Today’s Menu (30-second skim)

  • Crunchyroll breach: A hacker stole 6.8 million users’ customer support records by compromising one outsourced support agent
  • Torg Grabber malware: New infostealer targets 728 crypto wallets and 103 password manager extensions — spreading via a clipboard trick
  • European Commission cloud hack: A threat actor breached the EU’s Amazon cloud environment and claims to have stolen 350 GB of government data

1) Crunchyroll breach: 6.8 million users’ support records stolen through one outsourced employee


What happened (plain English): Crunchyroll — the popular anime streaming service used by millions — is investigating a breach in which a hacker stole approximately 8 million customer support tickets containing data on 6.8 million unique email addresses. The attacker didn’t break into Crunchyroll directly. Instead, they used malware to infect the computer of a single outsourced support agent at a third-party company called Telus International, which handles Crunchyroll’s customer service. With that one employee’s credentials, the hacker gained access to Crunchyroll’s support tools — including Zendesk, Google Workspace, and Slack — and downloaded years of customer service records. The stolen data includes names, usernames, email addresses, IP addresses, and the full contents of support conversations. Credit card numbers were not systematically exposed, though a small number of customers had typed card details into tickets. The hacker demanded $5 million from Crunchyroll, received no response, and has threatened to release the data publicly.

Why it matters to you: If you have ever had a customer service conversation with Crunchyroll — about billing, account access, or anything else — your name, email, and potentially personal details you shared in that ticket may now be in criminal hands. Even without passwords or payment data, this information is more than enough for targeted phishing: imagine getting an email that references your exact support issue, from an address that looks like Crunchyroll, asking you to verify your account. This breach also reveals a growing weak point across all large companies: their outsourced support vendors. One infected laptop at a BPO firm can unlock the data of millions of customers at multiple companies simultaneously.

How to protect yourself (do this):

  • If you have a Crunchyroll account, be on high alert for any emails, texts, or calls claiming to be from Crunchyroll support — especially ones that reference a past issue you actually had. Go directly to the Crunchyroll app or site instead of clicking links.
  • Change your Crunchyroll password and enable two-factor authentication if you haven’t already.
  • If you use the same password elsewhere, change it on every site where it’s been reused — now is a good time to get a password manager.
  • Check Have I Been Pwned at haveibeenpwned.com to see if your email appears in this or other breaches.

Published: March 22, 2026

Source: BleepingComputer


2) Torg Grabber: new malware steals crypto wallets and password manager extensions — spreads via a clipboard trick


What happened (plain English): Security researchers at Gen Digital (the company behind Norton, Avast, and AVG) have identified a rapidly evolving malware called Torg Grabber that targets 850 browser extensions — 728 of them for cryptocurrency wallets — plus 103 extensions for password managers and two-factor authentication tools. It also targets browsers, email clients, VPN apps, Discord, Steam, and Telegram. Torg Grabber spreads through a technique called “ClickFix”: victims are shown a fake error message or CAPTCHA on a website and told to paste a command into their computer to “fix” it. Clicking “copy” silently loads a malicious command into your clipboard, and when you paste it, the malware installs itself. Once running, it can steal every saved password and cookie from your browser, drain crypto wallets, take screenshots, and steal files from your Desktop and Documents folders. The malware also bypasses Chrome’s newest password-protection technology. It has been actively developed since December 2025 with new criminal operators joining weekly.

Why it matters to you: You don’t have to download a suspicious file or click a sketchy email link to get infected. The ClickFix trick happens on ordinary-looking websites — fake CAPTCHA pages, fake error screens, fake “software update required” popups — where you’re asked to copy-paste something harmless-looking into your computer. If you have any cryptocurrency (including small amounts in browser wallets like MetaMask or Coinbase Wallet), browser-saved passwords, or authenticator extensions, this malware is designed specifically to empty them. The fact that it’s being sold to an expanding group of criminals means it’s actively being deployed in new campaigns every week.

How to protect yourself (do this):

  • Never copy and paste commands into your computer from a website, popup, or error message — even if it claims to be a required fix or CAPTCHA. Legitimate websites do not ask you to paste things into a terminal or run commands.
  • If you hold any cryptocurrency in a browser extension wallet (MetaMask, Coinbase Wallet, Phantom, etc.), use a hardware wallet for any significant amounts — browser extension wallets are high-value targets.
  • Move your most important account passwords (banking, email, healthcare) into a dedicated password manager app rather than relying solely on browser-saved passwords.
  • Enable two-factor authentication (2FA) on your email and banking accounts — if passwords are stolen, 2FA stops the attacker from logging in.

Published: March 26, 2026

Source: BleepingComputer


3) European Commission cloud breach: hacker claims 350 GB of EU government data stolen via Amazon cloud


What happened (plain English): The European Commission — the executive governing body of the European Union — is investigating a security breach after a threat actor gained access to at least one of its Amazon Web Services cloud accounts. The attacker contacted journalists and claimed to have stolen over 350 gigabytes of data, including multiple databases and an email server used by Commission employees. The EU’s cybersecurity incident response team detected the breach quickly, and Amazon confirmed its own infrastructure was not compromised. The attacker says they do not plan to extort the Commission but intend to leak the data online at a later date. This follows a separate January 2026 breach of the Commission’s mobile device management system, which was linked to attacks on other European government institutions.

Why it matters to you: This may sound like a government IT story far removed from everyday life — but it isn’t. Cloud accounts at major institutions are breached the same ways consumer accounts are: weak credentials, reused passwords, phishing, or misconfigured access controls. The data stolen from these environments often ends up in the same criminal marketplaces as consumer breach data. More broadly, this is a reminder that even organizations with professional IT teams and legal compliance requirements get hacked. The gap between “we have security software” and “we are actually secure” can be enormous. The lesson for regular people: treat your own cloud accounts (Google Drive, iCloud, OneDrive, Dropbox) with the same skepticism you’d apply to a bank — because they often hold just as much sensitive information.

How to protect yourself (do this):

  • Use a strong, unique password on your cloud storage accounts (Google Drive, iCloud, Dropbox, OneDrive). If you use the same password across multiple services, change it on each of them.
  • Enable two-factor authentication on all cloud accounts — this is the single most effective thing you can do to stop account takeovers.
  • Review what’s in your cloud storage periodically: old tax returns, passport scans, financial statements, and health documents stored in cloud folders are exactly what attackers look for.
  • Be suspicious of any emails that claim to be from cloud services asking you to “re-verify” your account or “review unusual activity” — go directly to the app rather than clicking email links.

Published: March 28, 2026

Source: BleepingComputer


👏 Grandma’s Firewall

One simple rule, every week. Print it. Share it. Make it stick.

This week’s rule: If a website tells you to copy and paste something into your computer to “fix” a problem — don’t. That’s how malware gets in.

Real websites, real software updates, and real error messages do not require you to open a terminal window or paste commands. If you’re ever asked to do that by a popup, a CAPTCHA, or an error page, close the browser tab immediately.

Script 1 — What to say when you see a “paste this to fix it” popup:

“I’m not pasting anything into my computer. Real software doesn’t need me to do that. I’m closing this tab.”

Script 2 — What to tell a family member who just pasted a command:

“Stop what you’re doing. Disconnect from Wi-Fi right now. Don’t type anything else. Let me help you from a different device.”

Forward this to one person who might not know that “paste this to fix it” is almost always a scam. That’s this week’s mission.

— Philip | Human In[Security]
