Telus Digital: Telus Digital confirms breach after hacker claims 1 petabyte data theft

Telus Digital Confirms Major Data Breach After ShinyHunters Claims 1 Petabyte Theft

Canadian business process outsourcing (BPO) provider Telus Digital has confirmed a security incident after the threat group ShinyHunters claimed to have stolen nearly 1 petabyte of data in a prolonged breach. Telus Digital, a subsidiary of telecom giant Telus, offers customer support, AI data services, content moderation, and other outsourced operations to global clients, making it a prime target for attackers seeking broad access to corporate and customer data.

The breach was first reported in January, when BleepingComputer contacted Telus but received no response. On June 10, Telus acknowledged the incident, stating it had detected unauthorized access to a limited number of systems and had taken immediate steps to secure them. The company confirmed that business operations remain unaffected, with no disruption to customer connectivity or services. Telus has engaged cybersecurity forensics experts and is collaborating with law enforcement while notifying impacted customers as the investigation progresses.

ShinyHunters, a prolific extortion group, claims the breach began after obtaining Google Cloud Platform credentials from data stolen in the 2023 Salesloft Drift breach. That incident involved the theft of Salesforce data from 760 companies, including support tickets containing credentials later exploited to infiltrate additional platforms. Using these credentials, ShinyHunters accessed Telus systems, including a BigQuery instance, and used tools like TruffleHog to extract further credentials, enabling deeper access.
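The chain described above begins with credentials left in support tickets. As an added example (not from the source article, Telus, or any vendor tool), the Python below sweeps exported ticket text for Google Cloud credential shapes and reports which key to revoke without echoing the secret; the ticket ids, sample bodies, and function names are constructed for illustration, and the patterns are heuristics.

```python
import json
import re

# Heuristic shapes of Google credentials commonly pasted into tickets.
API_KEY_RE = re.compile(r"(?<![\w-])AIza[\w-]{35}(?![\w-])", re.ASCII)
OAUTH_TOKEN_RE = re.compile(r"ya29\.[\w-]{20,}", re.ASCII)
PEM_RE = re.compile(r"-----BEGIN (?:RSA )?PRIVATE KEY-----")

# Constructed sample tickets; every value here is fake.
SAMPLE_TICKETS = {
    "T-1001": 'Customer pasted their key file: {"type": "service_account", '
              '"private_key_id": "0123abcd", "private_key": '
              '"-----BEGIN PRIVATE KEY-----\\nFAKE\\n-----END PRIVATE KEY-----\\n", '
              '"client_email": "svc@example-proj.iam.gserviceaccount.com"} thanks',
    "T-1002": "Maps widget fails with key AIza" + "X" * 35 + " on checkout",
    "T-1003": "Password reset link never arrived.",
}


def _json_objects(text):
    """Yield each JSON object embedded in free text (e.g. a pasted key file)."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
            yield obj
        except ValueError:
            end = pos + 1  # not valid JSON here; try the next brace
        pos = text.find("{", end)


def scan_ticket(ticket_id, body):
    """Return (ticket_id, kind, identifier) findings, never the secret itself."""
    findings = []
    for obj in _json_objects(body):
        if obj.get("type") == "service_account" and "private_key" in obj:
            # Key id plus account name is enough to revoke the exact key.
            ident = f'{obj.get("client_email")} key {obj.get("private_key_id")}'
            findings.append((ticket_id, "gcp_service_account_key", ident))
    for m in API_KEY_RE.finditer(body):
        findings.append((ticket_id, "google_api_key", m.group()[:8] + "..."))
    if OAUTH_TOKEN_RE.search(body):
        findings.append((ticket_id, "google_oauth_token", "ya29..."))
    if PEM_RE.search(body) and not findings:
        findings.append((ticket_id, "bare_private_key", "PEM block"))
    return findings


def scan_all(tickets):
    return [f for tid, body in tickets.items() for f in scan_ticket(tid, body)]
```

Any hit should be treated as a compromised credential: revoke and reissue it, then redact the ticket, since the ticket store itself may already have been copied.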

The stolen data allegedly includes:

  • BPO-related records (customer support logs, agent performance metrics, AI tools, fraud detection systems, and content moderation data)
  • Source code, FBI background checks, financial information, and Salesforce data
  • Voice recordings of support calls for multiple companies
  • Telus consumer telecom data, including call records (timestamps, durations, phone numbers, and metadata)

ShinyHunters shared a list of 28 well-known companies allegedly impacted, though these claims remain unverified. The group attempted to extort Telus in February, demanding $65 million to prevent data leaks, but the company did not engage.

ShinyHunters has been linked to numerous high-profile breaches, including Google, Cisco, PornHub, and Match Group, often targeting Salesforce and cloud SaaS environments. The group has also conducted voice phishing (vishing) attacks, tricking employees into revealing credentials and MFA codes to hijack SSO accounts for platforms like Microsoft 365, Google Workspace, and Slack. Recent tactics include device code vishing to obtain Microsoft Entra authentication tokens.

Source: https://www.bleepingcomputer.com/news/security/telus-digital-confirms-breach-after-hacker-claims-1-petabyte-data-theft/

TELUS Digital cybersecurity rating report: https://www.rankiteo.com/company/telus-digital

"id": "TEL1773332910",
"linkid": "telus-digital",
"type": "Breach",
"date": "2/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': 'Multiple global clients (28 '
                                              'companies allegedly impacted)',
                        'industry': 'Telecommunications, Customer Support, AI '
                                    'Data Services, Content Moderation',
                        'location': 'Canada',
                        'name': 'Telus Digital',
                        'type': 'Business Process Outsourcing (BPO) Provider'}],
 'attack_vector': 'Compromised credentials (Google Cloud Platform)',
 'customer_advisories': 'Notifications in progress',
 'data_breach': {'data_exfiltration': 'Yes (1 petabyte stolen)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (PII, financial data, voice '
                                        'recordings, telecom metadata)',
                 'type_of_data_compromised': ['BPO-related records',
                                              'Source code',
                                              'FBI background checks',
                                              'Financial information',
                                              'Salesforce data',
                                              'Voice recordings',
                                              'Consumer telecom data (call '
                                              'records, metadata)']},
 'date_detected': 'January',
 'date_publicly_disclosed': '2024-06-10',
 'description': 'Canadian BPO provider Telus Digital confirmed a security '
                'incident after the threat group ShinyHunters claimed to have '
                'stolen nearly 1 petabyte of data. The breach involved '
                'unauthorized access to systems, including BPO-related '
                'records, source code, financial information, voice '
                'recordings, and consumer telecom data. ShinyHunters attempted '
                'extortion but Telus did not engage.',
 'impact': {'brand_reputation_impact': 'Potential reputational damage due to '
                                       'data exposure',
            'data_compromised': '1 petabyte',
            'downtime': 'None (business operations unaffected)',
            'identity_theft_risk': 'High (PII and telecom data exposed)',
            'legal_liabilities': 'Potential regulatory fines and legal actions',
            'operational_impact': 'Limited unauthorized access, no disruption '
                                  'to customer connectivity or services',
            'payment_information_risk': 'Potential (financial information '
                                        'exposed)',
            'systems_affected': 'Google Cloud Platform (BigQuery), Salesforce, '
                                'customer support systems, AI tools, fraud '
                                'detection systems, content moderation '
                                'systems'},
 'initial_access_broker': {'data_sold_on_dark_web': 'Potential (ShinyHunters '
                                                    'known for resale)',
                           'entry_point': 'Stolen Google Cloud Platform '
                                          'credentials from 2023 Salesloft '
                                          'Drift breach',
                           'high_value_targets': 'Salesforce, BigQuery, '
                                                 'customer support systems'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, data theft for resale on dark web',
 'post_incident_analysis': {'root_causes': 'Stolen credentials from '
                                           'third-party breach, weak '
                                           'credential management, lack of MFA '
                                           'enforcement'},
 'ransomware': {'data_exfiltration': 'Yes',
                'ransom_demanded': '$65 million',
                'ransom_paid': 'No'},
 'references': [{'source': 'BleepingComputer'}],
 'regulatory_compliance': {'regulatory_notifications': 'Customer notifications '
                                                       'in progress'},
 'response': {'communication_strategy': 'Public disclosure, customer '
                                        'notifications',
              'containment_measures': 'Secured affected systems, limited '
                                      'unauthorized access',
              'incident_response_plan_activated': 'Yes',
              'law_enforcement_notified': 'Yes',
              'third_party_assistance': 'Cybersecurity forensics experts'},
 'threat_actor': 'ShinyHunters',
 'title': 'Telus Digital Major Data Breach After ShinyHunters Claims 1 '
          'Petabyte Theft',
 'type': 'Data Breach',
 'vulnerability_exploited': 'Stolen credentials from 2023 Salesloft Drift '
                            'breach, weak credential management, lack of MFA '
                            'enforcement'}