TELUS Digital breach: ShinyHunters claims 1PB data theft

Executive Summary
TELUS Digital confirmed on March 12, 2026 that it is investigating unauthorized access to a limited number of systems after threat actors linked to ShinyHunters claimed they stole nearly 1 petabyte of data in a multi-month intrusion. TELUS said business operations remain fully operational and that it is working with forensics experts and law enforcement, but the full scope of affected customer data has not yet been confirmed publicly. The reported incident matters beyond one victim: as a global BPO provider, TELUS Digital sits on customer support, moderation, billing, and operational data for many organizations. For defenders, the immediate priority is to treat third-party tokens, SaaS integrations, and downstream secrets as potentially exposed and accelerate incident response actions now.
What happened?
- January 2026: BleepingComputer says it contacted TELUS about breach questions after receiving early information, but did not receive a response at that time.
- March 12, 2026: TELUS Digital confirmed it is investigating unauthorized access to a limited number of systems and said affected customers are being notified as appropriate.
- Claim by threat actor: ShinyHunters says it began extorting TELUS in February, demanding $65 million in exchange for not leaking data.
- Claim by threat actor: The attackers say the intrusion began with Google Cloud Platform credentials allegedly found in data stolen during the Salesloft Drift compromise.
- Claim by threat actor: After accessing a BigQuery environment, they allegedly used TruffleHog-style secret discovery to pivot into additional TELUS systems and exfiltrate more data.
- Unconfirmed: The attackers claim the total stolen volume is close to 1PB and that dozens of TELUS Digital customers may be impacted. That scale has not been independently verified.
Who is affected?
At minimum, the confirmed impact is to TELUS Digital systems. Based on the company’s role as a BPO and digital-services provider, potentially exposed data could include support workflows, call-center records, moderation operations, performance data, fraud workflows, and other customer-managed business processes.
If the attacker’s claims are accurate, the blast radius may extend to:
- Organizations outsourcing customer support or business operations to TELUS Digital
- TELUS consumer telecom records and associated call metadata
- Any environments connected through reused or recoverable credentials discovered during post-exfiltration secret hunting
Where exact customer scope is still unknown, defenders should assume risk is highest where BPO, CRM, cloud analytics, and identity integrations overlap.
Initial access and likely kill chain
The most important technical detail is not just the alleged data volume, but the access pattern. Reporting links the intrusion to credentials or tokens recovered from data tied to the broader Salesloft Drift ecosystem. That maps to a familiar cloud-centric kill chain:
- Credential acquisition: attackers obtain third-party credentials, tokens, or secrets from a separate upstream breach or compromised integration.
- Initial access: those credentials are used to access a TELUS cloud environment, reportedly Google Cloud Platform.
- Discovery and collection: the attackers enumerate data stores, including a reported BigQuery instance, and export high-value datasets.
- Secret harvesting: exfiltrated data is scanned for additional keys, passwords, or authentication material, enabling further pivoting.
- Privilege expansion and lateral movement: newly found credentials are used to access more systems, datasets, or tenant-connected services.
- Actions on objectives: large-scale data breach and extortion.
ATT&CK-oriented view
| Phase | Likely technique |
|---|---|
| Initial Access | Valid Accounts (T1078) |
| Discovery | Cloud Service Discovery (T1526) |
| Collection | Data from Cloud Storage/Object Repositories (T1530) |
| Credential Access | Unsecured Credentials (T1552) |
| Lateral Movement | Use of recovered secrets across connected systems |
| Exfiltration | Exfiltration to attacker-controlled infrastructure (T1567) |
| Impact | Extortion leveraging stolen data |
Indicators and detection priorities
This incident is a reminder that SaaS-connected breaches often look like legitimate use until telemetry is correlated. Prioritize detection across these log sources:
EDR / workload telemetry
- Review developer endpoints and admin jump hosts for secret-scanning tools, bulk export tooling, and suspicious archive creation
- Hunt for unexpected access to cloud admin CLIs, credential files, or service-account material
- Check for data staging behavior preceding outbound transfers
Identity and access logs
- Review sign-ins tied to service accounts, integration users, and recently dormant application identities
- Look for impossible travel, new IP ranges, TOR egress, and abnormal token usage
- Revoke or rotate any credentials that may have been stored in support tickets, CRM notes, code repositories, or analytics exports
Cloud / SaaS telemetry
- Review BigQuery, GCP audit logs, Salesforce event monitoring, and OAuth-connected app activity
- Hunt for unusually large exports, query-job bursts, or new API clients using legacy tokens
- Search for mass enumeration of support-case, account, user, or call-detail datasets
Network / proxy / DNS
- Identify outbound transfers to unusual cloud storage, anonymization infrastructure, or previously unseen developer tooling endpoints
- Correlate access from IPs associated with known TOR exit nodes or suspicious hosting providers referenced in related GTIG reporting
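As an added illustration of the cloud-telemetry hunt above (unusually large exports and query-job bursts), the following Python is not from the original article. It assumes BigQuery data-access audit entries shaped like GCP's BigQueryAuditMetadata jobChange records; the thresholds, approved bucket prefix, principals and log lines are all constructed.

```python
"""Added example: flag bulk BigQuery query/extract activity per identity. Log entries are
constructed here in the shape of GCP BigQueryAuditMetadata jobChange records; the thresholds
and approved bucket prefix are assumptions to tune against your own baseline."""
import json
from collections import defaultdict

LARGE_JOB_BYTES = 50 * 1024**3                    # assumed: a single job moving > 50 GiB is abnormal
BURST_JOBS_PER_HOUR = 20                          # assumed: > 20 jobs per identity per clock hour
APPROVED_BUCKET_PREFIX = "gs://corp-analytics-"   # assumed: the only sanctioned extract destination

def make_entry(ts, principal, job_type, nbytes, dest=None):
    """Constructed log entry (JSON string); EXTRACT jobs carry extractStats, QUERY jobs queryStats."""
    stats = ({"extractStats": {"totalInputBytes": str(nbytes)}} if job_type == "EXTRACT"
             else {"queryStats": {"totalBilledBytes": str(nbytes)}})
    job = {"jobConfig": {"type": job_type}, "jobStats": stats}
    if dest:
        job["jobConfig"]["extractConfig"] = {"destinationUris": [dest]}
    return json.dumps({"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "metadata": {"jobChange": {"after": "DONE", "job": job}}}})

def find_bulk_activity(entries, large_bytes=LARGE_JOB_BYTES,
                       burst=BURST_JOBS_PER_HOUR, ok_prefix=APPROVED_BUCKET_PREFIX):
    """Sorted (principal, reason) findings: oversized jobs, extracts to unapproved buckets, bursts."""
    jobs_per_hour, findings = defaultdict(int), set()
    for raw in entries:
        e = json.loads(raw)
        pp, hour = e["protoPayload"], e["timestamp"][:13]          # hour bucket "YYYY-MM-DDTHH"
        job, who = pp["metadata"]["jobChange"]["job"], pp["authenticationInfo"]["principalEmail"]
        stats = job.get("jobStats", {})
        nbytes = int(stats.get("queryStats", {}).get("totalBilledBytes")
                     or stats.get("extractStats", {}).get("totalInputBytes") or 0)
        jobs_per_hour[(who, hour)] += 1
        if nbytes > large_bytes:
            findings.add((who, f"large {job['jobConfig']['type']} job: {nbytes // 1024**3} GiB"))
        for uri in job["jobConfig"].get("extractConfig", {}).get("destinationUris", []):
            if not uri.startswith(ok_prefix):
                findings.add((who, f"extract to unapproved bucket: {uri}"))
    for (who, hour), n in jobs_per_hour.items():
        if n > burst:
            findings.add((who, f"{n} jobs in hour {hour}"))
    return sorted(findings)

# Constructed sample: one analyst query, then an integration identity firing 25 queries in
# one hour and a 900 GiB extract to a bucket outside the approved prefix.
SA = "drift-sync@proj.iam.gserviceaccount.com"
SAMPLE_LOG = (
    [make_entry("2026-02-10T09:15:00Z", "analyst@example.com", "QUERY", 2 * 1024**3)]
    + [make_entry(f"2026-02-10T03:{m:02d}:00Z", SA, "QUERY", 4 * 1024**3) for m in range(25)]
    + [make_entry("2026-02-10T03:40:00Z", SA, "EXTRACT", 900 * 1024**3, "gs://tmp-dump-7781/support_cases.avro")]
)
```

`find_bulk_activity(SAMPLE_LOG)` returns three findings, all attributed to the service account: the 26-job burst, the oversized extract, and the extract landing outside the approved prefix.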
Example KQL pattern
```kusto
// Identities that signed in to the SaaS/cloud apps of interest from many IPs,
// or that also performed app-consent / service-principal changes in the period.
SigninLogs
| where TimeGenerated > ago(14d)
| where AppDisplayName has_any ("Salesforce", "Google Cloud", "BigQuery", "Drift")
| summarize firstSeen=min(TimeGenerated), lastSeen=max(TimeGenerated),
            ips=make_set(IPAddress), apps=make_set(AppDisplayName) by UserPrincipalName
| join kind=leftouter (
    AuditLogs
    | where TimeGenerated > ago(14d)
    | where OperationName has_any ("Add service principal", "Consent to application", "Update application", "Export")
    // Name the actor column explicitly so the join key does not depend on auto-naming.
    | extend Actor = tostring(InitiatedBy.user.userPrincipalName)
    | where isnotempty(Actor)
    | summarize ops=make_set(OperationName) by Actor
) on $left.UserPrincipalName == $right.Actor
// ops is null for users with no matching audit events (left outer join), so default it to 0.
| where array_length(ips) > 3 or coalesce(array_length(ops), 0) > 0
```
Example pattern only; adapt to your identity and cloud schema.
Containment and remediation checklist
🔴 Immediate containment (0–24h)
- Disable or constrain any suspected compromised service accounts and integration identities
- Revoke OAuth grants and rotate API keys tied to Drift, CRM, cloud analytics, and support platforms
- Force credential resets where secrets may have been embedded in tickets, exports, or internal notes
- Audit BigQuery and other cloud export logs for mass retrieval activity
- Enable enhanced monitoring for TOR, VPS, and unusual API-user agents
- Preserve logs and snapshots for digital forensics
- Notify downstream customers whose environments or data may be exposed
- Validate whether archived support artifacts contain keys, passwords, or token material
🟠 Hardening (24–72h)
- Reduce scopes on third-party connected apps and remove unnecessary API access
- Enforce IP restrictions and conditional access for integration accounts
- Segment BPO operations from core telecom, analytics, and admin environments
- Create detections for bulk exports from support, CRM, and analytics tables
- Review secret management across tickets, knowledge bases, and developer repositories
- Inventory all systems reachable via reused credentials from upstream suppliers
🟡 Longer-term controls (1–4 weeks)
- Eliminate long-lived tokens where short-lived or workload identity options exist
- Implement continuous secret scanning across code, tickets, chat exports, and data lakes
- Introduce stronger data minimization for BPO workflows that aggregate multiple customer datasets
- Formalize supply-chain breach playbooks for CRM, support, and cloud integration partners
- Expand table-level monitoring and anomaly detection for high-volume data access
- Test crisis communications and customer-notification workflows for third-party incidents
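For the checklist items on validating archived support artifacts and running continuous secret scanning across tickets and exports, here is an added Python example (not from the original article or from TELUS): a small pre-archive scanner with a handful of publicly documented credential-format rules plus an entropy fallback. The rule set, thresholds and ticket lines are constructed for illustration.

```python
"""Added example: scan an exported support/CRM text dump for embedded credential material
before it is archived or shared. Rules, thresholds and the sample export are constructed
for illustration; they are not TELUS data or any product's rule set."""
import math
import re

# (rule name, pattern); group 1 is the secret value itself.
RULES = [
    ("aws_access_key_id", re.compile(r"\b(AKIA[0-9A-Z]{16})\b")),
    ("google_api_key", re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b")),
    ("private_key_block", re.compile(r"(-----BEGIN (?:RSA |EC )?PRIVATE KEY-----)")),
    ("bearer_token", re.compile(r"(?i)\bbearer\s+([A-Za-z0-9_\-.=]{20,})")),
    ("password_assignment", re.compile(r"(?i)\b(?:password|passwd|pwd)\s*[:=]\s*(\S{8,})")),
]
ENTROPY_MIN_BITS = 4.5   # assumed: a 32+ char token at or above this is treated as a secret
TOKEN_RE = re.compile(r"[A-Za-z0-9+/_\-]{32,}={0,2}")

def shannon_entropy(s):
    """Bits per character: random base64 material sits near 6, English prose near 4."""
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def redact(value):
    """Keep a 4-char prefix for triage so the report does not itself copy the secret."""
    return value[:4] + "*" * max(len(value) - 4, 0)

def scan_export(lines):
    """Return (line_no, rule, redacted_value) for every finding in the exported lines."""
    hits = []
    for n, line in enumerate(lines, start=1):
        covered = []
        for name, pat in RULES:
            for m in pat.finditer(line):
                covered.append(m.group(1))
                hits.append((n, name, redact(m.group(1))))
        # Generic fallback: long high-entropy tokens that no named rule recognised.
        for tok in TOKEN_RE.findall(line):
            if shannon_entropy(tok) >= ENTROPY_MIN_BITS and not any(c in tok for c in covered):
                hits.append((n, "high_entropy_token", redact(tok)))
    return hits

# Constructed ticket export: two benign agent lines, then three lines carrying secrets.
SAMPLE_EXPORT = [
    "Case 48213 | portal login loop, order ref 1111-2222-3333-4444-5555-6666-7777-8888",
    "Agent note: escalated to tier 2, no credentials requested from customer",
    "Agent note: pasted integration config, aws_access_key_id=AKIAIOSFODNN7EXAMPLE",
    "Attachment sa.json begins: -----BEGIN PRIVATE KEY----- MIIEvQIBADANBg...",
    "Customer sent temp creds: password=Tr0ub4dor&3 and token Qm7xK2pL9sR4vT8wZ1nB5cF0hJ6dG3yA",
]
```

`scan_export(SAMPLE_EXPORT)` yields four findings on lines 3 to 5 with every value redacted, while the low-entropy order reference on line 1 is correctly ignored.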
Strategic analysis
This case matters because it combines three trends that keep compounding each other: third-party SaaS compromise, secret reuse, and concentration of customer data inside outsourcing providers. A BPO operator can become a force multiplier for attackers because one compromise can expose many companies’ support, identity, and operational workflows at once.
The reported TELUS path also matches a broader pattern seen in 2025 and 2026: data theft campaigns do not stop at the first environment. Attackers increasingly use exfiltrated datasets as a mining layer for credential theft, token recovery, and secondary access into cloud and enterprise platforms. That means defenders should not frame incidents like this as a single-tenant breach; they should treat them as possible credential relay events that propagate across connected business systems.
What happened at TELUS Digital?
TELUS Digital confirmed it is investigating unauthorized access to a limited number of systems after reporting linked the incident to ShinyHunters extortion claims.
Has the 1PB theft claim been verified?
No. The reported data volume has not been independently confirmed publicly.
Why is this incident significant?
Because TELUS Digital is a BPO provider, one breach could affect multiple customers and multiple types of operational data.
What should defenders do first?
Revoke and rotate third-party tokens, investigate large exports, and review connected SaaS and cloud platforms for reuse of exposed secrets.
Is the intrusion still ongoing?
Unknown publicly. TELUS says it secured systems and remains operational, but organizations should validate exposure rather than assume containment is complete.
Published: 2026-03-12 | Author: Invaders Cybersecurity | Classification: Public / TLP:CLEAR | Reading Time: 7 minutes