{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata — refreshed continuously.","feed_url":"https://feed.craftedsignal.io/tags/data-breach/","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cves":[],"_cs_exploited":false,"_cs_products":[],"_cs_severities":["high"],"_cs_tags":["supply-chain","data-breach","credential-theft","phishing"],"_cs_type":"advisory","_cs_vendors":[],"content_html":"\u003cp\u003eOn March 23, 2026, a data breach was reported at Crunchyroll, stemming from a compromise of their outsourcing partner, Telus, in India. The attackers successfully gained access to Crunchyroll\u0026rsquo;s environment after a Telus employee was targeted with a spoofed phishing email. This email delivered malware that stole the employee\u0026rsquo;s Okta credentials, granting the attacker a foothold into Crunchyroll\u0026rsquo;s systems. The breach resulted in the exfiltration of approximately 100 GB of sensitive customer analytics and ticketing data. The threat actor had unauthorized access for a duration of 24 hours before the compromised credentials were revoked. This incident highlights the risks associated with supply chain vulnerabilities and the importance of robust security measures across all partner organizations.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003e\u003cstrong\u003eInitial Access:\u003c/strong\u003e A Telus employee received a spoofed phishing email containing malware. (T1566)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eMalware Deployment:\u003c/strong\u003e The employee interacted with the phishing email, leading to the deployment of an infostealer on their machine.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eCredential Theft:\u003c/strong\u003e The malware captured the employee\u0026rsquo;s Okta credentials. (TA0006)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eAuthentication:\u003c/strong\u003e The attacker used the stolen Okta credentials to authenticate into Crunchyroll\u0026rsquo;s environment.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Access:\u003c/strong\u003e Upon successful authentication, the attacker gained access to customer analytics and ticketing data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eData Exfiltration:\u003c/strong\u003e The attacker exfiltrated approximately 100 GB of data, including PII such as email addresses and IP addresses. (TA0010)\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eLateral Movement (Likely):\u003c/strong\u003e While not explicitly stated, the attacker likely performed some level of lateral movement within the Crunchyroll environment to access the data.\u003c/li\u003e\n\u003cli\u003e\u003cstrong\u003eObjective Achieved:\u003c/strong\u003e The attacker successfully exfiltrated sensitive customer data.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eThe Crunchyroll data breach resulted in the exfiltration of 100 GB of customer analytics and ticketing data. This included personally identifiable information (PII) such as email addresses and IP addresses. The exposure of this data could lead to identity theft, phishing attacks targeting Crunchyroll customers, and potential financial fraud. The breach also damages Crunchyroll\u0026rsquo;s reputation and erodes customer trust. The incident underscores the critical need for robust security measures across the entire supply chain to protect sensitive customer data.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eImplement and enforce strict email security policies to prevent phishing attacks, focusing on employee training to recognize spoofed emails (T1566).\u003c/li\u003e\n\u003cli\u003eDeploy endpoint detection and response (EDR) solutions on all employee machines to detect and prevent malware deployment (TA0005).\u003c/li\u003e\n\u003cli\u003eMonitor Okta authentication logs for suspicious login activity, such as logins from unusual locations or at unusual times (TA0006).\u003c/li\u003e\n\u003cli\u003eImplement multi-factor authentication (MFA) for all user accounts, especially those with access to sensitive data, to mitigate the impact of credential theft (TA0006).\u003c/li\u003e\n\u003cli\u003eConduct regular security audits of all third-party vendors and partners to ensure they meet the required security standards (TA0011).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rule to detect the use of stolen Okta credentials based on anomalous login patterns.\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2026-03-24T12:00:00Z","date_published":"2026-03-24T12:00:00Z","id":"/briefs/2026-03-crunchyroll-breach/","summary":"Crunchyroll suffered a data breach after a Telus employee was phished, leading to Okta credential theft and exfiltration of 100GB of customer data.","title":"Crunchyroll Data Breach via Telus Supply Chain Compromise","url":"https://feed.craftedsignal.io/briefs/2026-03-crunchyroll-breach/"}],"language":"en","title":"CraftedSignal Threat Feed — Data-Breach","version":"https://jsonfeed.org/version/1.1"}