TELUS Digital confirmed in March 2026 that it suffered a massive cyberattack resulting in the theft of approximately 1 petabyte of customer data, with the threat actor group ShinyHunters claiming responsibility for the breach. The incident represents one of the largest data thefts in recent years, exposing sensitive information including customer records, call center logs, source code, voice recordings, and even FBI background check documents.
This article examines the full scope of the breach, how attackers gained access, what data was compromised, and what the incident means for customers and the broader cybersecurity landscape. The breach highlights a critical vulnerability in cloud security practices: ShinyHunters gained initial access to TELUS systems using Google Cloud Platform credentials that had been exposed in an earlier 2025 breach of Salesloft, a customer relationship management platform. From that initial foothold, attackers pivoted through TELUS’s infrastructure, escalating their access and eventually stealing roughly 1 petabyte of data—an extraordinary volume that suggests attackers maintained access for an extended period.
How Did ShinyHunters Breach TELUS Digital’s Systems?
The attack chain began not at TELUS Digital’s front door but at a third-party vendor. In 2025, the cloud software company Salesloft suffered a data breach that exposed credentials and sensitive information. ShinyHunters obtained Google Cloud Platform credentials from that Salesloft breach and used them to access TELUS Digital’s cloud infrastructure. This represents a classic “supply chain attack” pattern: compromising a weaker link in the ecosystem to gain access to a larger target. Once inside TELUS’s Google Cloud environment, attackers systematically moved laterally through the organization’s systems.
Rather than hitting a dead end after stealing one dataset, they pivoted and expanded their access, discovering additional systems and data repositories. This lateral movement phase is where attackers escalated from accessing one compromised credential to having broad visibility across TELUS Digital’s entire infrastructure. The fact that they were able to extract approximately 1 petabyte of data suggests the attack went undetected for weeks or months. This attack vector is particularly concerning because it demonstrates that security breaches at one company inevitably become a liability for all connected organizations. TELUS Digital likely had no idea that Salesloft credentials in the wild posed a direct threat until ShinyHunters was already deep within their systems.

What Specific Data Was Stolen in the TELUS Digital Breach?
The 1 petabyte of stolen data encompasses multiple categories of sensitive information. Customer data and call center records formed a core component of the theft—this includes voice recordings of actual support calls between TELUS employees and customers, complete with any personally identifiable information (names, account numbers, addresses) discussed during those conversations. TELUS Digital operates call centers for multiple clients, so the compromised customer data likely belongs to numerous companies and individuals beyond TELUS itself. Beyond customer records, ShinyHunters obtained TELUS Digital’s proprietary source code, Salesforce business data, and financial information. The attackers also accessed FBI background check documents—an indicator that TELUS Digital processes sensitive government security clearance materials.
Telecommunications call records and campaign data round out the exposed datasets. The breadth of this data suggests TELUS Digital had no meaningful data segmentation in place; once attackers gained access to the cloud environment, they could traverse it freely without encountering additional barriers. One critical limitation is that neither TELUS Digital nor security researchers have provided a complete inventory of affected individuals. A 1 petabyte dataset is so vast that the actual number of compromised records remains unclear—it could represent data from thousands of companies and millions of individuals. Organizations whose data was processed by TELUS Digital may not even realize they’re affected until breach notification letters begin arriving weeks or months later.
The Extortion Demand and ShinyHunters’ Tactics
In February 2026, shortly after the data theft, ShinyHunters initiated extortion, demanding $65 million in exchange for not publicly releasing the stolen data. This demand underscores a reality of modern data breaches: the theft itself is often just the first attack. Criminal groups use stolen data as leverage, threatening public disclosure if organizations refuse to pay. The $65 million demand reflects the alleged scale and sensitivity of the data involved; it is an extraordinarily high extortion ask that suggests ShinyHunters believes TELUS Digital will be motivated to negotiate. Extortion demands of this magnitude create difficult situations for targeted organizations. Paying ransom or extortion demands is increasingly scrutinized by law enforcement and regulators, yet refusing to pay risks public disclosure of sensitive information.
Additionally, paying attackers provides no guarantee they will actually delete the data or honor their word; it merely signals that the organization is willing to pay, potentially inviting future attacks or data sales. TELUS Digital has not publicly disclosed whether it intends to negotiate or pay the extortion demand. The threat to release data also carries different weight depending on what’s in it. Exposed voice recordings of customer support calls are particularly damaging because they often contain unscripted conversations revealing customer issues, account information, and sensitive details. Source code and Salesforce records could provide competitors or other attackers with competitive intelligence or security insights. Financial data might reveal contract values and business relationships. This heterogeneous nature of the stolen data means different victims of the breach face different levels of risk.

Why This Breach Matters More Than Most
TELUS Digital is a major business process outsourcing company, meaning it handles critical functions for dozens or potentially hundreds of other companies. When TELUS Digital is breached, it’s not just one company’s data at risk—it’s the data of all their customers and clients. This multiplier effect is what makes third-party processor breaches so damaging to the broader ecosystem. A customer might have robust security at their own company, yet still have their data compromised because a vendor they trusted was breached. The 1 petabyte volume is worth emphasizing for context. For comparison, major historical breaches like the 2013 Target breach affected roughly 40 million customer records.
The Equifax breach exposed data on approximately 147 million people. A petabyte is 1,000 terabytes; depending on the average record size, the TELUS breach could involve hundreds of millions of affected individuals. This makes it one of the largest data thefts on record in terms of sheer volume, even if the number of unique individuals affected remains unknown. The incident also highlights a growing pattern: attackers are increasingly targeting cloud infrastructure and using stolen credentials as an entry point. Defenders have become accustomed to fighting attacks at network perimeters, but cloud environments require fundamentally different security models. If TELUS Digital had implemented stronger credential management (such as hardware security keys, stricter key rotation, or zero-trust architecture), the Salesloft credentials might never have provided a viable attack path.
What Happened After the Breach Was Disclosed?
TELUS Digital’s public acknowledgment of the breach came after ShinyHunters announced the theft and demanded ransom. Organizations rarely volunteer breach information unprompted; disclosure typically occurs after threat actors go public, journalists report on the incident, or regulators demand answers. The fact that TELUS Digital confirmed the breach indicates they either negotiated with ShinyHunters’ representatives, were approached by journalists, or determined that public acknowledgment was preferable to allowing uncontrolled speculation. Once a breach of this magnitude becomes public, affected organizations face cascading consequences: customer notification requirements in multiple jurisdictions, regulatory investigations, potential fines under data protection laws like GDPR and CCPA, shareholder pressure, and reputational damage.
TELUS Digital must also conduct a forensic investigation to determine exactly what data was stolen, who was affected, and how to prevent similar attacks. However, finding a complete inventory of compromised data is extraordinarily difficult when 1 petabyte of material has been exfiltrated—attackers may copy far more than they actually care about, and defenders must sift through terabytes of logs to reconstruct what left the building. A critical warning: victims of breaches this large often discover months or years later that affected data has been sold on criminal forums or is being used by third parties. The initial extortion demand may be resolved, but the long-term consequences of data being in criminal hands persist indefinitely.

Lessons from Cloud Credential Exposure
The Salesloft-to-TELUS attack chain demonstrates a fundamental cloud security principle: credentials must be treated as secrets, not configuration files. Cloud platforms like Google Cloud Platform use service account credentials (often stored as JSON files or environment variables) to grant programmatic access to resources. If these credentials leak and are not promptly rotated or revoked, they become universal keys to the cloud kingdom.
Many organizations struggle with credential hygiene in cloud environments. Developers may commit credentials to version control, store them in insecure locations, or fail to implement automatic rotation policies. TELUS Digital likely had no automated system in place to invalidate the compromised GCP credentials when they were discovered in the Salesloft breach, meaning attackers enjoyed weeks or months of undetected access using legitimate credentials.
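One way to act on the credential hygiene point above, as an added example that is not from the original article or from any company it names: the Python below scans a working tree for Google Cloud service account key material, whether a standalone JSON key file or a key embedded in an environment file, and flags any key whose `private_key_id` appears on a list of IDs known to be exposed. The function names, the `exposed_key_ids` input and the sample files are assumptions constructed for illustration.

```python
import json
import os
import tempfile

def find_sa_keys(text):
    """Yield service account key objects in text (whole file or embedded JSON)."""
    pos = text.find("{")
    while pos != -1:
        try:
            doc, end = json.JSONDecoder().raw_decode(text, pos)
        except ValueError:
            doc, end = None, pos + 1
        if isinstance(doc, dict) and doc.get("type") == "service_account":
            yield doc
        else:
            end = pos + 1  # not a key: step inside so nested objects are tried
        pos = text.find("{", end)

def scan_tree(root, exposed_key_ids, max_bytes=1_000_000):
    """Triage keys in a working tree; .git is skipped, history needs its own scan."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d != ".git"]
        for name in filenames:
            path = os.path.join(dirpath, name)
            if os.path.islink(path) or os.path.getsize(path) > max_bytes:
                continue
            with open(path, encoding="utf-8", errors="ignore") as fh:
                text = fh.read()
            for doc in find_sa_keys(text):
                kid = doc.get("private_key_id", "unknown")
                action = "revoke-now" if kid in exposed_key_ids else "rotate-and-remove"
                findings.append((action, os.path.relpath(path, root),
                                 doc.get("client_email", "unknown"), kid))
    return sorted(findings)

def demo():
    """Constructed sample tree: placeholder key IDs, no real key material."""
    def key(kid):
        return json.dumps({"type": "service_account", "private_key_id": kid,
                           "private_key": "PLACEHOLDER-NOT-A-KEY",
                           "client_email": "ci@example-proj.iam.gserviceaccount.com"})
    files = {"sa.json": key("a" * 40),
             ".env": "PORT=8080\nGOOGLE_CREDENTIALS=" + key("b" * 40) + "\n",
             "settings.json": json.dumps({"type": "web", "debug": False})}
    with tempfile.TemporaryDirectory() as root:
        for name, body in files.items():
            with open(os.path.join(root, name), "w") as fh:
                fh.write(body)
        return scan_tree(root, exposed_key_ids={"b" * 40})
```

A key flagged revoke-now is one to delete from its service account at once; every other hit still means a long-lived secret is sitting in the tree and should be rotated and moved to a secret store.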
What This Means Going Forward
The TELUS Digital breach will reverberate through the entire business process outsourcing industry. Customers will demand assurances that third-party processors have implemented stronger security controls, and insurance companies may reassess coverage limits for breach scenarios. The incident also demonstrates that even large, established companies are vulnerable to supply chain attacks—there is no size threshold at which an organization becomes “too big” to be successfully compromised.
Looking forward, the cybersecurity industry will likely see increased focus on zero-trust architecture in cloud environments, hardware-based credential protection, and more aggressive credential monitoring. Organizations that process data for others will face greater scrutiny and higher expectations around breach detection and response. For individuals, the TELUS Digital breach serves as a reminder that personal data can be compromised by companies they’ve never heard of—merely doing business with a company that works with TELUS Digital puts you in the potential victim pool.
Conclusion
TELUS Digital’s confirmed cyberattack resulting in the theft of approximately 1 petabyte of customer data represents one of the largest data breaches in recent history. The ShinyHunters threat actor group leveraged credentials stolen in the earlier Salesloft breach to gain initial access to TELUS Digital’s Google Cloud infrastructure, then pivoted through the organization’s systems to exfiltrate massive volumes of sensitive data including customer records, voice recordings, source code, financial information, and FBI background check documents. The attackers subsequently demanded $65 million in extortion payments.
If you believe your data may have been affected by the TELUS Digital breach, monitor your credit reports for suspicious activity, enable multi-factor authentication on all online accounts, and watch for phishing emails or calls claiming to verify your information. For organizations, the incident underscores the critical importance of credential management, lateral movement detection, and zero-trust architecture in cloud environments. Vendor security assessments must now include questions about breach notification timelines, credential rotation policies, and data segmentation practices.
