Mar 21, 2026 · 5 min read
ShinyHunters Stole 1 Petabyte From TELUS Digital Using Credentials From a Completely Different Breach
The extortion group found Google Cloud credentials inside data stolen from Salesloft's Drift platform, then used them to ransack TELUS Digital's BigQuery instance and pivot into 28 client companies. TELUS rejected the $65 million ransom demand.
When Salesloft's Drift platform was breached last year, most companies checked whether their own customer data was in the leak. TELUS Digital apparently did not check whether its cloud credentials were in it too. ShinyHunters did, and what they found gave them the keys to one of Canada's largest business process outsourcing firms and every company it serves.
On March 11, 2026, TELUS Digital confirmed it had been breached. ShinyHunters claims to have exfiltrated nearly 1 petabyte of data, roughly 1,000 terabytes, making this one of the largest data thefts ever disclosed by a single company.
The Chain Attack: From Drift to TELUS to 28 Companies
This breach did not start at TELUS. It started at Salesloft's Drift conversational marketing platform, which was compromised in an earlier, separate incident. ShinyHunters found Google Cloud Platform credentials belonging to TELUS buried inside the stolen Drift data. Those credentials unlocked a large instance of BigQuery, Google's cloud data warehouse service, holding TELUS Digital's operational data.
But the attackers did not stop there. After downloading the BigQuery data, they ran TruffleHog, an open source scanner that searches large datasets, repositories and cloud storage for hardcoded secrets such as API keys, private keys and passwords, and can check whether what it finds is still live. The scan turned up additional credentials that let them pivot into more TELUS systems, expanding the breach far beyond the initial entry point.
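Defenders can run the same kind of scan over their own exports before an attacker does. The Python below is an added example written for this article, not code from TruffleHog or from TELUS: it walks a constructed set of records (the key-like strings in it are not valid for any account), flags known credential formats and random-looking tokens, and redacts what it reports so the scan output does not become a second leak. The regexes, the entropy threshold and the sample data are assumptions to tune against your own corpus; TruffleHog additionally verifies hits against the issuing service, which this example does not.

```python
"""Scan an exported dataset for embedded credentials.

Added example for this article, not TruffleHog's code. The records below are
constructed; the key-like strings in them are not valid for any account.
"""
import json
import math
import re
from collections import Counter

# Credential formats with a recognisable prefix: AKIA... is an AWS access key
# ID, AIza... is a Google API key. \b keeps them from matching inside a longer
# base64 blob.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
    "google_api_key": re.compile(r"\b(AIza[0-9A-Za-z_\-]{35})\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
KNOWN_PREFIXES = ("AKIA", "AIza")

# Runs of token-ish characters long enough to be a secret without a known
# prefix; judged by entropy below. The threshold is an assumption to tune.
TOKEN_RE = re.compile(r"[A-Za-z0-9_\-+/=]{24,}")
ENTROPY_THRESHOLD = 4.0  # bits per character


def shannon_entropy(s: str) -> float:
    """Bits per character of s's symbol distribution (0.0 for empty)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep enough to triage a finding, never enough to reuse it."""
    return value[:6] + "..." + value[-4:] if len(value) > 12 else "***"


def looks_like_gcp_service_account(text: str) -> bool:
    """A GCP service-account key file is a JSON object with these fields."""
    try:
        obj = json.loads(text)
    except (TypeError, ValueError):
        return False
    return (isinstance(obj, dict) and obj.get("type") == "service_account"
            and "private_key" in obj and "client_email" in obj)


def scan_text(text: str) -> list:
    """Return (kind, redacted_value) findings for one text blob."""
    findings = []
    if looks_like_gcp_service_account(text):
        findings.append(("gcp_service_account_key",
                         redact(json.loads(text)["client_email"])))
    for kind, rx in PATTERNS.items():
        for m in rx.finditer(text):
            findings.append((kind, redact(m.group(0))))
    for m in TOKEN_RE.finditer(text):
        tok = m.group(0)
        if tok.startswith(KNOWN_PREFIXES):
            continue  # already reported by its prefix pattern
        if shannon_entropy(tok) >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy_token", redact(tok)))
    return findings


def scan_records(records) -> list:
    """(record_index, kind, redacted_value) over a sequence of text blobs,
    for example rows exported from a data warehouse."""
    return [(i, kind, val) for i, rec in enumerate(records)
            for kind, val in scan_text(rec)]


# Constructed sample: a benign support row, an AWS key ID (Amazon's documented
# example value), a Google-API-key-shaped string, a service-account key file
# with placeholder key material, and a random-looking session token.
SAMPLE_RECORDS = [
    "Ticket 4471: customer asked about a refund for order 88213",
    "AWS_ACCESS_KEY_ID: AKIAIOSFODNN7EXAMPLE",
    "api_key: AIzaSyD0EXAMPLE0" + "0" * 23,
    json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key_id": "deadbeef",
        "private_key": "-----BEGIN PRIVATE KEY-----\nNOTAREALKEY\n"
                       "-----END PRIVATE KEY-----\n",
        "client_email": "bq-export@example-project.iam.gserviceaccount.com",
        "client_id": "1234567890",
        "token_uri": "https://oauth2.googleapis.com/token",
    }),
    "session_token: q7Rm2XkP9vL4nZ8wT1yB6sH3cJ5dF0gA",
]

if __name__ == "__main__":
    for idx, kind, val in scan_records(SAMPLE_RECORDS):
        print(f"record {idx}: {kind} {val}")
```

The entropy check is what catches secrets with no recognisable prefix, and it is also the source of false positives on hashes, UUIDs and base64 attachments, so in practice the threshold and the minimum token length are set per dataset and hits are triaged by the surrounding field name.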
This is what makes supply chain attacks so devastating. A single set of credentials, left in a third-party platform that was breached months earlier, became the entry point into an entirely different company's infrastructure.
What Was Stolen
TELUS Digital is a BPO company, which means it handles customer support, content moderation, and back office operations for other firms. When a BPO gets breached, it is not just one company's data at risk. ShinyHunters claims the stolen data includes:
- Client BPO datasets including support operations, moderation workflows, and performance metrics
- Source code from internal applications
- Financial information and internal documents
- FBI background check records for employees
- Call recordings and customer interaction logs
The threat actors shared the names of 28 well-known companies allegedly impacted by the breach. TELUS Digital rejected ShinyHunters' $65 million ransom demand, which means the stolen data may eventually appear on dark web marketplaces or leak forums.
Why BPO Breaches Are Worse Than They Sound
Most people have never heard of TELUS Digital, but there is a good chance a company they do business with uses TELUS for customer support or data processing. When you call a support line and share your account details, that data often lives on a BPO's servers, not the company you think you are talking to.
This is the "blast radius" problem with vendor breaches. A single compromise at a major BPO can expose data from dozens of companies simultaneously. Google's threat intelligence team has previously warned that stolen tokens and credentials from vendor compromises "can enable follow on intrusions when reused" across connected systems.
The pattern mirrors what happened when ShinyHunters turned a Salesforce audit tool into a weapon against 400 companies. Attackers increasingly target the vendors and platforms that sit between companies and their customers, because one breach yields access to many.
The Credential Reuse Problem
The most troubling aspect of this breach is the attack vector. TELUS Digital's own security perimeter was not directly penetrated. Instead, credentials stored in a third-party SaaS product were exposed when that product was breached, and nobody rotated them in time.
This happens more often than companies admit. Cloud credentials get embedded in SaaS integrations, CI/CD pipelines, shared documents, and configuration files. When any one of those systems is compromised, every credential stored in it becomes a potential entry point into other organizations. The npm supply chain attack that gave hackers full AWS admin access exploited the same fundamental weakness: credentials that outlived the context they were created in.
What You Can Do
If you have interacted with customer support for any large company in the past two years, your personal data may have passed through a BPO like TELUS Digital. Here is what to watch for:
- Watch for phishing. Stolen support interaction data makes highly convincing phishing emails because attackers know exactly what you contacted a company about. Be skeptical of any follow up communication referencing past support tickets.
- Monitor your accounts. If any of the 28 affected companies are identified publicly, check for unauthorized activity on those accounts.
- Rotate credentials proactively. If you are a developer or IT professional, audit which cloud credentials are stored in third-party SaaS platforms and rotate any that could have been exposed in prior vendor breaches. Where the platform supports it, replace long-lived static keys with short-lived tokens (on Google Cloud, workload identity federation instead of downloaded service-account keys) so there is no durable secret for a vendor to lose in the first place.
- Assume your voice data exists. BPOs record customer calls as standard practice. This breach included call recordings, which means your voice, along with whatever personal details you shared on those calls, may now be in criminal hands.
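For the rotation step above, the audit is easier to automate than to do by eye. The Python below is an added example, not guidance from TELUS, Google or the article: it takes the JSON that `gcloud iam service-accounts keys list --iam-account=<account> --format=json` prints (the sample here is constructed in that shape, with field names taken from the IAM API's ServiceAccountKey resource), skips Google-managed keys, and lists every enabled user-managed key that was already valid when a vendor's exposure window opened or that is older than a chosen maximum age. The audit date, the exposure cutoff and the 90-day limit are placeholders to replace with your own.

```python
"""Flag GCP service-account keys that should be rotated or deleted.

Added example, not guidance from the article or a Google tool. The input is
constructed to mirror the JSON that
`gcloud iam service-accounts keys list --iam-account=<sa> --format=json`
prints; field names follow the IAM API's ServiceAccountKey resource.
"""
import json
from datetime import datetime, timedelta, timezone

SA = ("projects/example-project/serviceAccounts/"
      "bq-export@example-project.iam.gserviceaccount.com")

# Constructed sample: four user-managed keys and one Google-managed key.
# User-managed keys never expire on their own (validBeforeTime 9999-12-31).
SAMPLE_KEYS_JSON = json.dumps([
    {"name": f"{SA}/keys/aaaa1111", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-11-15T09:30:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/bbbb2222", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2026-02-20T08:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/cccc3333", "keyType": "SYSTEM_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2026-03-01T00:00:00Z",
     "validBeforeTime": "2026-03-15T00:00:00Z"},
    {"name": f"{SA}/keys/dddd4444", "keyType": "USER_MANAGED",
     "keyOrigin": "USER_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2025-12-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z", "disabled": True},
    {"name": f"{SA}/keys/eeee5555", "keyType": "USER_MANAGED",
     "keyOrigin": "GOOGLE_PROVIDED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2025-11-01T00:00:00Z",
     "validBeforeTime": "9999-12-31T23:59:59Z"},
])

# Placeholders: the audit date, and the date from which a vendor's data must
# be treated as exposed (substitute the date the vendor disclosed).
NOW = datetime(2026, 3, 21, 12, 0, tzinfo=timezone.utc)
EXPOSURE_CUTOFF = datetime(2025, 8, 1, tzinfo=timezone.utc)
MAX_AGE_DAYS = 90


def load_sample_keys() -> list:
    return json.loads(SAMPLE_KEYS_JSON)


def parse_time(ts: str) -> datetime:
    """RFC 3339 'Z' timestamps as gcloud prints them, as aware datetimes."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def key_id(key: dict) -> str:
    """Last path segment of the key's resource name."""
    return key["name"].rsplit("/", 1)[-1]


def keys_to_rotate(keys, now=NOW, exposure_cutoff=EXPOSURE_CUTOFF,
                   max_age_days=MAX_AGE_DAYS) -> list:
    """(key_id, reason) for every enabled user-managed key that was already
    valid when the exposure window opened, or is simply too old.
    SYSTEM_MANAGED keys are rotated by Google and are skipped; disabled keys
    cannot authenticate and are reported by disabled_user_keys() instead."""
    out = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED" or k.get("disabled", False):
            continue
        created = parse_time(k["validAfterTime"])
        if created <= exposure_cutoff:
            out.append((key_id(k), "valid before the exposure window began"))
        elif now - created > timedelta(days=max_age_days):
            out.append((key_id(k), f"{(now - created).days} days old"))
    return out


def disabled_user_keys(keys) -> list:
    """Disabled user-managed keys left behind; delete them rather than keep."""
    return [key_id(k) for k in keys
            if k.get("keyType") == "USER_MANAGED" and k.get("disabled", False)]


if __name__ == "__main__":
    keys = load_sample_keys()
    for kid, reason in keys_to_rotate(keys):
        print(f"rotate {kid}: {reason}")
    for kid in disabled_user_keys(keys):
        print(f"delete {kid}: disabled but still present")
```

The two functions accept any list in that shape, so real output from the gcloud command can be loaded with `json.load` and passed straight in; run it once per service account, or over the merged output for a whole project, and treat the "valid before the exposure window began" hits as the urgent ones.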
The Bigger Picture
TELUS Digital says its operations remain fully functional and it has engaged external forensics support and law enforcement. But the company rejected the ransom, which means the stolen data's fate now depends entirely on ShinyHunters' next move.
For the rest of us, this breach is a reminder that the companies you trust with your data often outsource it to companies you have never heard of, and those companies store credentials in other companies' platforms. Each link in that chain is a potential point of failure. This time, it took just one set of forgotten cloud credentials to unlock a petabyte of sensitive data belonging to 28 organizations. And the fallout continues: another attacker used a TELUS employee to steal 100GB from Crunchyroll, exposing 6.8 million users just weeks later.