ShinyHunters did not hack TELUS Digital. They walked in through a door that someone else had already unlocked — and then spent months quietly draining nearly one petabyte of data before anyone noticed.
On March 12, 2026, TELUS Digital confirmed what BleepingComputer had been reporting since January: the company's systems had been accessed without authorization. The statement was carefully worded — "a limited number of our systems" — but the attacker's own claims told a very different story. ShinyHunters, the extortion group behind the intrusion, alleged it had exfiltrated close to one petabyte of data over a breach that had been running silently for months. The full scope has not yet been independently verified, but the categories of data involved — call records, source code, FBI background checks, voice recordings, and client data spanning at least 28 major companies — place this among the largest confirmed data thefts in recent memory by sheer volume.
What makes this breach worth studying carefully is not the size. It is the method. There was no zero-day exploit. There was no brute-force attack against TELUS infrastructure. The entire operation traced back to a single set of credentials that TELUS Digital never knew had been stolen.
How the Attack Actually Started
To understand the TELUS Digital breach, you have to go back to a different company in a different year. In 2025, threat actors compromised Salesloft's GitHub environment and stole OAuth tokens from the Drift chatbot integration. Drift is a customer-facing chat and sales platform that many enterprise companies connect directly to their Salesforce CRM. Those stolen OAuth tokens gave the attackers the ability to query and export Salesforce data belonging to hundreds of organizations that used Drift as part of their customer engagement stack.
Mandiant, now part of Google Cloud, investigated the Salesloft Drift compromise and reported that the stolen Salesforce data covered at least 760 companies. Inside that enormous dataset were customer support tickets, internal communications, and — critically — credentials and authentication tokens that employees had shared or embedded in support cases. This is not an uncommon practice. Developers and administrators regularly paste API keys, access tokens, and cloud credentials into support tickets when troubleshooting. Once those tickets were in the stolen Salesforce export, every secret embedded in them was exposed.
ShinyHunters scanned through that haul and found Google Cloud Platform credentials belonging to TELUS Digital.
The Credential Cascade: From Drift to BigQuery
Armed with the GCP credentials, ShinyHunters accessed multiple TELUS Digital systems. Their first confirmed target was a large BigQuery instance — Google's cloud-based data warehouse platform used for storing and analyzing massive datasets. The attackers downloaded that data. Then they did something that transformed a single foothold into a sprawling compromise.
They ran trufflehog against the data they had just stolen.
Trufflehog is an open-source security tool used by legitimate penetration testers and security engineers to scan repositories, code bases, and data dumps for embedded secrets — API keys, passwords, authentication tokens, and other credentials that developers have accidentally left in plaintext. ShinyHunters repurposed it offensively, scanning the downloaded BigQuery data to extract every credential hidden within it. Each credential they found opened another door into TELUS Digital's environment. Each new system they accessed contained more data, and potentially more credentials still. The attackers moved laterally through the infrastructure for months, methodically expanding their access before detection.
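The defensive mirror of what happened at Salesloft and in the BigQuery export is to run the same kind of secret scan yourself, before a ticket body or a warehouse export ever leaves your control. The Python below is an added example written for this article, not code from TruffleHog, TELUS Digital, or any vendor: it applies a few signature rules for well-known credential shapes (Google API keys, AWS access key IDs, PEM private-key blocks, service-account JSON, key=value assignments) plus TruffleHog's classic Shannon-entropy heuristic, then redacts what it finds. The detector regexes, entropy threshold and the support-ticket text are simplified, constructed assumptions; the sample key values are fake (the AWS one is AWS's own documentation example).

```python
import math
import re
from dataclasses import dataclass
from typing import List

# Detector rules. The key formats are public (vendor-documented); these regexes are
# a hypothetical, simplified rule set for illustration, not TruffleHog's detectors.
SIGNATURES = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[A-Z0-9]{16}\b"),
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----[\s\S]*?"
        r"-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
    ),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    # key=value style secrets; group(1) is the secret itself
    "assignment_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9_\-./+=]{16,})"
    ),
}
# Markers that identify a credential *format* but are not secret material themselves.
MARKER_KINDS = {"gcp_service_account_json"}
# Fallback for anything the signatures miss: long, random-looking strings.
ENTROPY_CANDIDATE = re.compile(r"[A-Za-z0-9_\-/+=]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; assumption tuned for this sample

# Constructed sample values (not real credentials).
FAKE_GOOGLE_KEY = "AIza" + "SyEXAMPLE" + "0" * 26      # 39 chars, the public AIza... shape
FAKE_AWS_KEY = "AKIAIOSFODNN7EXAMPLE"                   # AWS documentation example key
FAKE_TOKEN = "xK9f2Qp7vLm3Rt8WzA4bN6cYe1HgJ5uS"         # constructed, random-looking

# Constructed support ticket of the kind described above: a developer pastes
# their config, and every secret in it into the CRM.
SAMPLE_TICKET = (
    "Subject: Nightly BigQuery export to GCS fails with 403\n"
    "Hi support, the export job dies on auth. Pasting my config so you can reproduce:\n"
    '{"type": "service_account", "client_email": "exporter@example-project.iam.gserviceaccount.com",\n'
    ' "private_key": "-----BEGIN PRIVATE KEY-----\\nEXAMPLE_KEY_MATERIAL\\n-----END PRIVATE KEY-----\\n"}\n'
    "GOOGLE_API_KEY=" + FAKE_GOOGLE_KEY + "\n"
    "aws_access_key_id = " + FAKE_AWS_KEY + "\n"
    "session token: " + FAKE_TOKEN + "\n"
    "Thanks!\n"
)


@dataclass
class Finding:
    kind: str
    value: str
    offset: int


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_for_secrets(text: str) -> List[Finding]:
    """Signature pass first, then an entropy pass; each secret value reported once."""
    findings, seen = [], set()
    for kind, pattern in SIGNATURES.items():
        for m in pattern.finditer(text):
            value = m.group(1) if m.groups() else m.group(0)
            if value not in seen:
                seen.add(value)
                findings.append(Finding(kind, value, m.start()))
    for m in ENTROPY_CANDIDATE.finditer(text):
        value = m.group(0)
        if value not in seen and shannon_entropy(value) >= ENTROPY_THRESHOLD:
            seen.add(value)
            findings.append(Finding("high_entropy_string", value, m.start()))
    return sorted(findings, key=lambda f: f.offset)


def redact(text: str) -> str:
    """Mask every secret beyond its first four characters so the ticket can be stored safely."""
    for f in scan_for_secrets(text):
        if f.kind in MARKER_KINDS:
            continue
        masked = f.value[:4] + "*" * (len(f.value) - 4)
        text = text.replace(f.value, masked)
    return text


if __name__ == "__main__":
    for f in scan_for_secrets(SAMPLE_TICKET):
        print(f"{f.kind:26s} at offset {f.offset}")
    print(redact(SAMPLE_TICKET))
```

Run against the constructed ticket it reports five findings (service-account JSON, private-key block, Google API key, AWS key ID, and the bearer token caught by the assignment rule) and returns a copy with the secret material masked. The point of the design is that the same scan belongs on both sides of the boundary: on ticket submission, so secrets never reach a CRM export, and on your own warehouse tables, so a secret-laden dataset is found by you first.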
"The hallmarks of this breach — the multi-month dwell time, massive data volumes, and delayed detection — suggest the abuse of legitimate access rather than overt technical exploitation." — Fritz Jean-Louis, principal cybersecurity advisor, Info-Tech Research Group (CSO Online, March 2026)
The pattern Jean-Louis describes is precisely what makes this class of breach so difficult to detect. When attackers use valid credentials to authenticate to legitimate cloud services and query data through authorized API calls, the activity looks normal. No malware is deployed. No known exploit signature fires. The only indicators are behavioral — unusual query volumes, data downloads at odd hours, access from unexpected IP addresses — and those require mature detection engineering to catch reliably. BleepingComputer reported that the breach was first detected in January 2026, but TELUS did not respond to media inquiries at that time. The company's formal confirmation came in March, after ShinyHunters had been inside the environment for a significant period.
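The three behavioral indicators named above (unusual query volume, access at odd hours, unexpected source addresses) can be expressed as rules over a data-access audit trail. The Python below is an added example for this article, not TELUS Digital's detection logic or any vendor's product: it walks a constructed, simplified export of warehouse access events, keeps a per-principal median of bytes read, and raises an alert with the reasons that fired. The log schema, the allowed network ranges, the UTC business-hours window and the 10x spike factor are all assumptions chosen for the sample; a real BigQuery audit log is far more verbose, and the thresholds would come from your own baselines.

```python
import ipaddress
import json
import statistics
from datetime import datetime, timezone

# --- Assumptions (constructed for this example) ------------------------------
# Networks from which these principals are expected to query the warehouse.
# 10.0.0.0/8 stands in for an internal range; 203.0.113.0/24 is documentation space.
ALLOWED_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("203.0.113.0/24")]
BUSINESS_HOURS_UTC = (8, 19)   # [start, end) hour, UTC
SPIKE_FACTOR = 10              # bytes_read above 10x the principal's median is a spike
MIN_HISTORY = 3                # prior events needed before judging volume

# Constructed, simplified data-access log, one JSON object per line. The service
# account reads ~2 GB every morning; the sixth line is the anomaly.
SAMPLE_LOG = """
{"ts": "2026-01-05T10:12:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "10.20.4.15", "bytes_read": 2100000000}
{"ts": "2026-01-05T14:30:00Z", "principal": "analyst@example.com", "ip": "203.0.113.42", "bytes_read": 50000000}
{"ts": "2026-01-06T10:11:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "10.20.4.15", "bytes_read": 1900000000}
{"ts": "2026-01-06T16:05:00Z", "principal": "analyst@example.com", "ip": "203.0.113.42", "bytes_read": 75000000}
{"ts": "2026-01-07T10:14:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "10.20.4.15", "bytes_read": 2300000000}
{"ts": "2026-01-08T09:45:00Z", "principal": "analyst@example.com", "ip": "203.0.113.42", "bytes_read": 60000000}
{"ts": "2026-01-08T10:10:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "10.20.4.15", "bytes_read": 2000000000}
{"ts": "2026-01-09T03:27:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "198.51.100.77", "bytes_read": 410000000000}
{"ts": "2026-01-09T10:09:00Z", "principal": "exporter@example-project.iam.gserviceaccount.com", "ip": "10.20.4.15", "bytes_read": 2100000000}
{"ts": "2026-01-09T18:50:00Z", "principal": "analyst@example.com", "ip": "203.0.113.42", "bytes_read": 80000000}
"""


def parse_log(text):
    """Parse one JSON event per line into dicts with a timezone-aware datetime, oldest first."""
    events = [json.loads(line) for line in text.strip().splitlines() if line.strip()]
    for e in events:
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return sorted(events, key=lambda e: e["ts"])


def detect(events):
    """Return one alert per event that trips any of the three behavioral rules."""
    history = {}   # principal -> bytes_read of every event seen so far
    alerts = []
    for e in events:
        reasons = []
        # Rule 1: access outside the expected working window for this environment.
        if not (BUSINESS_HOURS_UTC[0] <= e["ts"].hour < BUSINESS_HOURS_UTC[1]):
            reasons.append("off_hours")
        # Rule 2: source address outside the networks this principal uses.
        ip = ipaddress.ip_address(e["ip"])
        if not any(ip in net for net in ALLOWED_NETS):
            reasons.append("unknown_ip")
        # Rule 3: read volume far above this principal's own established baseline.
        # The median is used so a single huge read does not drag the baseline up with it.
        past = history.setdefault(e["principal"], [])
        if len(past) >= MIN_HISTORY and e["bytes_read"] > SPIKE_FACTOR * statistics.median(past):
            reasons.append("volume_spike")
        past.append(e["bytes_read"])
        if reasons:
            alerts.append({
                "ts": e["ts"].isoformat(),
                "principal": e["principal"],
                "ip": e["ip"],
                "bytes_read": e["bytes_read"],
                "reasons": reasons,
            })
    return alerts


if __name__ == "__main__":
    for a in detect(parse_log(SAMPLE_LOG)):
        print(a)
```

On the constructed log this yields exactly one alert, for the 03:27 UTC read of 410 GB from an address outside the allowed ranges, with all three reasons attached; the service account's normal morning exports and the analyst's activity are silent. Note that none of the three rules looks at malware or exploit signatures, which is the point: every event here is an authenticated, authorized API call, and only its shape gives it away.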
TELUS Digital was not the direct target of the initial compromise. The GCP credentials that enabled this breach were stolen from Salesloft — a separate company. This illustrates that your organization's security posture is partially determined by the security of every vendor whose systems handle your credentials, even indirectly through support tickets and CRM data.
What Was Stolen — and Who It Affects
TELUS Digital is not a consumer-facing brand. It is the business process outsourcing and digital services arm of TELUS Corporation, one of Canada's largest telecommunications companies. TELUS reacquired full control of the unit in September 2025 after TELUS Digital's share price had declined sharply as a publicly traded entity. The division provides customer support, content moderation, AI data services, fraud detection, and call center outsourcing to companies across multiple industries. Because BPO providers centralize the customer data of many clients in a single environment, a breach at the BPO layer can expose data belonging to dozens of organizations simultaneously.
ShinyHunters' claimed haul reflects that structure. On the BPO side, the stolen data allegedly covers customer support records, call center operations, agent performance metrics, AI-driven customer support tooling, fraud detection infrastructure, and content moderation systems used by client companies. The group also claims to have obtained source code, financial records, Salesforce data, and voice recordings of support calls. Reuters reported that the stolen material included FBI background check information — the highly sensitive personal data submitted when employees undergo security clearance or pre-employment verification processes.
The stolen data also extended beyond the BPO division's own records. TELUS Digital confirmed to BleepingComputer that it does not believe the intrusion reached TELUS Corporation's other business units, such as its broadband provider, wireless carrier, and health technology divisions. However, samples of data shared with BleepingComputer confirmed that call records from TELUS's consumer fixed-line telecommunications operations were included. Those records contained metadata for individual calls: time, duration, originating number, destination number, and call quality indicators. Reuters placed the floor on confirmed stolen data at approximately 700 terabytes, while ShinyHunters' own claim stands at close to one petabyte.
At least 28 major client companies are alleged to be affected. Independent verification of the full client list and data scope remains pending as the investigation continues.
"TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion." — TELUS Digital official statement (TELUS Digital, March 2026)
ShinyHunters: A Pattern of Escalating Scale
ShinyHunters is not a new group. The name first appeared in cybercrime forums around 2019 and 2020, when the group began selling large stolen databases. Their early campaigns targeted consumer platforms for credential theft and data resale: AT&T wireless subscriber data in 2021 (70 million records claimed), Wattpad in 2020 (268 million records), and dozens of smaller operations. The name is believed to derive from "shiny hunting" in the Pokemon video game franchise — the pursuit of rare variants through persistent, methodical effort. The metaphor has proven apt.
The group's operational profile shifted meaningfully in 2024. Rather than targeting individual consumer platforms, ShinyHunters pivoted toward cloud data platforms that sit at the center of enterprise infrastructure. The 2024 Snowflake campaign was the signal breach. Attackers used credentials stolen through infostealer malware to access Snowflake customer instances that lacked multi-factor authentication. The victims included Ticketmaster (560 million records), Santander Bank (30 million records), and Neiman Marcus. No Snowflake platform vulnerability was exploited. Every breach in that campaign came down to stolen credentials and absent MFA.
In June 2025, French authorities announced the arrest of four alleged ShinyHunters members in a coordinated law enforcement action. The group continued operating. By August 2025, ShinyHunters had merged operational infrastructure with Scattered Spider and Lapsus$, forming a looser collective that Google's Threat Intelligence team tracks under the designations UNC6040 and UNC6240. The merged group launched voice phishing campaigns against Salesforce environments starting in May 2025, impersonating IT support staff to trick employees into connecting malicious applications to their Salesforce portals. That campaign ultimately affected 300 to 400 companies. In parallel, ShinyHunters weaponized Mandiant's AuraInspector tool — a legitimate Salesforce security auditing utility released in January 2026 — modifying it to automate mass extraction of customer data from misconfigured Salesforce Experience Cloud sites. The TELUS Digital breach was running concurrently with all of this activity.
"The biggest risk today is not that attackers are getting better at breaking in; it's that they're getting better at being trusted." — Fritz Jean-Louis, Info-Tech Research Group (CSO Online, March 2026)
The Krebs on Security analysis of ShinyHunters' extortion infrastructure in late 2025 documented a victim shaming blog where more than three dozen Fortune 500 companies were listed as having Salesforce data stolen, with specific breach dates ranging between May and September 2025. Toyota, FedEx, Disney, and UPS were among the named entries. The TELUS Digital breach sits within this broader operational tempo — one campaign among many running simultaneously, each using a different entry vector but converging on the same model: steal data, demand ransom, publish if unpaid.
The $65 Million Demand TELUS Refused
ShinyHunters demanded $65 million USD from TELUS in exchange for deleting the stolen data and not publishing it. TechRadar confirmed the figure and reported that TELUS is not engaging with the extortionists. SC World confirmed the same: TELUS rejected the ransom demand.
That decision aligns with guidance from the FBI and CISA, both of which advise against paying ransoms on the grounds that payment does not guarantee data deletion, funds further criminal operations, and marks the victim as willing to pay — potentially triggering re-extortion. The Globe and Mail reported that cybersecurity experts specifically cautioned against paying this group, noting that ShinyHunters and its associated Com collective members "fundamentally don't understand what made the Russian ransom business model work," and that victims who have paid have historically not received what was promised.
Refusing to pay leaves the question of data exposure unresolved. If ShinyHunters follows its established pattern, the stolen data will be published on dark web forums or sold to other threat actors. That downstream risk is now the primary concern for every company whose data sits in that alleged one-petabyte haul.
TELUS Digital stated that all business operations remain fully operational and that there is no evidence of disruption to customer connectivity or services. The company is working with law enforcement and has engaged leading cyber forensics experts. Affected customers are being notified as the investigation progresses.
Key Takeaways
- Third-party credential exposure is a direct attack surface. The TELUS Digital breach began at Salesloft, not at TELUS. GCP credentials embedded in support tickets became the initial access vector. Organizations need to treat credentials shared through any third-party system — CRMs, ticketing platforms, chat tools — as potentially compromised, and rotate them accordingly.
- Offensive use of defensive tools is now standard practice. ShinyHunters used trufflehog, a legitimate open-source secret-scanning tool, to extract credentials from stolen data and pivot into additional systems. Detection strategies that focus on known malware signatures will miss this class of attack entirely. Behavioral anomaly detection around data access volumes and lateral movement is required.
- BPO environments concentrate multi-client risk. A single breach at a business process outsourcer can expose data belonging to dozens of client companies simultaneously. Organizations that outsource customer support, call center operations, or data processing should conduct rigorous third-party security assessments and verify that their data is adequately segmented within the vendor's environment.
- Multi-month dwell time is the real threat multiplier. The damage in this breach was not caused in a single session. It accumulated over months of quiet, authorized-looking activity. Incident response plans that assume prompt detection are not adequate for this class of intrusion. Detection engineering for slow, low-noise exfiltration campaigns requires investment that many organizations have not yet made.
- Paying the ransom does not solve the problem. TELUS refused the $65 million demand. Security experts and law enforcement guidance support that decision. ShinyHunters' track record with victims who have paid does not support the premise that payment results in data deletion.
The TELUS Digital breach is not a story about a sophisticated zero-day exploit or a novel attack technique. It is a story about credential hygiene, third-party risk, and the sustained patience of a financially motivated threat group that has been operating at scale for six years. The attack chain that ended with nearly one petabyte of data leaving TELUS systems began with a single credential sitting in a support ticket at a different company entirely. That is the vulnerability that needs to be solved — and it does not require a new security tool. It requires a different relationship with the secrets that flow through every system an organization touches.
Sources
- BleepingComputer — Telus Digital confirms breach after hacker claims 1 petabyte data theft
- Cybersecurity Dive — Telus Digital confirms hack as ShinyHunters claims credit for massive data theft
- CSO Online — Telus Digital hit with massive data breach
- TechRadar — Telus Digital confirms breach — hackers allegedly stole almost 1 petabyte of data
- The Globe and Mail — Telus investigating hack of its digital services arm
- SC World — Telus Digital affirms hack following ShinyHunters assertions
- TELUS Digital Official Statement — Cybersecurity Update
- Krebs on Security — ShinyHunters Wage Broad Corporate Extortion Spree
- Wikipedia — ShinyHunters
- SafeState — Telus Digital Data Breach Exposes Customer and Call Records