Article-At-A-Glance: What the Telus Digital Breach Means for Your Business
- Telus Digital confirmed a massive security breach in March 2026 after threat actors claimed to have stolen nearly 1 petabyte of data from the Canadian BPO giant.
- ShinyHunters used a credential chain attack — exploiting Google Cloud Platform credentials found in stolen Salesloft Drift data to access Telus Digital’s systems, including a large BigQuery instance.
- The stolen data goes far beyond contact info — voice recordings, call records, agent performance data, AI tool configurations, fraud detection systems, and Salesforce data tied to 28 major companies were all reportedly taken.
- If your business uses Telus Digital as a BPO provider, your customer data may already be in the hands of extortion actors — and there are specific steps you need to take right now.
- This breach is a wake-up call about third-party vendor risk — keep reading to understand exactly how the attack unfolded and what it means for your security posture going forward.
One breach led to another, and the result is one of the most significant BPO cyberattacks ever confirmed.
On March 12, 2026, Telus Digital — Canada’s largest business process outsourcing provider — confirmed it suffered a security incident after the threat actor group ShinyHunters claimed to have stolen nearly 1 petabyte of data from the company and many of its enterprise clients. The scale of what was allegedly taken is staggering, but more alarming is how they got in. Businesses that rely on third-party vendors for customer support, call center operations, and AI-powered tools need to pay close attention to what happened here.
A 1 Petabyte Theft Just Changed What We Know About BPO Security
To put 1 petabyte in context — that is 1,000 terabytes of data. BleepingComputer, which first broke the story, noted it could not independently confirm the total size of the stolen data, but Telus Digital did confirm the breach is real and that an investigation is underway into what was taken and which customers are affected.
What makes this breach different from a typical smash-and-grab ransomware attack is the method. Security analysts have described the operation as “strategic, disciplined, and optimized for maximum leverage.” ShinyHunters didn’t just encrypt files and demand a ransom. They spent months inside Telus Digital’s systems, mapping out data assets and extracting information that could be used for targeted extortion against both Telus and its enterprise clients.
When Telus Digital declined to negotiate with the attackers, ShinyHunters went public with their claims — a deliberate pressure tactic designed to force a response. This is the new playbook for sophisticated extortion groups, and it is working.
Why BPO Providers Are Goldmines for Hackers
Business process outsourcing providers sit at the intersection of dozens — sometimes hundreds — of enterprise client environments. They handle customer support tickets, process financial transactions, manage fraud detection systems, run call centers, and operate AI-powered tools on behalf of their clients. That means a single successful breach of a BPO provider gives attackers access to a sprawling web of corporate and customer data that would normally require dozens of separate intrusions to collect. Telus Digital is a prime example of exactly this vulnerability.
What ShinyHunters Actually Stole From Telus Digital
According to ShinyHunters, the stolen data spans both Telus Digital’s BPO operations and its consumer telecommunications division. On the BPO side, the group claims to have taken:
- Customer support records and call center outsourcing data
- Agent performance ratings
- AI-powered customer support tool configurations
- Fraud detection and prevention system data
- Content moderation solution data
- Salesforce records tied to 28 major enterprise clients
On the telecommunications side, the alleged stolen data includes detailed call records, voice recordings, and campaign data from Telus’ consumer fixed-line business. Voice recordings, in particular, represent an extreme privacy violation — and a serious liability exposure for every business whose customers spoke with a Telus Digital-powered support line.
Which Types of Businesses Are Directly Exposed
Any organization that used Telus Digital as a BPO provider for customer support, fraud detection, or content moderation is potentially in the blast radius of this breach. The Salesforce data allegedly tied to 28 companies means those organizations may have had their customer support tickets — and everything embedded in them, including credentials and sensitive client details — exposed to ShinyHunters.
How ShinyHunters Got In: The Salesloft Drift Connection
This is where the breach gets technically important for every security team to understand. ShinyHunters didn’t attack Telus Digital directly at first. They used a credential chain attack — exploiting data from a previous breach to unlock access to an entirely different company’s infrastructure.
How One Breach Unlocked Another: The Credential Chain Attack
Earlier in 2026, ShinyHunters conducted the Salesloft Drift breach, during which they downloaded Salesforce data for approximately 760 companies, including customer support tickets. Hidden inside those support tickets were Google Cloud Platform credentials belonging to Telus Digital. This is not an unusual find — engineers and support staff routinely paste API keys, authentication tokens, and access credentials into support tickets, often without realizing the risk.
Once ShinyHunters identified those GCP credentials inside the stolen Drift data, they used them to authenticate directly into Telus Digital’s cloud environment. From there, they accessed numerous internal systems, with the most significant being a large BigQuery instance — Google’s fully managed data warehouse platform, which organizations use to store and analyze massive datasets. A BigQuery instance inside a BPO environment like Telus Digital would contain exactly the kind of structured, organized, high-value data that ShinyHunters was after.
This is not a brute-force attack story. There was no zero-day exploit. No sophisticated malware deployment. ShinyHunters simply used valid credentials that Telus Digital employees had accidentally exposed in a third-party support system — and walked right in.
What Google Cloud Platform Credentials Were Doing in a Support Ticket
This happens more often than most organizations want to admit. When developers or IT staff open support tickets — whether with a SaaS vendor, a cloud provider, or an internal helpdesk — they sometimes paste raw configuration data, environment variables, or authentication strings to describe a problem. If that support platform is later breached, every credential ever shared in those tickets becomes available to attackers. The Salesloft Drift breach turned 760 companies’ support history into an open credential vault.
Why Scanning Stolen Data for Secrets Is Now a Standard Hacker Playbook
ShinyHunters’ approach here reflects a growing trend among sophisticated threat actors: mining previously stolen data for embedded secrets. Once a large dataset is obtained from any breach, automated tools can scan through thousands of support tickets, emails, and documents looking for patterns that match API keys, OAuth tokens, cloud credentials, and database connection strings. The Telus Digital breach is direct evidence that this methodology works at scale — and that the downstream consequences of any data breach can extend far beyond the originally targeted organization.
What Data Was Taken and Why It Is So Dangerous
The breadth of the allegedly stolen Telus Digital data creates compounding risks that go well beyond typical breach scenarios. Voice recordings of customer calls create direct privacy violations under regulations like PIPEDA in Canada and GDPR for any European clients affected. Call records expose behavioral patterns and personal information. Agent performance data could be used for targeted social engineering against Telus Digital staff. And fraud detection system data — arguably the most sensitive category — could give criminal actors a detailed map of how Telus Digital identifies and stops fraud, enabling them to bypass those controls entirely when targeting Telus Digital’s clients in the future.
Customer Support Records, Voice Recordings, and Call Data
The consumer telecommunications side of the breach is where individual privacy exposure becomes most severe. Detailed call records reveal who customers called, when, how long they spoke, and in some cases what was said — especially where voice recordings were captured. For Telus Digital’s enterprise BPO clients, this means their end customers’ private conversations may now be in the hands of an extortion group. That is not a theoretical risk. It is a confirmed data category that ShinyHunters explicitly cited in their claims.
FBI Background Checks, Financial Data, and Source Code
Beyond the call data, ShinyHunters reportedly obtained FBI background check records, financial data, and proprietary source code from within Telus Digital’s systems. Background check data is among the most sensitive categories of personal information that exists — it contains criminal history, employment verification, identity documents, and financial background details. The exposure of this data creates direct harm to individuals, and significant legal liability for any organization whose background check processes ran through Telus Digital’s infrastructure.
Source code exposure is a separate but equally serious problem. When attackers obtain a company’s proprietary source code, they gain a detailed map of how that company’s software works — including where the weak points are. For a BPO provider that builds AI-powered customer support tools and fraud detection systems, exposed source code hands competitors and criminals alike a blueprint for reverse-engineering or exploiting those systems.
Financial data exposure creates both regulatory and reputational consequences. Depending on the nature of the financial records accessed, affected businesses could face mandatory breach notification requirements across multiple jurisdictions simultaneously, with different timelines and disclosure obligations in Canada, the United States, and Europe.
Salesforce Data Tied to 28 Major Companies
The Salesforce records allegedly obtained during the Salesloft Drift breach and subsequently linked to Telus Digital represent a specific and traceable category of exposure. ShinyHunters claims to have downloaded Salesforce data for 760 companies during the Drift breach — and within that dataset, records tied to 28 major organizations were directly connected to Telus Digital’s BPO operations. Those 28 companies now face the reality that their customer support histories, internal case notes, and any credentials or sensitive data shared within Salesforce tickets may be fully compromised.
This is an important detail for security teams to act on immediately. If your organization used Salesforce and also engaged Telus Digital as a vendor — or shared any data pipeline between the two platforms — you should treat your Salesforce environment as potentially compromised until a full audit confirms otherwise.
Telus Digital’s Official Response
Telus Digital confirmed the breach on March 12, 2026, stating that it is currently investigating the scope of what was stolen and which customers were affected. The company has not yet released specific details about the number of individuals or enterprise clients impacted, nor has it provided a timeline for when affected parties will be notified. Prior to the public confirmation, a source told BleepingComputer that ShinyHunters had been attempting to extort Telus Digital — but that Telus was not engaging with the threat actors. The decision not to negotiate ultimately led ShinyHunters to go public with their claims, a pattern increasingly common among extortion groups when target organizations refuse to pay.
What This Breach Reveals About Third-Party Vendor Risk
The Telus Digital breach is not just a story about one company getting hacked. It is a case study in how third-party vendor relationships create cascading security exposure that most organizations have not fully mapped or accounted for. Every BPO contract, every SaaS integration, every cloud platform credential shared with a vendor is a potential attack surface — and most businesses have dozens of these relationships active at any given time.
The Core Problem with Third-Party Risk: Most organizations audit their own security posture regularly but apply far less scrutiny to the vendors who access their data. ShinyHunters didn’t need to breach 28 major companies individually — they breached one BPO provider and got access to all of them simultaneously. That is the definition of supply chain risk, and it is accelerating.
What makes the Telus Digital situation particularly instructive is that the initial entry point wasn’t even Telus Digital’s own infrastructure. It was a support ticket platform used by a sales tool — Salesloft’s Drift product — that contained credentials Telus Digital staff had inadvertently pasted into a customer support interaction. The chain of exposure ran from Drift to Salesforce to Google Cloud Platform to BigQuery to the full Telus Digital environment. Each link in that chain was a vendor relationship.
For businesses evaluating their own exposure right now, the critical question isn’t just “was our data at Telus Digital?” It’s “what credentials, tokens, or sensitive configurations has our team ever shared with any third-party support system?” That is a much harder question to answer — and most organizations don’t have a clean answer ready.
Third-party risk management has historically been treated as a compliance checkbox. Collect a vendor’s SOC 2 report, review it annually, file it away. The Telus Digital breach demonstrates that this approach is dangerously insufficient. A SOC 2 report from Telus Digital would not have revealed that a support ticket platform they used was vulnerable to breach, or that credentials shared in that platform would eventually be used to pivot into their Google Cloud environment.
Your Vendor’s Breach Is Your Breach
When ShinyHunters accessed Telus Digital’s BigQuery instance, they didn’t just access Telus Digital’s data — they accessed the data of every enterprise client whose information was stored there. The legal and regulatory exposure flows directly to those client organizations, not just to Telus Digital. Under frameworks like GDPR, PIPEDA, and various US state privacy laws, the data controller — meaning the business that collected the customer data in the first place — bears primary responsibility for ensuring that data is protected, even when it is processed by a third party.
How to Audit the Security of Every BPO or SaaS Vendor You Use
A meaningful vendor security audit goes beyond reviewing certifications. It requires actively mapping what data each vendor can access, under what authentication model, with what level of logging and monitoring, and with what breach notification SLAs contractually committed. For any vendor operating in a cloud environment — particularly Google Cloud Platform, AWS, or Azure — you should be asking for specific evidence of credential rotation policies, secrets management practices, and incident response procedures that include notification timelines shorter than 72 hours.
Here Are 5 Steps Every Business Should Take Right Now
Whether or not your organization directly used Telus Digital, the attack methodology ShinyHunters used is now documented and will be replicated. Credential chain attacks through third-party support platforms are not going away — they are going to become more common as threat actors realize how much sensitive data lives inside support tickets, sales tools, and cloud platform configurations.
The following steps are not theoretical best practices. They are direct responses to the specific techniques used in the Telus Digital breach, ordered by urgency and impact. Security teams should treat this as an active response checklist, not a future roadmap item.
Start with visibility. You cannot protect what you cannot see, and most organizations have significant blind spots in their third-party access landscape. The steps below are designed to close those blind spots systematically, starting with the highest-risk exposure categories identified in the Telus Digital attack chain.
| Action Item | Priority | Target Timeline | Risk Addressed |
|---|---|---|---|
| Audit all third-party vendor access | Critical | 48 hours | Unauthorized persistent access |
| Scan support tickets for embedded credentials | Critical | 48 hours | Credential chain attacks |
| Rotate GCP and Salesforce authentication tokens | High | 72 hours | Compromised cloud access |
| Enforce zero-trust BPO access policies | High | 2 weeks | Lateral movement after breach |
| Brief security team on credential-chain methods | Medium | 1 week | Detection gap for this attack vector |
1. Audit All Active Third-Party Vendor Access
Pull a complete list of every third-party vendor, BPO provider, SaaS tool, and cloud integration that currently has access to your systems or data. For each one, document exactly what data they can access, what authentication method they use, and when that access was last reviewed. Revoke any access that is no longer needed immediately — dormant vendor access is one of the most common and least-monitored attack surfaces in enterprise environments.
Pay specific attention to vendors operating in shared cloud environments. If a vendor accesses your data through Google Cloud Platform, AWS, or Azure, verify that they are using dedicated service accounts with least-privilege permissions — not shared credentials or broadly scoped API keys. The Telus Digital breach pivoted through GCP credentials that were sitting exposed in a support ticket. That specific scenario is preventable with proper secrets management, but only if someone is actively looking for it.
2. Scan Internal Systems for Exposed Credentials in Support Tickets
This is the specific attack vector that ShinyHunters exploited to move from the Salesloft Drift breach into Telus Digital’s infrastructure. Your team needs to actively search your support ticket history — across every platform you use, including Zendesk, Salesforce Service Cloud, Jira, Drift, Intercom, and any internal helpdesk tools — for any messages containing API keys, OAuth tokens, database connection strings, cloud platform credentials, or environment variables. Tools like GitGuardian, TruffleHog, and similar secrets-scanning platforms can be configured to run against historical ticket data, not just code repositories.
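To make step 2 concrete, here is a small secrets scanner written as an added example for this article (it is not code from Telus Digital, Salesloft, GitGuardian or TruffleHog), run over a constructed export of support tickets; the ticket ids, the pattern set and every sample value are assumptions fabricated for illustration.

```python
import re
from dataclasses import dataclass

# Patterns for the secret types named in the article: cloud platform credentials,
# API keys, OAuth tokens, database connection strings and environment variables.
# The set is illustrative, not exhaustive; a real deployment would tune it.
SECRET_PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "google_oauth_access_token": re.compile(r"\bya29\.[0-9A-Za-z_-]{20,}"),
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "db_connection_string": re.compile(
        r"\b(?:postgres(?:ql)?|mysql|mongodb)://[^\s:]+:[^\s@]+@[^\s]+"),
    "env_var_secret": re.compile(
        r"\b[A-Z][A-Z0-9_]*(?:SECRET|TOKEN|PASSWORD|API_KEY)\s*=\s*\S+"),
}


@dataclass
class Finding:
    ticket_id: str
    secret_type: str
    redacted: str  # never store the full secret in the report


def redact(match_text: str, keep: int = 6) -> str:
    """Keep only a short prefix so the report itself does not leak the secret."""
    return match_text[:keep] + "..." if len(match_text) > keep else "***"


def scan_text(ticket_id: str, text: str) -> list:
    findings = []
    for name, pattern in SECRET_PATTERNS.items():
        for m in pattern.finditer(text):
            findings.append(Finding(ticket_id, name, redact(m.group(0))))
    return findings


def scan_tickets(tickets: list) -> list:
    """Scan the body and every comment of each ticket; attachments are out of scope here."""
    findings = []
    for ticket in tickets:
        for text in [ticket.get("body", "")] + ticket.get("comments", []):
            findings.extend(scan_text(ticket["id"], text))
    return findings


# Constructed ticket export; all values are fake and built to trip the patterns above.
SAMPLE_TICKETS = [
    {"id": "T-1001",
     "body": "Customer cannot log in after the password reset email. Please advise.",
     "comments": ["Resolved: resent reset link."]},
    {"id": "T-1002",
     "body": "Our BigQuery export job fails with 403. Using key "
             + "AIza" + "EXAMPLEKEYNOTREAL".ljust(35, "0") + " from the console.",
     "comments": []},
    {"id": "T-1003",
     "body": "Attaching our service account file inline so you can reproduce:",
     "comments": ['{"type": "service_account", "project_id": "example-project", '
                  '"private_key": "-----BEGIN PRIVATE KEY-----\\nNOTAREALKEY\\n'
                  '-----END PRIVATE KEY-----\\n"}']},
    {"id": "T-1004",
     "body": "Env dump from the failing pod:\nDB_PASSWORD=NotARealPassword\n"
             "DATABASE_URL=postgres://svc_user:NotARealPassword@db.internal.example:5432/tickets",
     "comments": ["Access token in case you need it: ya29." + "EXAMPLE_NOT_A_REAL_TOKEN_0000"]},
]


if __name__ == "__main__":
    for f in scan_tickets(SAMPLE_TICKETS):
        print(f"{f.ticket_id}: {f.secret_type} ({f.redacted})")
```

Every hit is a credential to rotate, not just a ticket to edit: the exposure dates from the moment it was pasted, not from when the scanner found it.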
3. Rotate Google Cloud Platform and Salesforce Authentication Tokens
If your organization has any active or historical connection to Telus Digital, Salesloft, or Drift — rotate every GCP service account key, OAuth token, and Salesforce API credential immediately. Do not wait for confirmation that your specific data was accessed. The credential chain attack used in this breach means that exposure could have occurred at any point in the data pipeline, not just at the final target. Rotation is low-cost and fast. The risk of not rotating is not.
Beyond this specific incident, credential rotation should become a scheduled practice — not an emergency response. Set maximum lifetimes for all cloud platform credentials, enforce automatic rotation through your secrets management tool, and audit who has the ability to create long-lived credentials in your GCP and Salesforce environments. Long-lived credentials are exactly what ShinyHunters found in those Drift support tickets — and exactly what made this breach possible.
4. Enforce Zero-Trust Access Policies Across BPO Relationships
Zero-trust means no user, system, or vendor is trusted by default — even if they are already inside your network or cloud environment. For BPO relationships specifically, this means every access request from a vendor’s systems should be verified, logged, and scoped to the minimum required data at the time of access. Telus Digital’s clients whose data was stored in that BigQuery instance had no visibility into who was accessing it, under what conditions, or when. A zero-trust architecture with proper logging would have detected anomalous access patterns from ShinyHunters’ activity — potentially long before 1 petabyte left the environment.
5. Brief Your Security Team on the ShinyHunters Credential-Chain Method
Detection is only possible when your team knows what to look for. The credential chain methodology — where credentials embedded in one breach are used to pivot into an entirely separate target — requires a specific detection mindset. Your security operations center should be monitoring for authentication events using credentials that haven’t been used recently, logins from unusual geographic locations or IP ranges, and large-volume data access from service accounts that normally show low activity. These are the behavioral signatures of a credential chain attack in progress.
ShinyHunters has been one of the most prolific threat actors targeting companies worldwide, with a documented history of breaches across Salesforce, other cloud SaaS environments, and multiple high-profile organizations including Qantas, Allianz Life, and LVMH. Briefing your team specifically on their methodology — credential harvesting from prior breaches, cloud platform pivoting, and BigQuery data exfiltration — gives your detection capabilities a concrete adversary model to work against, not just a generic threat category.
BPO Breaches Will Keep Happening Until Businesses Demand Better
The Telus Digital breach is not an anomaly. It is the predictable result of an industry-wide pattern where businesses outsource enormous amounts of sensitive operational data to third-party providers without imposing — or verifying — the security standards those providers apply to that data. ShinyHunters didn’t find a novel zero-day vulnerability. They found credentials in a support ticket, used them to log into a cloud database, and spent months extracting data that organizations had handed to a vendor without adequate oversight. Until businesses start treating third-party security audits as a core operational requirement — with contractual teeth, not just compliance paperwork — BPO providers will continue to be the highest-value, lowest-resistance targets in the enterprise threat landscape. The question is not whether another BPO breach will happen. It is which provider, and whose data, will be next.
Frequently Asked Questions
The Telus Digital breach raises immediate questions for security teams, compliance officers, and business leaders trying to understand their exposure and next steps. The answers below are based on confirmed information from the breach disclosure and documented behavior of the ShinyHunters threat actor group.
What is Telus Digital and why was it targeted?
Telus Digital is the business process outsourcing division of Telus, one of Canada’s largest telecommunications companies. It provides services including customer support, call center operations, AI-powered customer engagement tools, fraud detection, and content moderation to enterprise clients worldwide. As a BPO provider, Telus Digital sits at the center of a large web of enterprise data relationships — making it an extremely high-value target for a threat actor looking to access data from multiple organizations through a single breach.
ShinyHunters targeted Telus Digital not because of a specific vulnerability in its perimeter defenses, but because its position as a centralized data processor meant that one successful intrusion would yield data from dozens of enterprise clients simultaneously. That calculus — one breach, many victims — is precisely what makes BPO providers attractive targets for sophisticated extortion groups operating at scale.
Who are ShinyHunters and what is their history of attacks?
ShinyHunters is a prolific cybercriminal extortion group with a documented history of large-scale data theft operations targeting cloud SaaS environments. They have been linked to breaches at major organizations including Qantas, Allianz Life, and LVMH, among others, primarily through Salesforce and cloud platform attack vectors. Their current methodology involves harvesting credentials from prior breaches, scanning stolen data for embedded secrets, and using those secrets to pivot into new, high-value targets — as demonstrated precisely in the Telus Digital attack chain.
How did the Salesloft Drift breach lead to the Telus Digital compromise?
During the Salesloft Drift breach, ShinyHunters downloaded Salesforce data from approximately 760 companies, which included customer support tickets. Within those tickets, the attackers discovered Google Cloud Platform credentials belonging to Telus Digital — credentials that had been pasted into a support interaction by Telus Digital staff. This is the credential chain attack: data stolen in Breach A contains the keys needed to execute Breach B.
Using those GCP credentials, ShinyHunters authenticated directly into Telus Digital’s cloud infrastructure and accessed numerous internal systems, with a large BigQuery instance being the primary data repository compromised. The entire intrusion path required no exploitation of a software vulnerability — only the use of valid credentials that had been inadvertently exposed in a third-party support platform that was itself later breached.
What should businesses do if they use Telus Digital as a BPO provider?
If your organization uses or has previously used Telus Digital as a BPO provider, treat your data as potentially compromised until a formal investigation confirms otherwise. Contact Telus Digital directly to request a specific accounting of what data they hold or have held on your behalf, and whether that data category is within the scope of the confirmed breach investigation. Do not wait for a breach notification letter before taking action — the timeline for formal notifications under PIPEDA and other applicable regulations can extend weeks beyond when you need to start protecting your customers.
Internally, audit every data category you have ever shared with Telus Digital, including customer records, voice call data, support ticket histories, and any Salesforce-connected data pipelines. Brief your legal and compliance teams on the potential notification obligations that may apply if customer data was affected. And review every other active BPO and SaaS vendor relationship using the five-step framework outlined above — because if Telus Digital was in scope for ShinyHunters, other BPO providers are being evaluated by the same threat actors right now.
How common are credential chain attacks through third-party vendors?
Credential chain attacks are becoming one of the dominant intrusion methodologies used by sophisticated threat actors. The core concept — that credentials exposed in one breach can be used to access a completely separate target — has been exploited in numerous high-profile incidents and is now a documented standard technique in adversary playbooks. The availability of large stolen datasets, combined with automated scanning tools that can parse millions of records in hours looking for embedded secrets, has dramatically lowered the effort required to execute this type of attack.
The challenge for defenders is that credential chain attacks are difficult to detect using traditional perimeter security tools. The attacker presents valid credentials, authenticates through normal channels, and initially generates activity that looks like legitimate user behavior. Detection requires behavioral analytics — monitoring for anomalies in access patterns, data volumes, and activity timing — rather than signature-based controls that look for known malicious code or IP addresses.
For most organizations, the realistic answer to “how common are these attacks?” is: far more common than your current logging and monitoring setup is designed to catch. The Telus Digital breach is a documented, confirmed example — but it is one of many. Organizations that have not yet audited their support ticket history for embedded credentials, rotated cloud platform tokens, and implemented behavioral anomaly detection across their vendor access landscape are operating with known, fixable blind spots that threat actors are actively probing right now.
What Every Security Team Should Know About Credential Chain Risk:
- Any credential ever shared in a support ticket should be treated as potentially compromised.
- Cloud platform credentials — GCP, AWS, Azure — are the highest-value targets inside stolen support data.
- Automated secrets scanning tools can find embedded credentials in millions of records in hours.
- Valid credentials generate no perimeter alerts — only behavioral analytics will catch the anomaly.
- Your vendor’s breach notification timeline may be too slow to protect your customers — audit proactively, not reactively.
- ShinyHunters and similar groups are actively mining prior stolen datasets for new pivot opportunities right now.
The Telus Digital breach is a case study that every security team, CIO, and risk officer should walk through in detail with their staff. Not because it is unique — but because it is repeatable, and the techniques used are already being applied elsewhere. The organizations that respond to this breach by hardening their own credential management and vendor access controls are the ones least likely to appear in the next headline.
Businesses looking to strengthen their vendor security posture and protect against credential chain attacks can benefit from working with cybersecurity specialists who focus on third-party risk management and cloud security architecture — because the cost of a proactive audit is a fraction of what a 1 petabyte breach will cost to remediate.