PROBABLYPWNED
Data Breaches · March 17, 2026 · 4 min read

ShinyHunters Claims 1 Petabyte Theft from Telus Digital, Demands $65M

Canadian BPO giant confirms breach after ShinyHunters claims massive data theft including call recordings, source code, and FBI background checks. Ransom ignored.

Sarah Mitchell

Canadian business process outsourcing giant Telus Digital has confirmed a security incident after threat actors known as ShinyHunters claimed to have stolen nearly one petabyte of data during a multi-month breach. The attackers demanded $65 million in ransom, which Telus has reportedly ignored.

BleepingComputer reports that ShinyHunters gained initial access using Google Cloud Platform credentials found in data stolen during the 2025 Salesloft Drift breach. That chain of compromise shows how a secret that ends up in data held by one third-party service becomes an entry point at another: the key was issued by Telus Digital for its own cloud environment, but it was exposed through a vendor's breach rather than through any weakness in that environment.

Scale of the Compromise

ShinyHunters claims to have exfiltrated close to 1 petabyte—roughly 1,000 terabytes—of data belonging to Telus Digital and many of its BPO clients. The stolen data allegedly includes:

  • Customer support call recordings - Voice recordings from outsourced support operations
  • Agent performance ratings - Internal HR and quality assurance data
  • Source code - Proprietary software developed for or by Telus Digital
  • FBI background check results - Sensitive employee screening data
  • Financial information - Client billing and payment data
  • Salesforce data - CRM records from various operations
  • Fraud detection systems - Tools and methodologies for identifying fraudulent activity
  • AI-powered support tools - Proprietary automation systems

The breadth of data types reflects Telus Digital's role as a major BPO provider. Companies outsource customer support, content moderation, and other functions to Telus Digital, trusting them with access to customer interactions and internal systems. When a BPO provider is breached, every client relationship becomes a potential exposure vector.

How ShinyHunters Got In

According to security researchers, ShinyHunters ran the open-source secret scanner TruffleHog over data stolen in the earlier breach of Salesloft's Drift product. Within that dataset, the scanner turned up Google Cloud Platform credentials belonging to Telus Digital.

Those credentials provided initial access, from which the attackers pivoted to additional systems and spent months exfiltrating data. The $65 million ransom demand came in February, but Telus apparently hasn't responded to the attackers' communications.

This attack chain illustrates a persistent problem in enterprise security: credential sprawl. Secrets do not stay where they are issued. A key pasted into a support ticket, a chat transcript, or a CRM note is stored by whichever vendor holds that record, and a breach at that vendor exposes it. Organizations may have strong internal security practices but remain vulnerable through the data their supply chain partners retain about them.
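The defensive counterpart of what the attackers did is to run the same kind of scan over your own exported data (ticket dumps, chat logs, CRM exports) before someone else does. The block below is an added example written for this article; it is not code from the article, from TruffleHog, or from any party involved in the incident. It checks a set of text records for two things Google Cloud issues: service-account key files (a JSON object with `"type": "service_account"`, a `client_email` under `iam.gserviceaccount.com`, and a PEM private key) and API keys (39 characters starting with `AIza`). The records, the project name and every piece of key material in it are constructed and fake.

```python
"""Scan exported records for Google Cloud credentials (constructed example)."""
import json
import re
from dataclasses import dataclass

# GCP API keys are 39 characters beginning with "AIza" (documented format).
GCP_API_KEY_RE = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")
# A service-account key file is a flat JSON object. Find candidate objects
# with a cheap regex first, then validate the structure properly.
SA_JSON_RE = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}', re.S)
SA_EMAIL_SUFFIX = ".iam.gserviceaccount.com"
SA_REQUIRED_FIELDS = {"project_id", "private_key_id", "private_key", "client_email"}


@dataclass
class Finding:
    record_id: str
    kind: str
    identifier: str  # a redacted hint for triage, never the secret itself


def parse_service_account(blob: str):
    """Return the parsed dict if blob is a structurally valid service-account key, else None."""
    try:
        obj = json.loads(blob)
    except json.JSONDecodeError:
        return None
    if obj.get("type") != "service_account":
        return None
    if not SA_REQUIRED_FIELDS <= obj.keys():
        return None
    if not obj["private_key"].startswith("-----BEGIN PRIVATE KEY-----"):
        return None
    if not obj["client_email"].endswith(SA_EMAIL_SUFFIX):
        return None
    return obj


def scan_record(record_id: str, text: str) -> list[Finding]:
    """Return findings for one record, with identifiers redacted for safe reporting."""
    findings = []
    for match in SA_JSON_RE.finditer(text):
        sa = parse_service_account(match.group(0))
        if sa is not None:
            hint = f"{sa['client_email']} (key id {sa['private_key_id'][:8]}...)"
            findings.append(Finding(record_id, "gcp_service_account_key", hint))
    for match in GCP_API_KEY_RE.finditer(text):
        key = match.group(0)
        findings.append(Finding(record_id, "gcp_api_key", key[:8] + "..." + key[-4:]))
    return findings


def scan_records(records: dict[str, str]) -> list[Finding]:
    """Scan every record in the export and collect findings in record order."""
    out = []
    for record_id, text in records.items():
        out.extend(scan_record(record_id, text))
    return out


# Constructed sample data. The key material is fake and will not authenticate anywhere.
FAKE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0123456789abcdef0123456789abcdef01234567",
    "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEKEYMATERIALFORTESTING\n-----END PRIVATE KEY-----\n",
    "client_email": "svc-export@example-project.iam.gserviceaccount.com",
    "client_id": "000000000000000000000",
})
SAMPLE_RECORDS = {
    "ticket-1001": "Customer asks about an invoice. No attachments.",
    "ticket-1002": "Engineer pasted creds for the export job: " + FAKE_SA_KEY + " please rotate after.",
    "chat-2003": "the maps key is AIzaSyA1b2C3d4E5f6G7h8I9j0K1l2M3n4O5p6Q (constructed)",
    "ticket-1004": '{"type": "service_account", "project_id": "x"}',  # incomplete: not a key file
}

if __name__ == "__main__":
    for f in scan_records(SAMPLE_RECORDS):
        print(f"{f.record_id}: {f.kind} -> {f.identifier}")
```

The structural checks matter: a bare `"type": "service_account"` string in a half-pasted snippet (ticket-1004) is noise, while a complete key file is an immediate rotation task. TruffleHog goes one step further and tries each credential against the provider's API to confirm it is live; this example deliberately stays offline, which is what you want when scanning data you are not sure you are allowed to use.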

ShinyHunters Track Record

ShinyHunters is a prolific threat actor responsible for numerous high-profile breaches. We recently covered their involvement in the Salesforce Aura breach affecting 400 companies. The group specializes in targeting cloud infrastructure and third-party services, using leaked credentials to move between victims.

Their willingness to leak data when ransom demands aren't met makes them particularly dangerous. Organizations that refuse to pay—a decision generally recommended by security experts and law enforcement—should prepare for data publication.

Impact Assessment

The potential fallout extends well beyond Telus Digital itself:

For Telus Digital clients: Any company using Telus Digital for customer support, content moderation, or other BPO services should assume their data may be compromised. This includes customer interactions, internal communications shared with Telus staff, and any systems to which Telus had access.

For Telus employees: FBI background check data and internal HR information create significant identity theft and social engineering risk. Employees—current and former—should monitor credit reports and be alert to targeted phishing that references details only an insider should know.

For the BPO industry: This breach reinforces that BPO providers are high-value targets. They hold concentrated data across multiple clients, and their security practices may not match those of the organizations they serve.

Recommendations

Organizations working with BPO providers should:

  1. Audit credential sharing - Minimize standing access and implement just-in-time provisioning where possible
  2. Review what data BPO partners can access - Principle of least privilege applies to vendors too
  3. Include BPO providers in incident response planning - Know how you'll respond if a vendor is breached
  4. Monitor for exposed credentials - Services like Have I Been Pwned can alert you when accounts on your domain appear in breach dumps; for API keys and cloud service-account keys, run a secret scanner such as TruffleHog over your own repositories, ticketing exports, and chat logs, and rotate anything it finds

For general guidance on responding to third-party breaches, see our data breach response guide. The key is understanding your exposure before incidents occur—by the time a breach goes public, your data may have been circulating for months.

Telus Digital has not disclosed which specific clients were affected or the full scope of the compromise. Organizations with BPO relationships should proactively reach out to their vendors for incident impact assessments rather than waiting for notification.
