data to personal devices. These are not unreasonable requirements. They are simply absent from most contracts because the risk was underestimated until breaches like this one made it visible.
The 28 unnamed Telus clients are still unnamed. As of this writing, Crunchyroll is the only organization publicly identified from ShinyHunters' claimed list of 28 Telus Digital BPO clients whose data was stolen. The other 27 have not been disclosed. Their subscribers — across telecommunications, financial services, healthcare, and media — may be unaware that their data passed through Telus Digital's compromised environment. The dwell time was months. The data is already in attacker hands. Notification processes that lag behind attacker exploitation timelines are functionally notification-as-liability-management, not notification-as-user-protection.
The credential chain is still active. ShinyHunters told The Register on March 9, three days before the Crunchyroll breach, that their "recon and exploitation has been going on for several months now" across approximately 100 high-profile companies. On March 18, they breached Infinite Campus; March 25 was the Infinite Campus ransom deadline. The campaign is ongoing. The 28 Telus client names are likely being used for follow-on operations: targeted phishing against the customer bases of those organizations, credential stuffing against platforms where the stolen emails have accounts, and social engineering leveraging the detailed support ticket content.
Key Takeaways
- Supply chain breaches have a longer clock than anyone discloses. The Crunchyroll breach date is March 12, 2026. The actual origin date is March 2025, when Salesloft's GitHub was compromised. Every breach notification timeline that starts at the moment of direct victim contact understates the actual duration of exposure by the full length of the upstream credential chain.
- Credential harvesting is the objective, not the method. In both the Salesloft and Telus incidents, data exfiltration was not the end goal — it was the means to find more credentials. The stolen Salesforce data was scanned for AWS keys. The Telus BigQuery data was scanned with Trufflehog. Each credential discovery event is itself a new breach origin for whoever those credentials unlock. Organizations that audit their own data stores for embedded credentials — using the same tools attackers use — can break the chain before it reaches them.
- The (B2)ⁿ trust model requires rethinking third-party risk governance. Third-party risk assessments that evaluate a vendor's security posture annually cannot detect credential exposure that originated in a different vendor's environment six months ago. The risk model needs to include fourth-party visibility — who your vendors use — and continuous monitoring rather than point-in-time assessment.
- Vishing surged to become the second most common initial infection vector in 2025, per Mandiant's M-Trends 2026 report. The Crunchyroll attacker used email-delivered malware. ShinyHunters uses vishing. Both techniques exploited the same structural weakness: SSO credentials granting broad access across connected platforms without independent verification at each application. FIDO2/WebAuthn security keys and passkeys (along with PKI-based smart-card logins) are the MFA methods resistant to the real-time phishing proxy attacks these groups deploy; push-based and SMS-based MFA are not. They do not, however, protect an SSO session that an infostealer lifts from an already logged-in browser, so device-bound sessions, short session lifetimes, and revocation on endpoint compromise have to sit alongside them.
- The 11-day notification delay has legal consequences. GDPR's 72-hour notification requirement is not contingent on the completion of a forensic investigation. An organization that has detected and contained a breach — and Crunchyroll had, by March 13 — has a legal obligation to notify under EU regulation. The delay is a regulatory exposure that will be evaluated independently of the breach's technical scope.
- ShinyHunters explicitly named Sony as a target three days before the Crunchyroll breach. The March 9 Register interview, the public Telegram channel, the documented pattern of targeting — none of this was obscure threat intelligence. It was published in mainstream security media. Whether any of that intelligence was being monitored and acted upon at Crunchyroll or Sony is a question the eventual regulatory and litigation processes will likely answer.
Crunchyroll's subscribers did not have their data stolen in a Crunchyroll breach. Their data was taken because a chatbot company's developer account was compromised in March 2025, triggering a credential cascade through five organizations across twelve months. The subscriber had no visibility into any of it. They had no relationship with Salesloft. They had no knowledge of Drift. They had never heard of Telus Digital. They trusted Crunchyroll with their email address, their IP address, their geographic location, and in some cases their payment information — and Crunchyroll, in turn, trusted a BPO whose security was only as strong as its vendors' vendors.
That is not an indictment specific to Crunchyroll. It is a description of how modern enterprise data architecture works. What is specific to Crunchyroll is the 11-day silence while 6.8 million subscribers remained uninformed, the absence of proactive user notification even after confirmation, and the continued absence — as of this writing — of any direct communication to the subscriber base advising them of what was exposed and what to do about it.
The clock that started in March 2025 is still running.
Sources
The following primary and secondary sources were used in the research and writing of this analysis. URLs are provided as plain text for reference.
- BleepingComputer — Crunchyroll probes breach after hacker claims to steal 6.8M users' data (Lawrence Abrams, March 23, 2026), bleepingcomputer.com
- TechCrunch — Crunchyroll confirms data breach after hacker claims unauthorized access (Jagmeet Singh, March 24, 2026), techcrunch.com
- TechRadar — Crunchyroll investigating breach which reportedly hit 6.8 million users (Sead Fadilpasic, March 25, 2026), techradar.com
- PCMag — Crunchyroll Investigating Possible Breach Involving 100GB of User Data (Michael Kan, March 2026), pcmag.com
- Polygon — Crunchyroll's data breach is 'limited to customer service ticket data' (March 24, 2026), polygon.com
- CNET — Crunchyroll Responds to Claims of Data Breach (Kourtnee Jackson, March 24, 2026), cnet.com
- Screen Rant — Crunchyroll Officially Responds to Data Breach With New Statement (March 23, 2026), screenrant.com
- Anonhaven — Crunchyroll breached through Telus Digital outsourcer, 100 GB of data reportedly stolen (Adam Bream, March 23, 2026), anonhaven.com
- BleepingComputer — Telus Digital confirms breach after hacker claims 1 petabyte data theft (Lawrence Abrams, March 12, 2026), bleepingcomputer.com
- CBC News — Telus probes cybersecurity incident that ShinyHunters group claims responsibility for (Reuters/CBC, March 12, 2026), cbc.ca
- The Register — Outsourcer Telus admits to attack, possibly by ShinyHunters (Jessica Lyons and Connor Jones, March 15, 2026), theregister.com
- CSO Online — Telus Digital hit with massive data breach (Paul Barker, March 12, 2026), csoonline.com
- Breached.Company — Inside the Telus Digital Breach: How ShinyHunters Stole Nearly 1 Petabyte Through a Single Credential, breached.company
- Google Cloud Blog / Mandiant — Widespread Data Theft Targets Salesforce Instances via Salesloft Drift (August 26, 2025), cloud.google.com
- The Hacker News — Salesloft OAuth Breach via Drift AI Chat Agent Exposes Salesforce Customer Data (August 27, 2025), thehackernews.com
- The Hacker News — Salesloft Takes Drift Offline After OAuth Token Theft Hits Hundreds of Organizations (September 3, 2025), thehackernews.com
- Krebs on Security — The Ongoing Fallout from a Breach at AI Chatbot Maker Salesloft
krebsonsecurity.com - Unit 42 / Palo Alto Networks — Threat Brief: Salesloft Drift Integration Used To Compromise Salesforce Instances (September 2, 2025)
unit42.paloaltonetworks.com - FINRA — Cybersecurity Alert: Salesloft Drift AI Supply Chain Attack
finra.org - Aviatrix — Salesloft Drift GitHub Breach 2025: Supply-Chain Attack Impacts 22 Companies (January 8, 2026)
aviatrix.ai
- Google Cloud Blog / Mandiant — Vishing for Access: Tracking the Expansion of ShinyHunters-Branded SaaS Data Theft (January 31, 2026)
cloud.google.com - The Hacker News — Mandiant Finds ShinyHunters-Style Vishing Attacks Stealing MFA to Breach SaaS Platforms (January 31, 2026)
thehackernews.com - The Register — ShinyHunters claims more high-profile victims in latest Salesforce customers data heist (March 9, 2026)
theregister.com - Google Cloud Blog / Mandiant — M-Trends 2026: Data, Insights, and Strategies From the Frontlines (March 23, 2026)
cloud.google.com - DarkOwl — Actor Spotlight: ShinyHunters (July 11, 2024)
darkowl.com - WIRED — ShinyHunters Is a Hacking Group on a Data Breach Spree (Lily Hay Newman, 2020)
wired.com - Blacksmith Infosec — What the Salesloft Drift Breach Reveals About Trust and Risk (September 17, 2025)
blacksmithinfosec.com - BlackFog — Scattered Spider, Lapsus$, and ShinyHunters Form New Cybercrime Alliance (September 9, 2025)
blackfog.com
- Qualys Blog — Cloud Credential Misuse: Detection and Prevention Guide 2026 (February 19, 2026)
blog.qualys.com - Truffle Security — TruffleHog in Your Logs? (Joe Leon, September 17, 2025)
trufflesecurity.com - Expel — Stories from the SOC: The second coming of Shai Hulud (December 23, 2025)
expel.com - GitGuardian — Trivy's March Supply Chain Attack Shows Where Secret Exposure Hurts Most (March 2026)
blog.gitguardian.com - Elastic Security — Credential Access via TruffleHog Execution (detection rule, December 2025)
elastic.co - Cybersecurity News — Salesloft Drift Hacked to Steal OAuth Tokens and Exfiltrate from Salesforce Corporate Instances
cybersecuritynews.com
- Silverfort — The Salesloft Drift breach: A cross-vendor attack (2025)
silverfort.com - Obsidian Security — BREAKING: UNC6395 — The Biggest SaaS Breach of 2025
obsidiansecurity.com - CBR — Crunchyroll Officially Responds to Report Claiming 100 GB User Data Leak (Leo Reyna, March 23, 2026)
cbr.com - CX Today — Crunchyroll Hack Exposes Customer Support Data in Vendor Security Incident (Nicole Willing, March 25, 2026)
cxtoday.com - Insurance Journal / Reuters — Crunchyroll Probes Breach After Hacker Steals User Data (March 25, 2026)
insurancejournal.com - Logix BPO — TELUS Data Breach Expands to Include Crunchyroll (March 24, 2026)
logixbpo.com - Oasis Security — The Salesloft OAuth compromise: what it changed, and what to do next (Joe Gonzalez, September 2025)
oasis.security - Cybersecurity News — Crunchyroll Data Breach Exposes User Information (March 2026)
cybersecuritynews.com