A stolen cloud credential, a credential-scanning tool, and months of undetected access. How ShinyHunters turned a third-party chatbot breach into a petabyte-scale attack on one of North America's largest business process outsourcers — and what it means for every organization that relies on vendors to handle their data.
On March 12, 2026, Telus Digital confirmed what the cybersecurity community had already begun discussing: the company had suffered a major breach at the hands of ShinyHunters, a prolific extortion group whose methods have evolved from simple credential stuffing into something considerably more dangerous. According to reporting by BleepingComputer's Lawrence Abrams, the group claims to have exfiltrated close to one petabyte of data from Telus Digital's systems over a period of several months, covering everything from call center records and agent performance ratings to source code, FBI background check results, and voice recordings of support calls.
What makes this breach notable is not merely its scale. It is the path the attackers took to get there. ShinyHunters did not target Telus Digital directly. They found a door left open by a previous attack on an entirely different company, walked through it quietly, and spent months helping themselves to one of the largest caches of business process outsourcing data ever reported.
The Anatomy of the Attack
The chain of events began, according to ShinyHunters themselves, with the Salesloft Drift breach of August 2025. Salesloft, a sales engagement platform, used Drift as an integrated chatbot tool. Attackers — later tracked by Google's Threat Intelligence team as UNC6395 — compromised Salesloft's GitHub environment and stole OAuth tokens tied to the Drift integration. Those tokens provided access to Salesforce customer data belonging to an estimated 760 organizations.
Inside that enormous haul of Salesforce data, ShinyHunters found something specific: Google Cloud Platform credentials belonging to Telus Digital. This discovery illustrates one of the defining shifts in modern threat actor methodology. Rather than attacking a hardened target from the front, the attackers leveraged data stolen from a peripheral vendor to gain valid access credentials. No zero-day exploit was required. No brute-force attack was mounted against Telus infrastructure. The attackers simply logged in.
Once inside Telus Digital's Google Cloud environment, ShinyHunters accessed a large BigQuery database containing operational data. They then employed TruffleHog, an open-source credential-scanning tool commonly used in legitimate security audits, to sweep the downloaded data for additional embedded passwords, access tokens, and authentication secrets. Each credential they found opened additional doors. The attackers used this technique to move laterally across multiple Telus systems, quietly exfiltrating data for months before the company detected the intrusion.
"The hallmarks of this breach, like the multi-month dwell time, massive data volumes, and delayed detection, suggest the abuse of legitimate access rather than overt technical exploitation." — Fritz Jean-Louis, Principal Cybersecurity Advisor, Info-Tech Research Group (CSO Online, March 2026)
What Was Taken
ShinyHunters claims the total volume of stolen data approaches one petabyte. Some independent reports place the floor at 700 terabytes. BleepingComputer, which reviewed text files describing the attack and received sample data from the threat actor, confirmed that call-center records were among the materials shared. The full scope of the theft has not been independently verified.
On the business process outsourcing side, the stolen data allegedly covers:
- Customer support tickets and call center operations data
- Agent performance metrics and ratings
- AI-driven customer support tooling and content moderation infrastructure
- Fraud detection and prevention system data
- Source code spanning multiple Telus business divisions
- Financial records and Salesforce data
- FBI background check results for employees
- Voice recordings of customer support calls
The breach reportedly extends beyond Telus Digital's outsourcing operations. ShinyHunters claims the stolen dataset includes call records from Telus's consumer telecommunications division, including call metadata such as time, duration, originating number, receiving number, and call quality indicators. Reuters separately reported that the stolen data spans multiple Telus business divisions, though Telus Digital stated it does not believe the breach affected its wireless carrier, broadband provider, or health-technology units.
ShinyHunters told BleepingComputer that 28 well-known companies were affected as clients of Telus Digital's BPO services. The publication declined to name those companies, as independent confirmation of their involvement was not possible at the time of reporting. Many of those companies may face their own breach notification obligations under applicable privacy law.
The Extortion Demand and Telus Digital's Response
ShinyHunters told BleepingComputer they began extorting Telus in February 2026, demanding $65 million in exchange for not releasing or selling the stolen data. According to sources familiar with the situation, Telus did not engage with the threat actors. After it became clear that Telus was not negotiating, ShinyHunters provided BleepingComputer with further details about the breach along with data samples.
Telus Digital confirmed the breach in a statement provided to multiple outlets on March 12, 2026:
"TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement." — Telus Digital (BleepingComputer, March 12, 2026)
The company stated it was cooperating with law enforcement, had implemented additional security measures, and would notify affected customers as the investigation progressed. Telus Digital did not confirm the one-petabyte figure, and a company spokesperson declined to comment on that claim when asked directly by CSO Online.
Who Are ShinyHunters?
ShinyHunters emerged in 2020, taking their name from the concept of rare "shiny" variants in the Pokemon franchise. In the years since, the group has become one of the most documented and consequential cybercrime collectives in the threat landscape, credited with more than 90 successful attacks affecting hundreds of millions of individuals worldwide.
Their early operations focused on stealing and selling databases from poorly secured platforms. Over time the group evolved toward targeting cloud infrastructure, abusing OAuth tokens, exploiting third-party vendor integrations, and conducting voice phishing campaigns in which members impersonate IT support personnel to harvest single sign-on credentials from employees.
The group's highest-profile operation before Telus was the 2024 Snowflake campaign. Attackers linked to ShinyHunters exploited stolen credentials obtained through infostealer malware to access the Snowflake cloud environments of at least 160 organizations. Victims included AT&T, Ticketmaster/Live Nation, Santander Bank, Neiman Marcus, and Advance Auto Parts. The Ticketmaster breach alone affected an estimated 560 million customers, with the data listed on a dark web forum for $500,000.
In 2025, Google's Threat Intelligence team tracked a campaign designated UNC6040 in which ShinyHunters targeted Salesforce customers using social engineering. Confirmed victims included Google, Cisco, Adidas, Qantas, Allianz Life, LVMH subsidiaries including Louis Vuitton and Dior, Pandora, and Farmers Insurance Group. Law enforcement has pursued the group's members: Sebastien Raoult, a French programmer linked to the group, was sentenced in January 2024 to three years in prison and ordered to pay back $5 million. In June 2025, French authorities arrested four additional members in coordinated operations. Despite these actions, the group's operations have continued, consistent with a model in which the ShinyHunters brand operates across a network of loosely affiliated individuals rather than a single centralized organization.
Why BPO Providers Are High-Value Targets
Business process outsourcing firms occupy a structurally exposed position in the data security landscape. They handle billing, customer authentication, support queues, call records, and internal tooling on behalf of dozens or hundreds of client organizations simultaneously. A single successful breach of a BPO provider does not expose one company's data. It exposes the data of every client served through that environment.
Telus Digital provides customer support operations, content moderation, fraud detection, and AI-driven data processing services to organizations worldwide. Analysts at Bitdefender described this dynamic as the core risk of BPO incidents: a single compromise can expose customer support artifacts, internal tooling clues, and downstream authentication pathways of multiple organizations at once.
The Telus Digital breach also illustrates a pattern security researchers call credential chaining: using stolen data from one breach to locate credentials enabling access to a second, unrelated target. ShinyHunters used the Salesloft Drift breach to find Telus GCP credentials. They then ran TruffleHog against data extracted from Telus to find further credentials inside that environment. Each layer of access funded the next.
Once valid credentials are in the hands of a threat actor, traditional perimeter defenses offer limited protection. The attacker authenticates as a legitimate user, accesses legitimate resources, and extracts data through legitimate channels. Catching this requires behavioral analytics, anomaly detection, and monitoring for unusual data egress patterns — not just signature-based tools watching for known malware.
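The kind of egress monitoring this paragraph calls for can be sketched in a few dozen lines. The following is an added example, not code from the article or from Telus Digital: it flags a principal whose daily read volume jumps far above its own trailing baseline, or that starts acting from an IP address it has never used before. The audit-log field names, the principals, the IP addresses and the byte counts are all constructed for illustration and do not correspond to any real cloud provider's schema.

```python
"""Flag unusual data egress in cloud audit logs: a principal whose daily read
volume jumps far above its own baseline, or that starts acting from an IP it
has never used before.

Added illustration: the log format, principals and numbers below are
constructed, not Telus Digital telemetry or any vendor's audit schema."""
from __future__ import annotations
import json
import statistics
from collections import defaultdict
from dataclasses import dataclass

GB = 10**9
SVC = "svc-export@demo-project.iam.gserviceaccount.com"   # constructed principal
ANALYST = "analyst@example.test"                           # constructed principal


def _event(day: str, hour: int, principal: str, ip: str, nbytes: int) -> str:
    """One audit record as a JSON line. The field names are an assumption."""
    return json.dumps({
        "timestamp": f"{day}T{hour:02d}:00:00Z",
        "principal": principal,
        "service": "bigquery",
        "method": "jobs.query",
        "caller_ip": ip,
        "bytes_read": nbytes,
    })


# Constructed sample log: five quiet days, then a sixth day on which the
# service account reads ~300x its usual volume from an address never seen before.
SAMPLE_AUDIT_LOG: list[str] = []
for _d in range(1, 6):
    _day = f"2026-02-{_d:02d}"
    SAMPLE_AUDIT_LOG += [
        _event(_day, 9, SVC, "10.0.0.5", 1 * GB),
        _event(_day, 15, SVC, "10.0.0.5", 1 * GB),
        _event(_day, 11, ANALYST, "10.0.0.9", 50_000_000),
    ]
SAMPLE_AUDIT_LOG += [_event("2026-02-06", h, SVC, "203.0.113.7", 200 * GB) for h in (2, 3, 4)]
SAMPLE_AUDIT_LOG.append(_event("2026-02-06", 11, ANALYST, "10.0.0.9", 50_000_000))


@dataclass(frozen=True)
class Alert:
    principal: str
    day: str
    reason: str   # "egress_volume_spike" or "new_source_ip"
    detail: str


def parse_events(lines: list[str]) -> list[dict]:
    return [json.loads(line) for line in lines]


def detect_anomalies(events: list[dict], ratio: float = 5.0,
                     min_history_days: int = 3) -> list[Alert]:
    """Walk the log day by day so each day is judged only against earlier days.

    A principal is alerted on when its daily bytes exceed `ratio` times the
    median of its prior daily totals, or when it acts from an unseen IP.  Both
    checks wait until `min_history_days` of baseline exist to limit noise."""
    events = sorted(events, key=lambda e: e["timestamp"])
    by_day: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_day[e["timestamp"][:10]].append(e)

    history: dict[str, list[int]] = defaultdict(list)   # principal -> prior daily totals
    known_ips: dict[str, set[str]] = defaultdict(set)   # principal -> IPs seen on prior days
    alerts: list[Alert] = []
    for day in sorted(by_day):
        totals: dict[str, int] = defaultdict(int)
        ips_today: dict[str, set[str]] = defaultdict(set)
        for e in by_day[day]:
            totals[e["principal"]] += e["bytes_read"]
            ips_today[e["principal"]].add(e["caller_ip"])
        for principal, total in totals.items():
            past = history[principal]
            if len(past) >= min_history_days:
                baseline = statistics.median(past)   # a zero baseline means any read is a spike
                if total > ratio * baseline:
                    alerts.append(Alert(principal, day, "egress_volume_spike",
                                        f"{total / GB:.0f} GB read vs baseline {baseline / GB:.1f} GB/day"))
                for ip in sorted(ips_today[principal] - known_ips[principal]):
                    alerts.append(Alert(principal, day, "new_source_ip", f"first activity from {ip}"))
            # Only after judging the day does it become part of the baseline.
            history[principal].append(total)
            known_ips[principal] |= ips_today[principal]
    return alerts


if __name__ == "__main__":
    for a in detect_anomalies(parse_events(SAMPLE_AUDIT_LOG)):
        print(f"{a.day} {a.principal} {a.reason}: {a.detail}")
```

Run against the constructed log, this raises exactly two alerts, both for the service account on 2026-02-06 (a volume spike and a new source IP) and none for the analyst. In production the same two signals would come from the provider's data-access audit logs rather than an inline list, and the baseline window and ratio would be tuned per principal class; the structure of the check stays the same.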
The Salesloft Drift Connection
The initial vector traces back to a campaign Google's Threat Intelligence team documented in August 2025. Attackers designated as UNC6395 compromised Salesloft's GitHub environment and extracted OAuth tokens from the Drift chatbot integration. Between August 8 and 18, 2025, those tokens were used to access Salesforce customer organizations belonging to hundreds of companies, systematically exporting CRM data and hunting for embedded credentials including AWS access keys and API tokens.
Support tickets within the exported Salesforce data reportedly contained credentials, authentication tokens, and other secrets that had been pasted into customer service interactions — a common and persistently underestimated security risk. Telus Digital's Google Cloud Platform credentials were among the materials recovered from this dataset. ShinyHunters identified those credentials and used them to initiate access to Telus systems, likely in late 2025, remaining undetected through January and February 2026 while conducting extortion outreach.
BleepingComputer noted it had been informed of the breach in January 2026 and had contacted Telus at that time, but received no response before the company's public confirmation in March.
Key Takeaways
- Third-party vendor risk is not theoretical. Telus Digital was not the direct target of an attack. Their credentials were harvested from a vendor's breach, then used months later. Organizations must audit what credentials their vendors hold and enforce short-lived, tightly scoped access tokens.
- Multi-factor authentication stops credential stuffing cold. The Snowflake campaign — and likely this one — succeeded because stolen credentials alone were sufficient. Where MFA is absent, valid credentials provide immediate, uncontested access.
- Attackers scan your stolen data for more credentials. TruffleHog is open-source and takes minutes to run. Any secrets embedded in support tickets, log files, configuration exports, or code repositories are fair game once data leaves a secured environment.
- BPO breaches multiply the blast radius. A breach at a single outsourcer can expose the data of dozens of downstream clients simultaneously. Organizations using BPO providers for sensitive operations should assess their contractual data security requirements and incident notification rights.
- Multi-month dwell time is the tell. The attackers operated undetected for months. Extended dwell time is a signature of credential-based intrusions. Behavioral baselines, data egress monitoring, and cloud access anomaly detection are required to catch this class of attacker.
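The defensive counterpart to the secret-scanning step described in the attack narrative and in the takeaway above is to run the same kind of scan over your own support tickets, log exports and CRM notes before they are stored or shared, so that pasted credentials never travel with the data. The following is an added example, not code from the article, from Telus Digital, or from the TruffleHog project: the detection patterns are simplified stand-ins for a real scanner's rule set, and the sample tickets are constructed (the AWS key id is the one AWS uses in its own documentation).

```python
"""Scan free-text artifacts (support tickets, log exports, CRM notes) for
embedded secrets before they are stored or shared, and redact what is found.

Added illustration, not Telus Digital code and not TruffleHog's rule set: the
patterns are simplified stand-ins and the tickets below are constructed."""
from __future__ import annotations
import re
from dataclasses import dataclass

# Narrow patterns so that a hit is actionable rather than noisy.  Long-lived
# cloud keys and private-key material are exactly the kind of secret that turns
# one exported dataset into access to a second environment.
SECRET_PATTERNS: dict[str, re.Pattern[str]] = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "aws_secret_access_key": re.compile(r"(?i)aws_secret_access_key\s*[=:]\s*[A-Za-z0-9/+=]{40}"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "bearer_token": re.compile(r"\bBearer\s+[A-Za-z0-9\-._~+/]{20,}=*"),
}

# Constructed tickets; the AKIA... value is AWS's documentation example key.
SAMPLE_TICKETS: dict[str, str] = {
    "T-1001": "Customer reports login loop on the portal. Cleared cache; resolved.\n",
    "T-1002": (
        "Agent pasted credentials to reproduce the export failure:\n"
        "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
        "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"
    ),
    "T-1003": (
        "Attaching the service-account key used by the nightly export job:\n"
        '{"type": "service_account", "client_email": "export@demo.iam.gserviceaccount.com",\n'
        ' "private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...(truncated)"}\n'
    ),
    "T-1004": (
        "Repro: curl -H 'Authorization: Bearer ya29.constructed-example-token-0123456789' "
        "https://api.example.test/v1/export\n"
    ),
}


@dataclass(frozen=True)
class Finding:
    ticket_id: str
    kind: str
    line_no: int    # 1-based line within the ticket body
    match: str      # the matched text; never log this field in a real deployment


def scan_ticket(ticket_id: str, body: str) -> list[Finding]:
    """Return every secret-pattern hit in one ticket body, with its line."""
    findings: list[Finding] = []
    for line_no, line in enumerate(body.splitlines(), start=1):
        for kind, pattern in SECRET_PATTERNS.items():
            for m in pattern.finditer(line):
                findings.append(Finding(ticket_id, kind, line_no, m.group(0)))
    return findings


def scan_corpus(tickets: dict[str, str]) -> list[Finding]:
    """Scan a whole export (ticket id -> body) in one pass."""
    return [f for tid, body in tickets.items() for f in scan_ticket(tid, body)]


def redact(body: str) -> str:
    """Replace each matched secret with a fixed marker so the artifact can be
    archived, attached to a CRM record or handed to a vendor without the key.
    For the keyed patterns (e.g. AWS_SECRET_ACCESS_KEY=...) the variable name
    is replaced together with the value; that is deliberate and lossless for
    the purposes of a support record."""
    for kind, pattern in SECRET_PATTERNS.items():
        body = pattern.sub(f"[REDACTED:{kind}]", body)
    return body


if __name__ == "__main__":
    for f in scan_corpus(SAMPLE_TICKETS):
        print(f"{f.ticket_id} line {f.line_no}: {f.kind}")
    print(redact(SAMPLE_TICKETS["T-1002"]))
```

Run on the constructed tickets, the scan reports nothing for T-1001, an AWS access key id and secret key on lines 2 and 3 of T-1002, a private-key block in T-1003 and a bearer token in T-1004; the redacted copy of T-1002 no longer contains either AWS value. The point of wiring this into the ticketing pipeline rather than running it after an incident is that the secrets are removed before any export exists for an attacker to scan.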
The Telus Digital investigation is ongoing as of March 18, 2026. ShinyHunters, having been publicly identified and having received no ransom payment, has an established pattern of publishing or selling data when demands go unmet — the group leaked data from SoundCloud and Crunchbase in January 2026 under similar circumstances. Whether the Telus data follows the same path, and whether any of the 28 unnamed client organizations face their own disclosure obligations, will determine how much broader this incident ultimately becomes.
Sources
- Lawrence Abrams, BleepingComputer — "Telus Digital confirms breach after hacker claims 1 petabyte data theft," March 12, 2026.
- David Jones, Cybersecurity Dive — "Telus Digital confirms hack as ShinyHunters claims credit for massive data theft," March 16, 2026.
- CyberInsider — "Telus Digital confirms security incident as ShinyHunters claims 1PB data theft," March 13, 2026.
- CSO Online — "Telus Digital hit with massive data breach," March 12, 2026.
- SC Media — "Telus Digital affirms hack following ShinyHunters assertions," March 13, 2026.
- SafeState — "Telus Digital Data Breach Exposes Customer and Call Records," March 16, 2026.
- Bitdefender HotForSecurity — "Telus Digital data breach confirmed: ShinyHunters claims 1PB theft," March 2026.
- Outsource Accelerator — "Telus Digital confirms massive 1 petabyte data breach by hackers," March 17, 2026.
- The Register — "Outsourcer Telus admits to attack, possibly by ShinyHunters," March 15, 2026.
- Wikipedia — "ShinyHunters" (updated March 2026).
- Wikipedia — "Snowflake data breach" (updated February 2026).