TELUS Digital Confirms Cybersecurity Breach Involving Unauthorized System Access
ShinyHunters allegedly stole nearly 1 petabyte from TELUS Digital using credentials lifted from a prior Salesloft breach, then demanded $65 million.

ShinyHunters did not start with TELUS. The extortion group's path in began a year earlier, when attackers compromised Salesloft's GitHub environment and stole OAuth tokens from the Drift chatbot integration. Those tokens unlocked Salesforce data belonging to hundreds of organizations, and buried inside that stolen dataset were Google Cloud Platform credentials tied to TELUS Digital.
ShinyHunters used those GCP credentials to access numerous TELUS company systems, including a large BigQuery instance. After downloading that data, the threat actors ran the cybersecurity tool TruffleHog against it to search for additional credentials embedded in files and logs, then used the newly discovered secrets to pivot into other TELUS systems and download further data.
TELUS Digital, the Canadian business process outsourcing giant, confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data in a multi-month breach. The company stated: "TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely."
The breach, which went undetected for months, exposed customer records, voice recordings, source code, and call metadata spanning both corporate clients and TELUS's own consumer telecom division. The threat actors say much of the data relates to BPO services provided by TELUS Digital, including customer support and call center outsourcing, agent performance ratings, AI-powered customer support tools, fraud detection and prevention, and content moderation solutions.
ShinyHunters attempted to extort TELUS in February, demanding $65 million in exchange for not leaking the company's data, but TELUS has not responded to their demands. That non-engagement fits a documented pattern: in late 2025, the group was linked to the theft of nearly one billion records from 39 companies including GAP and Qantas, and in early 2026 they targeted Dutch telecom Odido and threatened to release millions of customer records.
In total, ShinyHunters claimed to have stolen close to 1 petabyte of data belonging to TELUS and many of its customers, though the total size of the stolen data has not been independently confirmed. The threat actors shared the names of 28 well-known companies allegedly impacted by the breach, but it has not been independently verified that those companies were affected.
TELUS said in a fuller statement that "all business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services." The company added that it had "engaged leading cyber forensics experts to support our investigation" and is "working with law enforcement," while implementing additional security measures and notifying any impacted customers "as appropriate."
TELUS Digital is the digital services and BPO arm of Canadian telecommunications provider TELUS, providing customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide. Because BPO providers often handle customer support, billing, and internal authentication tools for multiple companies, they represent attractive targets for threat actors seeking access to large volumes of customer and corporate data through a single breach.
ShinyHunters has also recently deployed device code vishing to obtain Microsoft Entra authentication tokens, using stolen credentials and auth codes to hijack SSO accounts and breach connected enterprise services including Salesforce, Microsoft 365, Google Workspace, SAP, Slack, and Atlassian. The TELUS breach, still under active investigation, underscores how a single supply-chain credential exposure in 2025 cascaded into one of the largest claimed data thefts in recent Canadian corporate history.

