TELUS Digital ShinyHunters Steal 1 Petabyte via Stolen GCP Credentials

Mar 11, 2026 · ~1PB stolen · 28 clients affected

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE


On March 12, 2026, TELUS Digital - the US$2.7 billion digital customer experience and BPO subsidiary of Canadian telecom giant TELUS Corporation - confirmed it suffered a multi-month breach after the ShinyHunters extortion group claimed to have stolen nearly 1 petabyte of data.

The attackers discovered Google Cloud Platform credentials inside data stolen during the 2025 Salesloft Drift supply chain breach, then used the open-source credential scanner Trufflehog to systematically harvest additional secrets and pivot across TELUS systems over an estimated 5-7 month dwell time.

Stolen data spans customer support recordings, FBI background checks, source code, AI training data, financial records, and call detail records for at least 28 BPO client companies. ShinyHunters demanded $65 million. TELUS did not engage.

TELUS Corporation's stock declined 6.8% in the 30 days following disclosure.

01

KEY FACTS

  • What: ShinyHunters stole an estimated 700TB-1PB of data from TELUS Digital via credential chaining from a third-party breach.
  • Who: TELUS Digital (~79,000 employees, 35+ countries, US$2.658B revenue FY2024), BPO arm of TELUS Corporation (CAD ~$20.1B consolidated revenue FY2024, TSX:T / NYSE:TU). At least 28 client companies' data allegedly exposed.
  • How: Supply chain credential pivot - GCP credentials discovered in Salesloft Drift breach data, amplified via Trufflehog credential scanning, lateral movement through BigQuery and interconnected cloud systems.
  • Data: Customer support tickets, voice recordings, FBI background checks, source code, AI training datasets, Salesforce CRM records, financial documents, call detail records, agent performance data, content moderation data, fraud detection systems.
  • Actor: ShinyHunters (tracked by Google as UNC6040/UNC6395), operating within the Scattered LAPSUS$ Hunters (SLH) collective since August 2025.
  • Impact: $65M ransom demanded (not paid); TELUS Corp stock -6.8%; potential regulatory exposure across Canada, US, EU, UK, Philippines; cascading supply chain risk to 28+ enterprise clients.

02

WHAT HAPPENED

The breach traces its origin not to TELUS Digital's own infrastructure, but to a supply chain compromise that began nearly a year earlier.

Between March and June 2025, threat actors tracked by Google Threat Intelligence as UNC6395 compromised Salesloft's GitHub environment, downloaded source code repositories, and established persistent access.

From that position, they accessed Drift's AWS environment - Drift being the AI-powered chatbot platform Salesloft had acquired - and stole OAuth authentication tokens for Drift customers' third-party integrations.

Between August 8-18, 2025, the attackers used those tokens to impersonate the Drift application and systematically accessed Salesforce environments belonging to over 760 organizations, exfiltrating business contacts, CRM data, and - critically - credentials, API keys, and passwords embedded in support cases.

Salesloft disclosed August 20, 2025. Mandiant contained the incident by September 6.

Inside that stolen dataset, ShinyHunters discovered Google Cloud Platform credentials belonging to TELUS Digital, likely stored in a Salesforce support ticket or internal communication.

Armed with valid GCP credentials, the group authenticated directly into TELUS Digital's cloud environment. They accessed a large BigQuery data warehouse instance and began downloading data.

Using Trufflehog - an open-source secret scanning tool capable of detecting over 800 credential types - the attackers scanned the downloaded BigQuery data for additional secrets. Each discovered credential opened access to another TELUS system.

The chain from one breach to the next compounded exponentially.

Over an estimated 5-7 months (approximately August/September 2025 through January 2026), ShinyHunters methodically exfiltrated data in small batches disguised as normal encrypted traffic. The slow, disciplined approach avoided triggering volume-based egress alerts.

By the time TELUS detected unauthorized access in January 2026, the attackers had already accumulated what they claim is approximately 1 petabyte.

At a sustained 1 Gbps transfer rate, exfiltrating 1PB would require approximately 93 days of continuous transfer - consistent with the multi-month dwell time. BleepingComputer first contacted TELUS about the breach in January 2026; TELUS did not respond.

ShinyHunters began extortion in February 2026, demanding $65 million. TELUS did not reply.

This is not TELUS's first security incident.

In February 2023, a separate threat actor offered to sell 1,000+ private TELUS GitHub repositories and data on 76,000+ employees scraped from a TELUS API for $50,000. On the same day as the ShinyHunters disclosure (March 12, 2026), a separate threat actor compromised a TELUS BPO agent's workstation with malware, capturing Okta SSO credentials that gave access to Crunchyroll's Zendesk (6.8 million records, $5 million ransom demanded).

BleepingComputer confirmed this is a separate incident from the ShinyHunters breach - but two simultaneous compromises of a single BPO provider suggest systemic security failures.

03

THREAT ACTOR

ShinyHunters has evolved from a data theft and dark web resale operation into one of the most prolific cybercrime groups active today. The group emerged around 2020 and has been linked to breaches impacting approximately 1.8 billion records across hundreds of organizations.

Google Threat Intelligence tracks their operations under multiple designations: UNC6040, UNC6240, and UNC6395.

In August 2025, ShinyHunters formed the Scattered LAPSUS$ Hunters (SLH) collective with Scattered Spider and LAPSUS$ operators - assessed by LevelBlue as a federated identity rather than a formal merger, where several players collaborate, amplify each other, and share common infrastructure while retaining operational autonomy.

The collective operates through 16+ Telegram channels and an "extortion-as-a-service" model.

ShinyHunters contributes data theft automation and vishing scalability; Scattered Spider provides social engineering and access brokerage; LAPSUS$ brings media manipulation and extortion expertise.

The group ran BreachForums - the largest English-language cybercrime forum - from June 2023 until US law enforcement seized it in May 2024. In January 2026, internal faction disputes led to the leak of the BreachForums database (323,986 users).

Key arrests have not dismantled operations. French member Sebastien Raoult was sentenced in January 2024 to three years plus $5 million restitution.

Matthew D. Lane (19, Massachusetts) pleaded guilty in June 2025 to the PowerSchool hack and was sentenced to four years plus $14 million restitution - though his connection to ShinyHunters has not been proven in court.

Four French affiliates (ShinyHunters, Hollow, Noct, Depressed) were arrested in June 2025; a fifth member, the British national known as IntelBroker, was arrested in France in February 2025. Core leadership remains operational.

In 2025, ShinyHunters executed three coordinated Salesforce attack campaigns: vishing-based credential theft (June 2025, UNC6040) targeting Google, Cisco, Adidas, and others; the Salesloft Drift OAuth supply chain breach that led to the TELUS compromise (August 2025, UNC6395, 760 companies affected); and the Gainsight integration compromise (November 2025, 200+ instances including Atlassian, DocuSign, GitLab, LinkedIn).

Their 2026 portfolio includes Odido (6.2M Dutch telecom subscribers), Figure Technology (967K accounts), Wynn Resorts (800K+ records), Panera Bread (5.1M accounts), CarGurus (12.4M accounts), and TELUS Digital.

04

WHAT WAS EXPOSED

The claimed ~1PB exfiltration contains data across multiple categories, spanning both TELUS Digital's BPO operations and TELUS Corporation's consumer telecom division:

BPO Client Data (at least 28 alleged client companies): Customer support tickets containing PII of end customers across multiple industries. Voice recordings of customer service calls across multiple BPO client programs - cannot be "reset" like passwords.

Agent performance ratings and evaluation data. AI-powered customer support tool data and training datasets - TELUS Digital delivers 2 billion+ annotations annually for AI training. Content moderation data - trust and safety datasets, moderation policies, and case records.

Fraud detection and prevention system data - algorithms, case histories, detection rules.

Employee Data: FBI background check results - pre-employment screening files for TELUS Digital employees working regulated client accounts.

These contain detailed personal histories including criminal records, credit history, residential history, employment verification, and potentially Social Security numbers. This data is permanent and cannot be changed.

Corporate Data: Source code for proprietary software and internal tools. Salesforce CRM data. Financial information. BigQuery database contents.

TELUS Consumer Telecom Data: Call detail records (CDRs) - call times, durations, source and destination phone numbers, call quality metadata. Campaign data from TELUS' consumer fixed-line business.

The 1PB volume claim, if accurate, makes this one of the largest single-organization data exfiltrations in recorded history by data volume.

BleepingComputer received the names of 28 affected client companies from ShinyHunters but declined to publish them without independent verification.

05

TECHNICAL FAILURE CHAIN

1. Credentials Stored in Support Tickets. TELUS Digital's GCP credentials were found inside Salesforce support ticket data stolen during the Salesloft Drift breach. Credentials should never be stored in or transmitted through support ticket systems.

Secret management platforms (HashiCorp Vault, GCP Secret Manager) exist specifically for this purpose.

2. No Credential Rotation After Third-Party Breach. When Salesloft disclosed the Drift breach in August 2025, TELUS Digital did not rotate all credentials potentially exposed through the Drift/Salesforce integration.

The GCP credentials remained valid for months after the Salesloft breach was public knowledge.

3. No Secret Scanning in Data Stores. TELUS failed to implement automated secret detection in its cloud data stores and support ticket systems. Trufflehog - the same tool the attackers used - could have been deployed defensively to find and rotate exposed credentials.

4. No Egress Monitoring at Scale. Exfiltrating 700TB-1PB over months requires sustained high-volume outbound data transfer from GCP. No DLP or egress monitoring system flagged the anomalous transfer volumes.

Cloud-native egress alerting (GCP VPC Flow Logs, Cloud Armor) should have detected sustained bulk downloads.

5. Excessive BigQuery Permissions. The compromised GCP credentials apparently granted access to a "large BigQuery instance" containing data across multiple BPO clients.

Least-privilege access controls should have limited any single credential's access scope, and client data should have been segmented across separate BigQuery projects or datasets.

6. No Client Data Segmentation. Data for multiple BPO clients was accessible through the same credential chain. Each client's data should reside in isolated environments with separate access controls, preventing a single compromise from cascading across all clients.

7. Multi-Month Dwell Time Without Detection. ShinyHunters operated inside TELUS Digital's environment for an estimated 5-7 months. No user behavior analytics, anomalous access pattern detection, or session monitoring identified the unauthorized access during this period.

As Fritz Jean-Louis of Info-Tech Research Group assessed: "This is strategic, disciplined, and optimized for maximum leverage."

8. No Supply Chain Threat Intelligence. TELUS Digital did not monitor dark web forums or threat intelligence feeds for mentions of its credentials appearing in the Salesloft Drift breach data. Proactive credential monitoring would have identified the exposure before exploitation.

06

INDICATORS OF COMPROMISE

Threat Actor:

  • ShinyHunters / UNC6040 / UNC6240 / UNC6395
  • Part of Scattered LAPSUS$ Hunters (SLH)

Attack Vector (Supply Chain Credential Pivot):

  • Compromised Salesloft GitHub (March-June 2025)
  • Stole OAuth tokens from Drift's AWS environment
  • Used tokens to access 760+ Salesforce instances
  • Found TELUS Digital GCP credentials in Salesforce ticket data
  • Pivoted to BigQuery, used Trufflehog for credential scanning

Tools:

  • Trufflehog (open-source credential scanner)
  • GCP/BigQuery for data access

Exfiltration:

  • ~1 petabyte (700TB-1PB)
  • $65M ransom demanded (not paid)
  • 5-7 month estimated dwell time

07

REGULATORY EXPOSURE

  • PIPEDA (Canada) - Sections 10.1-10.3: mandatory breach notification to Privacy Commissioner of Canada "as soon as feasible" for breaches posing real risk of significant harm; mandatory individual notification; 24-month record retention. One report indicates TELUS failed to meet the required notification timeframe. Fine exposure: up to CAD $100,000 per offense for knowing failure to report, notify, or maintain records.
  • GDPR (EU) - Articles 5(1)(f), 32, 33, 34: TELUS Digital operates in Bulgaria, Romania, and Ireland. If EU citizen data was in BPO client records (highly likely given European operations), TELUS faces: 72-hour notification to lead DPA, individual notification for high-risk breaches, fines up to 4% of parent TELUS Corporation's annual global turnover. Potential fine exposure: up to EUR 537M (4% of CAD ~$20.1B / ~EUR 13.4B).
  • SEC 8-K Disclosure (US) - TELUS Digital was privatized October 2025, but parent TELUS Corporation remains dual-listed on TSX and NYSE (TU). Material cybersecurity incidents at a wholly owned subsidiary require disclosure within 4 business days of materiality determination.
  • US State Breach Notification Laws - FBI background check data containing SSNs triggers notification obligations in all 50 US states. BPO client data may include US consumer PII.
  • CCPA/CPRA (California) - If California residents' data was among BPO client records. Penalty: up to $7,500 per intentional violation.
  • FTC Act Section 5 (US) - Unfair or deceptive trade practices. Failure to implement reasonable security measures for consumer data processed through BPO operations.
  • Philippines Data Privacy Act - TELUS Digital has major operations in the Philippines. 72-hour breach notification required. Penalties up to PHP 5 million plus imprisonment.
  • UK GDPR / DPA 2018 - If UK citizen data was in BPO operations. ICO enforcement. Fines up to GBP 17.5M or 4% of turnover.
  • BPO Client Contractual Obligations - Data processing agreements with 28+ enterprise clients almost certainly include data protection clauses requiring immediate breach notification, indemnification provisions, and potentially contract termination rights. The financial exposure from client claims, lost contracts, and indemnification obligations may exceed regulatory fines.

08

INTELLIGENCE GAPS

The following gaps exist in the public record for this incident:

1. The claimed 1 petabyte exfiltration volume originates from ShinyHunters and has not been independently verified - TELUS Digital's public statement referenced "unauthorized access to a limited number of our systems" without confirming data volume.

2. The identities of the 28 BPO client companies allegedly affected have not been published - BleepingComputer received the names from ShinyHunters but declined to publish without independent verification.

3. The estimated 5-7 month dwell time is an assessment based on the Salesloft Drift breach timeline and exfiltration volume calculations, not a forensically confirmed figure from TELUS or its incident responders.

4. Whether FBI background check data - the most sensitive category claimed - was actually among the exfiltrated material has not been confirmed by TELUS, the FBI, or an independent forensic review.

5. The relationship between the ShinyHunters TELUS breach and the concurrent Crunchyroll compromise remains unresolved.

BleepingComputer was told they are separate incidents, but Crunchyroll's absence from ShinyHunters' Tor leak site and the "hubert" alias suggest at minimum a different operator, while the shared TELUS attack surface and consistent infostealer TTPs suggest possible SLSH ecosystem affiliation.

No threat intelligence firm has published an attribution assessment.

6. Matthew D. Lane's connection to ShinyHunters remains unproven. DataBreaches.Net reported "there has been no evidence presented that supports attributing the extortion of PowerSchool in 2024 to ShinyHunters or to Lane and ShinyHunters working together," though a North Carolina education department received a demand from someone claiming to be ShinyHunters.

7. The operational structure of the SLH collective - specifically whether ShinyHunters, Scattered Spider, and LAPSUS$ truly share operational resources and infrastructure or merely co-brand under a federated identity - remains debated by threat intelligence firms.

09

ZERO|TOLERANCE Advisory

1. Immediate Third-Party Credential Rotation After Upstream Breaches - When Salesloft disclosed the Drift breach in August 2025, TELUS Digital should have immediately rotated all credentials associated with any Salesloft/Drift/Salesforce integration.

The rotation must be comprehensive: not just primary API tokens but every credential that could have been stored in, transmitted through, or accessible from the compromised platform - including OAuth tokens, service account keys, and any secrets referenced in support tickets or integration configurations.

Automated credential rotation using GCP Workload Identity Federation eliminates static credentials entirely by issuing short-lived tokens bound to workload identity.

Organizations should maintain a credential dependency map that links each third-party integration to every internal credential it touches, enabling rapid scoping when a vendor discloses a breach.

2. Secret Scanning Across All Data Stores - Deploy Trufflehog, GitGuardian, or equivalent across all code repositories, databases, support ticket systems, and cloud storage. The same tool the attackers used offensively should have been deployed defensively.

Critically, scanning must extend beyond source code repositories to include Salesforce records, Zendesk tickets, Confluence pages, Slack messages, and any system where employees might paste or reference credentials.

ShinyHunters found GCP credentials inside Salesforce support ticket data - a location that most secret scanning deployments do not cover.
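As an added illustration of item 2 (not code from TELUS or from this article's author), the Python snippet below applies a Trufflehog-style check to support-ticket records instead of repositories: it looks for pasted GCP service account key files and Google API keys, keeps only a hash fingerprint of each secret, and reports the service account identity so the key can be rotated. The ticket records, key material and field names are constructed for the example.

```python
import hashlib
import json
import re
from dataclasses import dataclass

# Google API keys have a well-known fixed shape; a pasted service account key file
# is recognised by its JSON "type" marker plus an inline PEM private key.
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")
SA_KEY_MARKER = re.compile(r'"type"\s*:\s*"service_account"')
SA_PRIVATE_KEY = re.compile(r'"private_key"\s*:\s*"(-----BEGIN PRIVATE KEY-----[^"]*)"')
SA_CLIENT_EMAIL = re.compile(r'"client_email"\s*:\s*"([^"]+\.iam\.gserviceaccount\.com)"')

@dataclass(frozen=True)
class Finding:
    ticket_id: str
    secret_type: str
    identity: str      # which account the credential belongs to, so it can be rotated
    fingerprint: str   # sha256 prefix: lets the finding be tracked without storing the secret

def fingerprint(secret: str) -> str:
    return hashlib.sha256(secret.encode()).hexdigest()[:16]

def scan_ticket(ticket: dict) -> list:
    """Scan a ticket body and all of its comments for embedded GCP credentials."""
    text = "\n".join([ticket.get("body", ""), *ticket.get("comments", [])])
    findings = []
    for m in GOOGLE_API_KEY.finditer(text):
        findings.append(Finding(ticket["id"], "google_api_key", "unknown", fingerprint(m.group(0))))
    # Require both the type marker and a private key: prose that merely mentions
    # "service_account" is not a credential and must not page anyone.
    key = SA_PRIVATE_KEY.search(text)
    if key and SA_KEY_MARKER.search(text):
        email = SA_CLIENT_EMAIL.search(text)
        identity = email.group(1) if email else "unknown"
        findings.append(Finding(ticket["id"], "gcp_service_account_key", identity, fingerprint(key.group(1))))
    return findings

def scan_tickets(tickets) -> list:
    return [f for t in tickets for f in scan_ticket(t)]

# Constructed ticket records; the key material below is a placeholder, not a real key.
SAMPLE_SA_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-bpo-prod",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED-PLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "bq-loader@example-bpo-prod.iam.gserviceaccount.com",
})
SAMPLE_API_KEY = "AIza" + "Sy" + "Example" * 4 + "Examp"   # constructed, 39 chars, not a live key
SAMPLE_TICKETS = [
    {"id": "T-1001", "body": "BigQuery loader keeps failing, attaching the key we run it with:\n" + SAMPLE_SA_KEY,
     "comments": ["Thanks, will look."]},
    {"id": "T-1002", "body": "Maps widget broken on the agent portal.",
     "comments": ["Try key=" + SAMPLE_API_KEY + " in the config, that one works for me."]},
    {"id": "T-1003", "body": 'The docs mention "type": "service_account" but no key was attached.',
     "comments": []},
]
```

Wiring this to a ticketing API is a matter of feeding each exported record to scan_ticket and opening a rotation task per fingerprint.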

3. BPO Client Data Segmentation and Access Controls - Isolate each BPO client's data in separate GCP projects with independent IAM policies, service accounts, and network boundaries.

Implement VPC Service Controls to create security perimeters around each client's data, preventing data movement between projects even if a service account is compromised. No single credential compromise should grant access to multiple clients' data.

Each client project should have its own BigQuery datasets with column-level access controls, its own Cloud Storage buckets with object-level IAM, and its own audit logging pipeline.

BPO operators handle data for dozens of enterprise clients simultaneously - the failure to segment means one compromised credential exposes every client.

4. GCP-Specific Security Controls - Enable VPC Service Controls around all projects containing customer data to prevent data exfiltration even from authorized identities. Deploy Cloud Armor WAF policies on all internet-facing services.

Enable BigQuery audit logging at the dataset level and configure alerts for anomalous query patterns - bulk exports, new query sources, queries at unusual hours, and SELECT * operations on large tables.

Use Cloud DLP to automatically classify and tag sensitive data across BigQuery and Cloud Storage. Enable Access Transparency logs to detect Google support access. Apply organization policy constraints that block creation of long-lived service account keys (iam.disableServiceAccountKeyCreation) and enforce domain-restricted sharing.
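Added example for item 4, not from the article or from TELUS: a small triage routine over BigQuery Cloud Audit Log entries that flags EXTRACT jobs, large scans, unbounded SELECT * queries, unknown principals and off-hours activity, and only raises jobs that trip more than one rule. The log entries are constructed and follow a simplified subset of the BigQueryAuditMetadata jobChange layout; the known-principal inventory, byte threshold and working hours are assumed values.

```python
import json
from datetime import datetime, timezone

# Assumed inventory of principals expected to run jobs in this project.
KNOWN_PRINCIPALS = {"etl-sa@example-bpo-prod.iam.gserviceaccount.com"}
LARGE_SCAN_BYTES = 100 * 1024 ** 3   # assumed per-query threshold (100 GiB)
BUSINESS_HOURS_UTC = range(12, 23)   # assumed working window for this team

def job_fields(entry):
    """Pull the handful of fields the rules need from one audit log entry."""
    p = entry["protoPayload"]
    job = p["metadata"]["jobChange"]["job"]
    cfg = job.get("jobConfig", {})
    stats = job.get("jobStats", {})
    ts = datetime.fromisoformat(entry["timestamp"].replace("Z", "+00:00"))
    return {
        "job": job.get("jobName", "?"),
        "principal": p["authenticationInfo"]["principalEmail"],
        "type": cfg.get("type"),
        "query": cfg.get("queryConfig", {}).get("query", ""),
        "dest": cfg.get("extractConfig", {}).get("destinationUris", []),
        "billed": int(stats.get("queryStats", {}).get("totalBilledBytes", 0)),
        "hour": ts.astimezone(timezone.utc).hour,
    }

def classify(entry):
    """Return (job name, principal, list of rule names that fired)."""
    f = job_fields(entry)
    reasons = []
    if f["type"] == "EXTRACT":                      # table export, e.g. to a GCS bucket
        reasons.append("bulk_export:" + ",".join(f["dest"]))
    if f["billed"] >= LARGE_SCAN_BYTES:
        reasons.append("large_scan")
    q = " ".join(f["query"].split()).upper()
    if "SELECT *" in q and " LIMIT " not in q:       # whole-table read with no bound
        reasons.append("select_star_unbounded")
    if f["principal"] not in KNOWN_PRINCIPALS:
        reasons.append("unknown_principal")
    if f["hour"] not in BUSINESS_HOURS_UTC:
        reasons.append("off_hours")
    return f["job"], f["principal"], reasons

def triage(log_lines, min_rules=2):
    """Keep jobs that tripped at least min_rules rules, to cut single-signal noise."""
    alerts = []
    for line in log_lines:
        job, principal, reasons = classify(json.loads(line))
        if len(reasons) >= min_rules:
            alerts.append((job, principal, reasons))
    return alerts

def _entry(ts, principal, job_id, cfg, billed=0):
    """Build one constructed audit entry in simplified jobChange form."""
    job = {"jobName": "projects/example-bpo-prod/jobs/" + job_id, "jobConfig": cfg,
           "jobStats": {"queryStats": {"totalBilledBytes": str(billed)}}}
    return {"timestamp": ts, "protoPayload": {
        "authenticationInfo": {"principalEmail": principal},
        "metadata": {"jobChange": {"job": job}}}}

LEAKED_SA = "bq-loader@example-bpo-prod.iam.gserviceaccount.com"  # constructed identity
SAMPLE_LOG_LINES = [json.dumps(e) for e in [
    # Routine ETL during the working window: should not alert.
    _entry("2025-10-02T14:05:00Z", "etl-sa@example-bpo-prod.iam.gserviceaccount.com", "etl_1",
           {"type": "QUERY", "queryConfig": {"query": "SELECT id, status FROM support.tickets WHERE day = @d"}},
           billed=2 * 1024 ** 3),
    # Export of a client dataset to an outside bucket at 03:12 UTC by an unexpected principal.
    _entry("2025-10-03T03:12:00Z", LEAKED_SA, "ext_9",
           {"type": "EXTRACT", "extractConfig": {"destinationUris": ["gs://constructed-external-bucket/dump-*.avro"]}}),
    # Unbounded whole-table read of call recording metadata, 400 GiB billed, off hours.
    _entry("2025-10-03T02:40:00Z", LEAKED_SA, "q_77",
           {"type": "QUERY", "queryConfig": {"query": "SELECT * FROM client_acme.call_recordings"}},
           billed=400 * 1024 ** 3),
]]
```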

5. Cloud Egress Monitoring and Data Loss Prevention - Implement GCP VPC Flow Logs with anomaly detection thresholds for outbound data volume. Set egress baselines per project and alert on sustained deviations.

At 1PB, the transfer volume would have been orders of magnitude above normal baselines - even at a disciplined 1 Gbps sustained rate, the exfiltration would have taken approximately 93 days of continuous transfer.

GCP's Packet Mirroring combined with network detection tools should flag sustained high-volume encrypted outbound transfers. Deploy Google Cloud DLP inspection on BigQuery exports and Cloud Storage downloads to detect bulk PII extraction in near-real-time.
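Added example for item 5 (not the article's or TELUS's code): a per-project egress baseline in Python with two rules side by side, the classic single-day spike threshold and a sustained-deviation rule that feeds only unflagged days back into its baseline. The constructed daily totals model the "small batches" pattern described earlier: 30 days of modest excess never trip the spike rule, and even a later loud day is hidden once the naive rolling baseline has absorbed the steady exfiltration. Window sizes and factors are assumed tuning values.

```python
from statistics import median

TB = 10 ** 12
BASELINE_WINDOW = 14    # days of history behind the per-project baseline
SPIKE_FACTOR = 5.0      # classic rule: a single day at 5x baseline or more
SUSTAINED_FACTOR = 1.5  # sustained rule: 1.5x baseline or more ...
SUSTAINED_DAYS = 7      # ... on this many consecutive days

def daily_baseline(history):
    """Median of the trailing window; the median shrugs off an occasional legitimate bulk day."""
    return median(history[-BASELINE_WINDOW:])

def spike_alerts(series):
    """Naive rule with a rolling baseline that includes every prior day, flagged or not."""
    return [i for i in range(BASELINE_WINDOW, len(series))
            if series[i] >= SPIKE_FACTOR * daily_baseline(series[:i])]

def sustained_alerts(series):
    """Fire once when a run of elevated days reaches SUSTAINED_DAYS.

    Only days that were not flagged are fed back into the baseline, so a steady
    low-and-slow transfer cannot quietly raise the bar it is measured against.
    """
    alerts, clean, run = [], list(series[:BASELINE_WINDOW]), 0
    for i in range(BASELINE_WINDOW, len(series)):
        if series[i] >= SUSTAINED_FACTOR * daily_baseline(clean):
            run += 1
            if run == SUSTAINED_DAYS:
                alerts.append(i)
        else:
            run = 0
            clean.append(series[i])
    return alerts

def excess_bytes(series):
    """Bytes above the clean baseline over the whole series, a rough stolen-volume estimate."""
    base = daily_baseline(series[:BASELINE_WINDOW])
    return sum(max(0.0, x - base) for x in series[BASELINE_WINDOW:])

# Constructed daily egress totals (bytes) for one project, as an aggregation of
# VPC Flow Logs would produce them: 14 ordinary days around 2 TB, then 30 days
# carrying an extra ~1.5 TB/day of steady exfiltration, then one loud 12 TB day.
NORMAL_DAYS = [1.8, 2.1, 2.0, 1.9, 2.3, 2.0, 1.7, 2.2, 2.0, 1.9, 2.1, 2.4, 1.8, 2.0]
SAMPLE_DAILY_EGRESS = [x * TB for x in NORMAL_DAYS + [3.5] * 30 + [12.0]]
```

On the sample series the spike rule never fires, while the sustained rule alerts on day 20, a week into the slow transfer, and excess_bytes puts the stolen volume at about 55 TB.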

6. Supply Chain Credential Scanning and Dark Web Monitoring - Monitor dark web forums and threat intelligence feeds for mentions of organizational credentials appearing in third-party breach data.

Automate correlation between third-party breach disclosures and internal credential inventories.

When a vendor breach is disclosed, immediately scan the disclosed dataset (if available to researchers or through threat intelligence services) for any credentials, tokens, API keys, or internal references belonging to your organization.

Deploy automated detection for credentials appearing in support tickets, chat logs, and CRM records - these are the locations where credentials leak most frequently and where secret scanners are least commonly deployed.

7. Incident Response for Credential-Chaining Attacks - Develop runbooks specifically for credential-chaining scenarios where initial access originates from a third-party breach.

The investigation must trace the full chain: which vendor was breached, what data was exposed, which organizational credentials were present in that data, what systems those credentials access, and what lateral movement is possible from each compromised system.

Standard incident response assumes a single point of entry - credential chaining creates multiple simultaneous entry points that must be identified and closed in parallel.

8. Phishing-Resistant Authentication for Cloud Administrative Access - Deploy FIDO2 hardware security keys for all GCP administrative accounts. Eliminate password-only and SMS-based authentication for cloud infrastructure.

Enforce context-aware access policies that restrict cloud console and API access to managed devices on corporate networks or through verified VPN connections.

10

SOURCES

BleepingComputer, TechRadar, Cybersecurity Dive, The Register, Hackread, CSO Online, CBC News, The Globe and Mail, CloudTweaks, Breached.Company, Bitdefender, SafeState, Prism News, MobileSyrup, Bloomberg, Yahoo Finance, Google Cloud Blog (Mandiant), FINRA, UpGuard, The Hacker News, Resecurity, Obsidian Security, LevelBlue, DataBreaches.Net, CPO Magazine, Outsource Accelerator, Simply Wall St, Wikipedia
