Telus Digital Confirms Security Breach as ShinyHunters Claim 1 Petabyte of Stolen Data
Data Breach 2026-03-14


Canadian BPO giant Telus Digital has confirmed a multi-month security incident after the ShinyHunters group claimed to have exfiltrated nearly 1 petabyte of data including source code, telecom records, and sensitive customer data for 28 global brands — all via GCP credentials stolen in a 2025 supply-chain attack.

Tags: data-breach, telus, shinyhunters, cloud-security, BPO, google-cloud, credential-theft, supply-chain

Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after the extortion group ShinyHunters claimed to have stolen nearly 1 petabyte (1,000 TB) of data during a multi-month breach that went undetected from late 2025 into March 2026.

What Happened

The breach was not a traditional perimeter exploit. Attackers obtained Google Cloud Platform (GCP) credentials that were originally harvested during a 2025 supply-chain attack on Salesloft Drift, which exposed OAuth tokens belonging to Telus Digital service accounts.

Using those credentials, ShinyHunters accessed a large BigQuery instance and pulled its datasets, then ran an automated secret scanner (trufflehog) over the exfiltrated data to find hardcoded secrets embedded in the records themselves. Those secondary credentials gave them lateral movement into internal source code repositories and deeper production systems: the first stolen token bought the dataset, and the dataset bought the rest.

The breach is described as a "multi-month" event, with unauthorized access dating back to late 2025, before being detected and publicly confirmed on March 12, 2026.

Scope of the Stolen Data

ShinyHunters claims the exfiltrated data includes material for approximately 28 major global brands that Telus Digital services as a BPO provider:

Category and details claimed:

  • BPO operational data: support tickets, agent performance records, content moderation workflows
  • Telecommunications records: consumer call detail records (CDRs), voice recordings of support calls, campaign data
  • Sensitive identity information: FBI background checks, financial records, Salesforce data
  • Source code: repositories spanning multiple business divisions

Telus Digital has publicly acknowledged "unauthorized access to a limited number of systems" while stating that its systems remain "fully operational." The company says impacted BPO customers are being notified as the forensic investigation progresses.

Extortion Demand

ShinyHunters demanded $65 million to prevent public release of the stolen data. Telus Digital has reportedly not engaged in ransom negotiations. Law enforcement and third-party forensic firms are involved in the ongoing investigation.

Why This Is Worse Than a Standard Breach

Telus Digital acts as a trusted BPO intermediary for dozens of enterprise clients. A compromise of their GCP environment effectively turns Telus into a trusted pathway into the support infrastructure, AI workflows, and customer data of every company they serve.

The attack also illustrates a dangerous credential hygiene failure: secrets stolen in a 2025 supply-chain incident remained valid and exploitable for months into 2026, with no evidence of a systematic rotation policy being enforced.

Indicators of Compromise & Remediation

Organizations using Telus Digital or similar BPO providers should treat this as a potential exposure event and prioritize the following:

Immediate Actions

Secret Rotation

TERMINAL_CODE
# Priority Checklist
- Rotate all GCP / AWS service account keys, starting with any account a BPO integration could reach
- Invalidate and reissue Salesforce OAuth tokens for connected apps (the Salesloft Drift incident exposed exactly this class of token)
- Reset any secrets found stored in BigQuery datasets or Cloud Storage buckets, and review the Data Access audit logs for those resources to see who has read them
- Revoke any third-party BPO-linked service account credentials

Secret Scanning

Run trufflehog or gitleaks across internal documentation, support-case archives, and any systems accessible to BPO environments to identify leaked plaintext credentials before attackers do.

TERMINAL_CODE
trufflehog filesystem /path/to/internal/docs --only-verified
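The scanning step matters on both sides of this incident: it is how the attackers turned a BigQuery dump into repository and production access, and it is the pass defenders should run over their own support-case archives first. The block below is an added example, not Telus Digital's, ShinyHunters' or trufflehog's own code. It applies the same technique (pattern rules plus an entropy filter) to a constructed newline-delimited JSON export; every ticket, key and token in it is fake, and the regexes and the 4.0-bit entropy threshold are assumptions chosen for the example rather than trufflehog's detector set.

```python
"""Secret scan over a dumped dataset (added example; all sample rows constructed)."""
import json
import math
import re
from typing import Dict, List

# Constructed newline-delimited JSON, the shape a BigQuery extract job produces.
# AKIAIOSFODNN7EXAMPLE is AWS's documented example key id; everything else is invented.
SAMPLE_EXPORT = "\n".join([
    json.dumps({"ticket_id": 1001, "body": "Customer cannot log in; password reset sent."}),
    json.dumps({"ticket_id": 1002, "body": "Sync job config uses AKIAIOSFODNN7EXAMPLE for S3"}),
    json.dumps({"ticket_id": 1003, "body": '{"type": "service_account", "project_id": "demo-prj", '
                '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQFAKEKEY\\n-----END PRIVATE KEY-----\\n", '
                '"client_email": "sync@demo-prj.iam.gserviceaccount.com"}'}),
    json.dumps({"ticket_id": 1004, "body": "Webhook bearer token: xK9f2LmQ7vR4tY8wZ1aB3cD5eF6gH0jN"}),
    # long but low-entropy run: a real scanner must not flag this
    json.dumps({"ticket_id": 1005, "body": "Batch marker aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa, ignore"}),
])

# Detection rules (assumptions for this example; trufflehog's own detectors are
# more elaborate and verify candidates against the issuing service).
RULES = {
    # AWS access key ids: AKIA (long-term) or ASIA (temporary) plus 16 uppercase/digits
    "aws_access_key_id": re.compile(r"(?<![A-Z0-9])(?:AKIA|ASIA)[A-Z0-9]{16}(?![A-Z0-9])"),
    # GCP service-account JSON key: "type": "service_account" followed by a PEM private key
    "gcp_service_account_key": re.compile(
        r'"type"\s*:\s*"service_account"[\s\S]*?-----BEGIN PRIVATE KEY-----'),
    # Any 32+ char token-shaped run; filtered by entropy below
    "generic_high_entropy_token": re.compile(
        r"(?<![A-Za-z0-9_\-])[A-Za-z0-9_\-]{32,}(?![A-Za-z0-9_\-])"),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; assumed cut-off, tune per corpus


def shannon_entropy(text: str) -> float:
    """Bits per character; random tokens score well above identifiers and padding."""
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in (text.count(ch) for ch in set(text)))


def scan_record(record: Dict) -> List[Dict]:
    """Run every rule over every string field of one exported row."""
    findings = []
    for field, value in record.items():
        if not isinstance(value, str):
            continue
        for rule, pattern in RULES.items():
            for match in pattern.finditer(value):
                token = match.group(0)
                if rule == "generic_high_entropy_token" and shannon_entropy(token) < ENTROPY_THRESHOLD:
                    continue  # IDs, padding and repeated characters are noise
                findings.append({"ticket_id": record.get("ticket_id"), "field": field,
                                 "rule": rule, "sample": token[:4] + "[redacted]"})
    return findings


def scan_export(ndjson: str) -> List[Dict]:
    """Scan a newline-delimited JSON export line by line (streams fine for big dumps)."""
    findings = []
    for line in ndjson.splitlines():
        if line.strip():
            findings.extend(scan_record(json.loads(line)))
    return findings


if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Run it against a real export and every hit is a credential to rotate now, whether or not the attacker got there first; the entropy filter is what keeps the third rule from drowning you in order numbers and batch markers.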

Detection & Monitoring

Signal and what to look for:

  • BigQuery anomalies: export (extract) jobs, queries billing unusually large byte volumes, and service accounts touching datasets outside the set they normally use
  • GCP audit logs: IAM Credentials calls (GenerateAccessToken, GenerateIdToken, SignBlob, SignJwt, the operations granted by roles/iam.serviceAccountTokenCreator) from unexpected principals, and creation of new user-managed service account keys
  • Salesforce OAuth: connected-app logins from unfamiliar IPs, and integration tokens whose last rotation predates the 2025 Salesloft Drift incident
  • Network egress: large outbound transfers from BigQuery or Cloud Storage buckets, especially to destinations outside your VPC Service Controls perimeter
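The BigQuery and audit-log signals above are cheap to check once the logs are exported from Cloud Logging. The block below is an added example, not Telus Digital's detection content: it runs those checks (bulk export jobs, large billed reads, service accounts reaching datasets outside their baseline, unexpected IAM Credentials token minting) over a handful of constructed Cloud Audit Log entries. Field names follow BigQueryAuditMetadata and the IAM Credentials audit log only as far as the example needs; the principals, projects, IPs, byte counts, the 500 GB read threshold and the baselines are invented.

```python
"""Detection pass over GCP audit log entries (added example; all entries constructed)."""
from typing import Dict, List, Set

GB = 1024 ** 3
# Methods behind roles/iam.serviceAccountTokenCreator, matched on the method-name suffix
TOKEN_MINT_METHODS = {"GenerateAccessToken", "GenerateIdToken", "SignBlob", "SignJwt"}


def bq_entry(principal: str, ip: str, job: Dict) -> Dict:
    """Constructed BigQuery JobService.InsertJob audit entry."""
    return {"protoPayload": {
        "serviceName": "bigquery.googleapis.com",
        "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip},
        "metadata": {"jobChange": {"job": job}}}}


def iam_entry(principal: str, ip: str, method: str) -> Dict:
    """Constructed IAM Credentials audit entry."""
    return {"protoPayload": {
        "serviceName": "iamcredentials.googleapis.com",
        "methodName": method,
        "authenticationInfo": {"principalEmail": principal},
        "requestMetadata": {"callerIp": ip}}}


SA_ANALYTICS = "analytics@demo-prj.iam.gserviceaccount.com"
SA_BPO = "bpo-sync@demo-prj.iam.gserviceaccount.com"
SA_DRIFT = "drift-integration@demo-prj.iam.gserviceaccount.com"
SA_CI = "ci-deployer@demo-prj.iam.gserviceaccount.com"

SAMPLE_LOG = [
    bq_entry(SA_ANALYTICS, "10.0.4.12", {            # normal: small read of its own dataset
        "jobConfig": {"type": "QUERY"},
        "jobStats": {"queryStats": {"totalBilledBytes": str(2 * GB),
            "referencedTables": ["projects/demo-prj/datasets/support/tables/tickets"]}}}),
    bq_entry(SA_BPO, "203.0.113.77", {               # extract job of a telecom table
        "jobConfig": {"type": "EXPORT",
            "extractConfig": {"sourceTable": "projects/demo-prj/datasets/telecom/tables/cdr"}},
        "jobStats": {}}),
    bq_entry(SA_BPO, "203.0.113.77", {               # 800 GB read of an HR table
        "jobConfig": {"type": "QUERY"},
        "jobStats": {"queryStats": {"totalBilledBytes": str(800 * GB),
            "referencedTables": ["projects/demo-prj/datasets/hr/tables/background_checks"]}}}),
    iam_entry(SA_DRIFT, "203.0.113.77", "GenerateAccessToken"),   # token minting by an integration SA
    iam_entry(SA_CI, "10.0.9.3", "google.iam.credentials.v1.IAMCredentials.GenerateAccessToken"),
]

# Per-principal baseline of datasets each normally touches (in practice, built from history)
BASELINE: Dict[str, Set[str]] = {SA_ANALYTICS: {"demo-prj.support"}, SA_BPO: {"demo-prj.support"}}
# Principals allowed to mint tokens for other service accounts
TOKEN_MINTERS: Set[str] = {SA_CI}


def dataset_of(table_ref: str) -> str:
    """'projects/p/datasets/d/tables/t' -> 'p.d'"""
    parts = table_ref.split("/")
    return f"{parts[1]}.{parts[3]}"


def analyze(entries: List[Dict], baseline: Dict[str, Set[str]], token_minters: Set[str],
            bulk_read_bytes: int = 500 * GB) -> List[Dict]:
    """Return one alert dict per triggered rule, keyed by rule, principal and caller IP."""
    alerts: List[Dict] = []
    for entry in entries:
        p = entry["protoPayload"]
        principal = p.get("authenticationInfo", {}).get("principalEmail", "unknown")
        ip = p.get("requestMetadata", {}).get("callerIp", "?")
        service, method = p.get("serviceName"), p.get("methodName", "")
        if service == "iamcredentials.googleapis.com" and method.rsplit(".", 1)[-1] in TOKEN_MINT_METHODS:
            if principal not in token_minters:
                alerts.append({"rule": "unexpected_token_mint", "principal": principal,
                               "caller_ip": ip, "detail": method})
        elif service == "bigquery.googleapis.com":
            job = p.get("metadata", {}).get("jobChange", {}).get("job", {})
            config = job.get("jobConfig", {})
            stats = job.get("jobStats", {}).get("queryStats", {})
            billed = int(stats.get("totalBilledBytes", 0))   # int64 fields arrive as strings
            touched = {dataset_of(t) for t in stats.get("referencedTables", [])}
            source = config.get("extractConfig", {}).get("sourceTable")
            if source:
                touched.add(dataset_of(source))
            if config.get("type") == "EXPORT":
                alerts.append({"rule": "bulk_export", "principal": principal, "caller_ip": ip, "detail": source})
            if billed >= bulk_read_bytes:
                alerts.append({"rule": "bulk_read", "principal": principal, "caller_ip": ip,
                               "detail": f"{billed // GB} GB billed"})
            unusual = touched - baseline.get(principal, set())
            if unusual:
                alerts.append({"rule": "unusual_dataset", "principal": principal, "caller_ip": ip,
                               "detail": ", ".join(sorted(unusual))})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG, BASELINE, TOKEN_MINTERS):
        print(alert)
```

Note that the per-principal dataset baseline is what catches the interesting case here: a BPO-linked service account reading an HR table is suspicious at any byte count, and the bulk thresholds only add confidence.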

Hardening

  • Enforce MFA for the human accounts that administer third-party integrations; service accounts cannot do MFA, so replace their static key files with Workload Identity Federation and short-lived tokens, and keep an inventory of any user-managed keys that remain
  • Apply VPC Service Controls to put BigQuery and Cloud Storage inside a perimeter that BPO access environments cannot reach directly
  • Use Sensitive Data Protection (Cloud DLP) to find where sensitive data lives in Cloud Storage and BigQuery, and alert from the BigQuery audit logs on export jobs and query volumes above defined thresholds
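The rotation item in the checklist and the static-key point in the hardening list come down to the same question: which user-managed keys exist, how old are they, and which to delete first. The block below is an added example, not Telus Digital's tooling. It takes a key list in the shape the IAM API's projects.serviceAccounts.keys.list returns, which is what `gcloud iam service-accounts keys list --iam-account=SA --managed-by=user --format=json` prints, and ranks keys past an assumed 90-day limit. The key records, emails, dates and the 2026-03-14 "as of" date are constructed.

```python
"""Inventory of static service-account keys due for rotation (added example; records constructed)."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

AS_OF = datetime(2026, 3, 14, tzinfo=timezone.utc)   # assumed 'today' for the example


def parse_ts(ts: str) -> datetime:
    """RFC 3339 timestamps as the IAM API emits them ('...Z')."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


# Constructed key records. SYSTEM_MANAGED keys are rotated by Google; USER_MANAGED
# keys are the static JSON files that end up in repos, tickets and BPO laptops.
SAMPLE_KEYS: List[Dict] = [
    {"name": "projects/demo-prj/serviceAccounts/bpo-sync@demo-prj.iam.gserviceaccount.com/keys/1a2b3c4d",
     "keyType": "SYSTEM_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2026-03-01T00:00:00Z", "validBeforeTime": "2026-03-15T00:00:00Z"},
    {"name": "projects/demo-prj/serviceAccounts/bpo-sync@demo-prj.iam.gserviceaccount.com/keys/5e6f7a8b",
     "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2025-05-20T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/demo-prj/serviceAccounts/drift-integration@demo-prj.iam.gserviceaccount.com/keys/9c0d1e2f",
     "keyType": "USER_MANAGED", "keyOrigin": "USER_PROVIDED",   # uploaded key: private half was never Google's
     "validAfterTime": "2025-08-05T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": "projects/demo-prj/serviceAccounts/ci-deployer@demo-prj.iam.gserviceaccount.com/keys/3a4b5c6d",
     "keyType": "USER_MANAGED", "keyOrigin": "GOOGLE_PROVIDED",
     "validAfterTime": "2026-03-04T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
]


def split_key_name(name: str) -> Tuple[str, str]:
    """'projects/p/serviceAccounts/<email>/keys/<id>' -> (email, id)"""
    parts = name.split("/")
    return parts[3], parts[5]


def stale_user_managed_keys(keys: List[Dict], now: datetime, max_age_days: int = 90) -> List[Dict]:
    """User-managed keys older than max_age_days, oldest first."""
    stale = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue   # Google rotates system-managed keys itself
        email, key_id = split_key_name(key["name"])
        age = (now - parse_ts(key["validAfterTime"])).days
        if age > max_age_days:
            stale.append({"service_account": email, "key_id": key_id, "age_days": age,
                          "uploaded": key.get("keyOrigin") == "USER_PROVIDED",
                          "never_expires": parse_ts(key["validBeforeTime"]).year >= 9999})
    return sorted(stale, key=lambda k: k["age_days"], reverse=True)


def rotation_commands(stale: List[Dict]) -> List[str]:
    """Deletion commands; issue the replacement credential (ideally via WIF) before running them."""
    return [f"gcloud iam service-accounts keys delete {k['key_id']} --iam-account={k['service_account']}"
            for k in stale]


if __name__ == "__main__":
    stale = stale_user_managed_keys(SAMPLE_KEYS, AS_OF)
    for key in stale:
        print(key)
    for cmd in rotation_commands(stale):
        print(cmd)
```

Keys marked uploaded deserve a second look: the private key was generated outside Google, so its copies are wherever the uploader left them, and deleting the key in IAM is the only way to be sure.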

YARA Detection Rule

A rule for environments hunting for TruffleHog-related tooling abuse or other indicators of this intrusion pattern. Treat hits as hunting leads rather than blocking signals: "trufflehog" and "gitleaks" appear wherever secret scanning is run legitimately (CI pipelines, the remediation step above), and "service_account" is in every GCP service-account key file, so each hit needs triage against the host's expected role:

TERMINAL_CODE
rule ShinyHunters_CloudCred_Harvesting {
    meta:
        description = "Detects TruffleHog/gitleaks secret scanning patterns alongside GCP credential and BigQuery strings in process memory or disk artifacts"
        author = "4nuxd.one"
        date = "2026-03-14"
    // Hunting rule: every string below also occurs in legitimate tooling and key files,
    // so the 3-of-5 condition narrows, but does not eliminate, benign hits
    strings:
        $s1 = "trufflehog" ascii nocase               // scanner binary name or argv
        $s2 = "gitleaks" ascii nocase                 // alternative scanner
        $s3 = "GOOGLE_APPLICATION_CREDENTIALS" ascii  // env var pointing at a key file
        $s4 = "service_account" ascii                 // "type": "service_account" in GCP key JSON
        $s5 = "bigquery.googleapis.com" ascii         // BigQuery API endpoint
    condition:
        3 of ($s*)
}

Key Takeaways

  • Supply-chain credentials have a long shelf life: tokens stolen in one breach stay active until explicitly rotated. Here, credentials taken in the 2025 Salesloft Drift incident were still live in March 2026.
  • BPO environments expand your attack surface — any third party with access to your cloud resources is a potential pivot point. Treat them as an external threat vector.
  • BigQuery is not inherently safe — large-scale cloud analytics environments with broad service account permissions represent a high-value exfiltration target, not just a storage cost concern.
  • Secret scanning is a mandatory practice — both internally and for data shared with BPO partners.

The investigation is ongoing. Organizations with historical or current Telus Digital BPO relationships should contact their account representatives for breach scope confirmation and initiate credential rotation regardless of official notification status.
