The Crunchyroll Breach Proves Your Data Is Only as Safe as the Weakest Contractor

By Viallo Team

Quick take: In March 2026, hackers breached TELUS Digital - a massive outsourcing company most people have never heard of - and stole nearly 1 petabyte of data. The same attack group hit Crunchyroll through a TELUS employee, exposing 6.8 million users' emails and support tickets. Neither company was hacked directly. The breach came through a chain of contractors and stolen credentials. If a photo platform outsources anything - customer support, email delivery, analytics - your data is only as safe as the weakest link in that chain.


What happened with TELUS and Crunchyroll

On March 11, 2026, TELUS Digital confirmed that hackers had gained unauthorized access to its systems. TELUS Digital is a Canadian business process outsourcing (BPO) company - they run customer support, content moderation, and AI training operations for other companies. The threat group ShinyHunters claimed they stole almost 1 petabyte of data.

The stolen data reportedly includes customer support records, voice recordings of support calls, financial information, Salesforce data, source code, and FBI background checks on employees. ShinyHunters demanded $65 million in ransom. TELUS reportedly did not pay.

The next day, the same attack chain hit Crunchyroll, the anime streaming platform with over 15 million subscribers. A TELUS employee working on Crunchyroll's customer support was tricked by a phishing email and downloaded malware. That gave attackers access to Crunchyroll's Zendesk platform - 8 million support tickets, 6.8 million unique email addresses, IP addresses, and credit card details.

Crunchyroll's own servers weren't breached. The vulnerability was an outsourced support agent at a contractor who fell for a phishing attack. One click, two companies compromised.

The invisible companies handling your data

Most people have never heard of TELUS Digital, but their data has probably passed through it. BPO companies like TELUS handle customer support for hundreds of brands. When you open a support ticket or call a helpline, the person on the other end often works for a completely different company.

This is the reality of modern tech: the company you signed up for rarely handles everything itself. Customer support gets outsourced to BPO firms. Email delivery goes to Mailgun or SendGrid. Analytics data flows to Amplitude or Mixpanel. Payment processing goes through Stripe. Photo processing might go to an AI provider. Each handoff creates a new attack surface.

In the TELUS case, the hackers didn't even attack TELUS directly. They found TELUS credentials in data stolen from another breach - the Salesloft Drift incident. Old credentials from Company A gave access to Company B, which gave access to Company C's customer data. This is what security researchers call a supply chain attack, and it's becoming the default way data breaches happen.


What photo platforms outsource

If you think photo platforms are immune to this, think again. Here's what most photo and cloud storage services outsource or integrate with third parties:

  • Customer support. Many platforms use outsourced support teams or tools like Zendesk, Intercom, or Freshdesk. Support agents - whether in-house or outsourced - typically have access to account details, billing information, and sometimes file metadata.
  • Email delivery. Transactional emails (password resets, sharing notifications) go through third-party providers like SendGrid, Mailgun, or Amazon SES. These services see your email address and often your name.
  • Analytics and tracking. Usage data, session recordings, and behavioral analytics often flow to services like Google Analytics, Amplitude, or Mixpanel. This can include what you upload, when, and how you interact with the platform.
  • AI processing. Platforms with face recognition, auto-tagging, or smart search send your photos to AI processing pipelines - sometimes operated by third parties like Google Cloud Vision, AWS Rekognition, or OpenAI.
  • CDN and storage. Some platforms store your actual photos on third-party infrastructure. This is generally safe if done correctly, but it's another company that has access to your files.

Each of these integrations means your data exists on systems you didn't sign up for, managed by people you don't know, under security practices you can't verify.

Why this problem is getting worse

Three trends are accelerating supply chain breaches in 2026:

  • AI features require more third parties. Every AI-powered feature - auto-tagging, search, background removal, face grouping - typically involves sending data to an external processing service. The rush to add AI features is expanding attack surfaces faster than security teams can audit them.
  • BPO is growing. Companies are outsourcing more operations to cut costs. TELUS Digital alone handles support and content moderation for hundreds of companies. A single breach at a BPO firm cascades across every client.
  • Credential reuse chains. The TELUS breach started with credentials from an entirely different breach. As more companies get breached, stolen credentials pile up and get tested against every service imaginable. One leaked password from 2024 can unlock systems in 2026.

How to evaluate a platform's vendor risk

You can't audit a company's entire vendor chain, but you can look for red flags and green flags:

  • Check the privacy policy for third-party sharing. Look for specific mentions of data processors, subprocessors, or third-party service providers. GDPR-compliant platforms are required to disclose this. If the privacy policy is vague about who gets your data, that's a warning sign.
  • Count the integrations. Platforms that brag about integrations with dozens of services are also platforms with dozens of potential breach points. Simpler is safer.
  • Look for in-house support. If a platform outsources customer support to a BPO firm, your account details are accessible to people who don't work for the company you signed up for.
  • Check for AI processing disclosures. Under the EU AI Act and Apple's App Store rules, platforms increasingly need to disclose when they send your data to AI services. If a platform has AI features but no disclosure about how they work, your data is going somewhere they're not telling you about.
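One way to "count the integrations" from the outside, and to spot a third-party support widget as the FAQ below suggests, is to list the external hosts a platform's page loads. The script is an added example, not code from Viallo or any platform named here; the vendor hostname map is an illustrative, incomplete assumption, and `photos.example` with its HTML is constructed sample input.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, incomplete map of asset-host suffixes to the vendor categories
# this article lists. The entries are assumptions for the example; extend them.
KNOWN_VENDORS = {
    "zdassets.com": ("Zendesk", "customer support"),
    "intercom.io": ("Intercom", "customer support"),
    "google-analytics.com": ("Google Analytics", "analytics"),
    "amplitude.com": ("Amplitude", "analytics"),
    "mxpnl.com": ("Mixpanel", "analytics"),
    "stripe.com": ("Stripe", "payments"),
}

class AssetCollector(HTMLParser):
    """Collects URLs from tags that commonly load resources from a host."""
    URL_ATTRS = {"script": "src", "iframe": "src", "img": "src", "link": "href"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        wanted = self.URL_ATTRS.get(tag)
        self.urls.extend(v for n, v in attrs if n == wanted and v)

def third_party_hosts(html, first_party):
    """Return {host: (vendor, category)} for every host outside first_party."""
    parser = AssetCollector()
    parser.feed(html)
    found = {}
    for url in parser.urls:
        host = (urlparse(url).hostname or "").lower()
        if not host or host == first_party or host.endswith("." + first_party):
            continue  # relative URL, or the platform's own domain
        found[host] = ("unknown", "unclassified")
        for suffix, info in KNOWN_VENDORS.items():
            if host == suffix or host.endswith("." + suffix):
                found[host] = info
    return found

# Constructed sample page for a fictional platform, photos.example.
SAMPLE_HTML = """<script src="/static/app.js"></script>
<script src="https://cdn.photos.example/gallery.js"></script>
<script src="https://www.google-analytics.com/analytics.js"></script>
<script src="//static.zdassets.com/ekr/snippet.js?key=EXAMPLE"></script>
<link rel="stylesheet" href="https://fonts.example.net/site.css">
<iframe src="https://js.stripe.com/v3/controller.html"></iframe>
<img src="https://cdn.mxpnl.com/pixel.gif">"""

if __name__ == "__main__":
    print(third_party_hosts(SAMPLE_HTML, "photos.example"))
```

This only reveals integrations that load in the browser. Server-side vendors such as email delivery, outsourced support staff, or AI processing pipelines never appear in page source, which is why the subprocessor list in the privacy policy still matters.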

Viallo keeps its vendor chain deliberately short. Photos are stored on Cloudflare in the EU. There's no outsourced customer support, no third-party AI processing, and no behavioral analytics. The fewer companies that touch your data, the fewer opportunities for a supply chain breach.


What to do right now

Whether you're a Crunchyroll user affected by this specific breach or just someone who stores photos and personal data online, here's what's actionable:

  • Use unique passwords everywhere. The TELUS breach started with credentials reused across services. A password manager eliminates this risk entirely.
  • Enable two-factor authentication. Even if your password leaks in a vendor breach, 2FA prevents unauthorized access to your account.
  • Minimize the platforms that hold your data. Every account is a potential breach point. If you're not actively using a service, delete the account. Don't just stop logging in - actually delete it.
  • Prefer platforms with minimal vendor chains. You can't eliminate third-party risk entirely, but you can choose services that minimize it. Fewer integrations means fewer ways your data can leak through someone else's systems.

Frequently Asked Questions

What is a BPO company?

BPO stands for Business Process Outsourcing. These are companies that run operations like customer support, content moderation, and data entry for other brands. When you contact a company's support team, the person helping you might actually work for a BPO firm like TELUS Digital, Concentrix, or Teleperformance.

Was my Crunchyroll data exposed?

If you've ever filed a support ticket with Crunchyroll, your email address and ticket details may have been exposed. The breach affected 6.8 million unique email addresses from Crunchyroll's Zendesk system. Crunchyroll confirmed the breach on March 24, 2026 and says it has contained the unauthorized access.

How does this relate to photo sharing?

Photo platforms use the same outsourcing patterns - third-party support tools, email providers, analytics services, and AI processors. If any of these vendors gets breached, your account data and potentially your photos are at risk. The principle is the same: your data is only as secure as the weakest vendor in the chain.

Does Viallo use outsourced customer support?

No. Viallo handles support in-house and doesn't use third-party support platforms like Zendesk or outsourced BPO teams. Your account information isn't accessible to external support contractors.

How can I tell if a platform outsources its support?

Check the privacy policy for mentions of "subprocessors" or "service providers" in the customer support category. Also, if the support interface uses a third-party tool (Zendesk, Intercom, Freshdesk), your data is being processed by that third party in addition to the platform itself.
