ShinyHunters Breaches Telus Digital in One of 2026's Largest Data Thefts
Canadian business process outsourcing giant Telus Digital has confirmed it is investigating a significant cybersecurity incident after the notorious ShinyHunters hacking group claimed to have exfiltrated nearly 1 petabyte (approximately 1,000 terabytes) of data from the company's systems in a multi-month breach. The attackers are demanding $65 million USD in exchange for not leaking the stolen data.
Incident Details
| Detail | Information |
|---|---|
| Victim | Telus Digital (subsidiary of Telus Corporation) |
| Threat Actor | ShinyHunters |
| Data Stolen | ~700 TB to 1 PB (estimates vary) |
| Ransom Demand | $65 million USD |
| Initial Access | Google Cloud Platform credentials from Salesloft Drift breach |
| Discovery Date | March 2026 |
| Status | Under investigation with forensics experts and law enforcement |
How the Breach Happened
ShinyHunters gained initial access to Telus Digital's infrastructure through a supply chain vector. The group discovered Google Cloud Platform (GCP) credentials belonging to Telus within data stolen during an earlier breach of Salesloft Drift, a sales engagement platform.
Using these compromised GCP credentials, ShinyHunters accessed numerous Telus Digital systems, including a large BigQuery data warehouse instance containing massive volumes of customer and operational data. The attackers reportedly maintained persistent access over multiple months before being detected.
What Was Stolen
The scope of the stolen data is staggering, encompassing virtually every aspect of Telus Digital's outsourced services business:
- Customer support data including call center outsourcing records and agent performance ratings
- AI-powered customer support tool data and fraud detection/prevention systems
- Content moderation solutions and related datasets
- Source code from internal repositories
- FBI background check records for employees
- Financial information and Salesforce CRM data
- Voice recordings of customer support calls for various client companies
Impact Assessment
| Category | Impact |
|---|---|
| Data Volume | ~1 PB -- one of the largest data thefts ever reported |
| Affected Parties | Telus Digital, its enterprise clients, and their end customers |
| Business Operations | Telus states operations remain fully functional |
| Financial | $65M extortion demand; potential regulatory fines, litigation costs |
| Regulatory | Canadian privacy law (PIPEDA) notification requirements triggered |
| Supply Chain | Client companies may face secondary breach notifications |
Telus Response
Telus Digital has issued a statement confirming the incident while downplaying operational impact:
"All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement."
Notably, ShinyHunters claims that Telus has not responded to their extortion emails demanding $65 million, which were sent in February 2026.
ShinyHunters Track Record
ShinyHunters is a well-known cybercriminal group responsible for numerous high-profile breaches:
- AT&T (2024) -- 109 million customer records
- Ticketmaster/Live Nation (2024) -- 560 million records via Snowflake breach
- Microsoft GitHub (2020) -- 500GB of source code
- Tokopedia (2020) -- 91 million user accounts
The group has evolved from opportunistic data theft to targeted extortion campaigns against large enterprises, leveraging supply chain compromises to gain initial access through trusted third-party platforms.
Recommendations
For organizations concerned about similar supply chain attacks:
- Audit third-party credentials -- Review all API keys and service account credentials shared with SaaS vendors
- Implement credential rotation -- Regularly rotate GCP, AWS, and Azure service account keys
- Monitor BigQuery access patterns -- Set up anomaly detection for unusual data export volumes
- Segment cloud data warehouses -- Apply least-privilege access to BigQuery datasets
- Review vendor breach notifications -- When a vendor reports a breach, immediately rotate all shared credentials
- Enable Cloud Audit Logs -- Ensure GCP Admin Activity and Data Access audit logs are enabled and monitored
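As an added illustration of the "monitor BigQuery access patterns" and "enable Cloud Audit Logs" items (example code written for this summary, not anything from Telus or the cited reports), the block below aggregates constructed BigQuery Data Access audit-log entries per principal and flags any identity whose processed volume exceeds a baseline or that exports to a bucket outside an assumed trusted prefix. The entry layout is modeled on the BigQueryAuditMetadata format, but the exact field paths, the `TRUSTED_BUCKET` value and every principal name are assumptions for the demo.

```python
import json
from collections import defaultdict

TRUSTED_BUCKET = "gs://corp-warehouse-exports/"  # assumed in-house export bucket

# Constructed Cloud Audit Log (Data Access) entry for one BigQuery job, modeled on the
# BigQueryAuditMetadata layout; the field paths are an assumption for this demo.
def _entry(principal, job_type, total_bytes, uris=()):
    return json.dumps({"protoPayload": {
        "serviceName": "bigquery.googleapis.com",
        "authenticationInfo": {"principalEmail": principal},
        "metadata": {"jobChange": {"job": {
            "jobConfig": {"type": job_type, "extractConfig": {"destinationUris": list(uris)}},
            "jobStats": {"queryStats": {"totalProcessedBytes": str(total_bytes)}}}}}}})

# Constructed log: an analyst doing routine work, and a service account key (the kind
# of credential that can leak through a third-party SaaS breach) bulk-exporting elsewhere.
SAMPLE_LOG = [
    _entry("analyst@example.com", "QUERY", 2 * 10**9),
    _entry("analyst@example.com", "EXPORT", 10**9, [TRUSTED_BUCKET + "daily/a.csv"]),
    _entry("etl-sa@proj.iam.gserviceaccount.com", "QUERY", 900 * 10**9),
    _entry("etl-sa@proj.iam.gserviceaccount.com", "EXPORT", 800 * 10**9, ["gs://bucket-x/d1"]),
    _entry("etl-sa@proj.iam.gserviceaccount.com", "EXPORT", 700 * 10**9, ["gs://bucket-x/d2"]),
]

def summarize(lines):
    """Per principal: bytes processed and EXPORT targets outside TRUSTED_BUCKET."""
    per = defaultdict(lambda: {"bytes": 0, "untrusted_uris": []})
    for line in lines:
        p = json.loads(line)["protoPayload"]
        if p.get("serviceName") != "bigquery.googleapis.com":
            continue
        job = p["metadata"]["jobChange"]["job"]
        s = per[p["authenticationInfo"]["principalEmail"]]
        s["bytes"] += int(job["jobStats"]["queryStats"].get("totalProcessedBytes", 0))
        if job["jobConfig"].get("type") == "EXPORT":
            uris = job["jobConfig"]["extractConfig"]["destinationUris"]
            s["untrusted_uris"] += [u for u in uris if not u.startswith(TRUSTED_BUCKET)]
    return dict(per)

def flag_anomalies(summary, byte_budget=100 * 10**9):
    """Return {principal: [reasons]} for principals over the per-window baseline."""
    flagged = {}
    for principal, s in summary.items():
        reasons = []
        if s["bytes"] > byte_budget:
            reasons.append(f"{s['bytes'] / 10**12:.2f} TB processed exceeds budget")
        if s["untrusted_uris"]:
            reasons.append(f"export to untrusted target: {s['untrusted_uris']}")
        if reasons:
            flagged[principal] = reasons
    return flagged
```

In production the baseline would be derived per principal from historical audit-log volume rather than a fixed budget, and the log lines would come from a Cloud Logging sink rather than an in-memory list.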
Key Takeaways
- Supply chain breaches cascade -- Credentials from one vendor breach (Salesloft Drift) led directly to a 1 PB data theft at Telus Digital
- Cloud data warehouses are high-value targets -- BigQuery, Snowflake, and similar platforms centralize massive datasets, making them attractive for threat actors
- Credential hygiene is critical -- Service account keys discovered in third-party breaches provided the initial foothold
- Extortion is the new playbook -- Rather than immediately dumping data, groups like ShinyHunters now attempt multi-million dollar extortion before resorting to public leaks