The Telus Digital data breach, confirmed by the company on March 12, 2026, is a textbook example of how a single compromised credential can unravel an entire enterprise. Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, handling customer support, content moderation, AI data services, and other outsourced operational work for companies worldwide. The ShinyHunters hacking group claims responsibility, alleging that it extracted nearly 1 petabyte of data (roughly 1 million gigabytes) over several months before demanding a $65 million ransom which, according to available reporting, Telus did not respond to.
How the Telus Digital Data Breach Actually Happened
The attack chain here is worth understanding in detail, because it did not begin with Telus at all. ShinyHunters told BleepingComputer that the breach originated from Google Cloud Platform credentials discovered inside data stolen during the Salesloft Drift breach, a separate incident in which Salesforce data from 760 companies, including customer support tickets, was compromised. The attackers then used TruffleHog, an open-source secrets scanner that searches code, files and data stores for API keys and other credentials, to find additional credentials and pivot deeper into Telus Digital's systems, eventually reaching a large BigQuery instance. This account of the chain comes from the attackers themselves rather than from Telus, but what it describes is a supply-chain attack in its most dangerous form: one vendor's breach becomes the skeleton key to another.
The Telus Digital data breach is therefore not simply a story about one company failing to protect its perimeter. It is a story about the cascading risk that comes with BPO models, where a single provider holds sensitive operational data for dozens of clients simultaneously. When that provider’s cloud environment is accessible via recycled credentials from an unrelated incident, every client in that ecosystem is exposed at once.
What Data Did ShinyHunters Steal?
The alleged haul is staggering in both scale and sensitivity. ShinyHunters claims to have obtained BPO services data including customer support records, call center agent performance ratings, AI-powered customer support tool outputs, fraud detection data, and content moderation files. Beyond that, samples posted on underground forums reportedly include source code, FBI background checks, financial information, Salesforce data, and voice recordings of support calls. The breach also allegedly affects Telus telecommunications services directly, with detailed call records, voice recordings, and campaign data for the consumer fixed-line business said to be among the stolen files.
Hackers claim the data covers at least 28 well-known companies, though their identities have not been independently verified by journalists, and the full scope remains under active investigation. Reports vary on the exact volume stolen — some cite 700TB, others the near-1PB figure ShinyHunters publicised — and Telus has not confirmed the data details publicly. What Telus has confirmed is that it took immediate steps to secure its systems, that customer connectivity and services were not disrupted, and that it is working with cyber forensics experts and law enforcement while notifying affected customers.
ShinyHunters and the Pattern of High-Stakes Extortion
ShinyHunters is not a new name in cybersecurity circles. The group has previously been linked to breaches affecting Odido, where six million accounts were compromised, as well as incidents involving PornHub and Wynn Resorts. The group's approach in the Telus Digital data breach follows a familiar playbook: exfiltrate data over an extended period, post samples of the stolen data on underground forums as proof of possession to establish credibility, then demand a ransom (in this case $65 million) before threatening a full public release. Telus did not respond to the demand, and the extortion campaign reportedly began in February 2026, roughly a month before Telus publicly confirmed the incident.
It is also worth distinguishing this incident from a separate 2023 breach involving Telus International, which affected an AI recruitment platform and impacted 680,000 users, resulting in regulatory fines. These are two distinct events involving different parts of the Telus corporate structure, and conflating them understates the scale of the current crisis.
What Does the Telus Digital Breach Mean for BPO Security?
The BPO sector is structurally vulnerable to exactly this kind of attack. Outsourcing providers aggregate sensitive data from multiple enterprise clients into shared cloud environments, which means the attack surface is enormous and the blast radius of any single breach is multiplied across every client relationship. Unlike a breach at a single-brand company, a BPO incident can expose dozens of organisations simultaneously, each with their own regulatory obligations around customer data, call recordings, and financial records.
The use of TruffleHog, a tool designed to find secrets and credentials embedded in code repositories, file shares and data dumps, to pivot from one breach into another is a well-documented technique that enterprises have been warned about for years. The Telus Digital data breach demonstrates that warnings alone are insufficient. Cloud credential hygiene, mandatory rotation policies, and monitoring for credential exposure in third-party breach datasets are not optional extras for BPO providers handling this volume and sensitivity of data. Two points deserve emphasis for practitioners. First, a long-lived credential such as a cloud service-account key is a bearer secret: anyone who finds it in a ticket export or a chat log can use it until it is revoked, which is why short-lived, workload-bound credentials and narrowly scoped permissions matter more than any scanning regime. Second, a secret that has already leaked is compromised regardless of where it sits in its rotation window, so scanning one's own data stores for credentials is a detection control, and rotation is only the policy that limits how long a missed leak stays useful.
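The two controls that the attack chain above and this paragraph point at, finding leaked Google Cloud service-account keys in the kind of free text that ends up in a breach dump and flagging long-lived keys that have outlived a rotation policy, are shown below in Python. This is an added example for this article, not code from Telus, ShinyHunters or the TruffleHog project. The ticket export, the key listing, the project name example-bpo-prod and the key material are constructed for illustration, and the function names are the author's own; only the service-account key-file field names and the fields of `gcloud iam service-accounts keys list --format=json` output are the real, documented ones.

```python
"""Added example: find leaked Google Cloud service-account keys in text and flag
stale user-managed keys. Not Telus or TruffleHog code; all sample data is fake."""
import json
import re
from datetime import datetime, timedelta, timezone

# Required fields of a service-account key file as Google documents the format.
SA_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}

# Key files are flat JSON objects, so a non-nested brace match is enough to carve
# candidates out of surrounding text such as an exported support ticket.
CANDIDATE_RE = re.compile(r'\{[^{}]*"type"\s*:\s*"service_account"[^{}]*\}')

PEM_HEADER = "-----BEGIN PRIVATE KEY-----"
PEM_FOOTER = "-----END PRIVATE KEY-----"


def find_service_account_keys(text):
    """Return one finding per parseable, complete service-account key file in text."""
    findings = []
    for match in CANDIDATE_RE.finditer(text):
        try:
            obj = json.loads(match.group(0))
        except json.JSONDecodeError:
            continue  # looked like a key file but was not valid JSON
        if not SA_KEY_FIELDS.issubset(obj):
            continue  # a fragment or a redacted copy, not a usable key
        pem = obj["private_key"]
        findings.append({
            "offset": match.start(),
            "project_id": obj["project_id"],
            "client_email": obj["client_email"],
            "private_key_id": obj["private_key_id"],
            # Only a complete PEM envelope means the private key itself leaked.
            "has_private_key": pem.startswith(PEM_HEADER) and pem.rstrip().endswith(PEM_FOOTER),
        })
    return findings


def stale_keys(key_listing, now, max_age_days=90):
    """Names of USER_MANAGED keys created more than max_age_days before now.

    key_listing is the parsed output of `gcloud iam service-accounts keys list
    --format=json`. Google-managed keys are skipped because Google rotates them.
    """
    cutoff = now - timedelta(days=max_age_days)
    stale = []
    for key in key_listing:
        if key.get("keyType") != "USER_MANAGED":
            continue
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        if created < cutoff:
            stale.append(key["name"])
    return stale


# Constructed sample: a fake ticket export in which someone pasted a key file into
# a ticket body. The PEM body is placeholder text, not a real key.
SAMPLE_DUMP = r'''
ticket 48213 | "BigQuery export job failing, attaching the creds we use"
{"type": "service_account", "project_id": "example-bpo-prod",
 "private_key_id": "0f3a9c7e1b2d4e5f6a7b8c9d0e1f2a3b4c5d6e7f",
 "private_key": "-----BEGIN PRIVATE KEY-----\nMIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQD_FAKE_\n-----END PRIVATE KEY-----\n",
 "client_email": "bq-export@example-bpo-prod.iam.gserviceaccount.com",
 "client_id": "123456789012345678901",
 "token_uri": "https://oauth2.googleapis.com/token"}
ticket 48214 | "Customer asked about invoice" {"type": "invoice", "amount": 12.5}
ticket 48215 | redacted copy: {"type": "service_account", "project_id": "example-bpo-prod"}
'''

# Constructed sample of a key listing for one service account.
_SA = "projects/example-bpo-prod/serviceAccounts/bq-export@example-bpo-prod.iam.gserviceaccount.com"
SAMPLE_KEY_LISTING = [
    {"name": _SA + "/keys/0f3a9c7e", "keyType": "USER_MANAGED", "validAfterTime": "2025-09-01T00:00:00Z"},
    {"name": _SA + "/keys/77aa11bb", "keyType": "USER_MANAGED", "validAfterTime": "2026-02-20T00:00:00Z"},
    {"name": _SA + "/keys/sys0001", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2025-01-01T00:00:00Z"},
]
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)  # date of Telus's confirmation

if __name__ == "__main__":
    for f in find_service_account_keys(SAMPLE_DUMP):
        print("leaked key:", f["client_email"], "id", f["private_key_id"],
              "(private key present)" if f["has_private_key"] else "(no key material)")
    for name in stale_keys(SAMPLE_KEY_LISTING, NOW):
        print("stale key:", name)
```

In an actual response, a finding with has_private_key set to true is a live credential until it is revoked: disable or delete the key (gcloud iam service-accounts keys delete KEY_ID --iam-account=EMAIL), review Cloud Audit Logs for what that identity touched, and only then issue a replacement. The stale-key check is a policy gate, not a breach indicator; the key in ticket 48213 would be flagged as compromised by the first function even though a 90-day policy alone would not have caught it on the day it was pasted.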
Is this the same as the 2023 Telus International breach?
No. The 2023 incident involved Telus International’s AI recruitment platform and affected approximately 680,000 users, resulting in regulatory fines. The 2026 Telus Digital data breach is a separate incident affecting the BPO and digital services arm of Telus, with a far larger alleged data volume and a different attack vector entirely.
Did Telus pay the $65 million ransom?
Telus did not respond to the ransom demand, according to available reporting. ShinyHunters began their extortion campaign in February 2026, demanding $65 million for not leaking the stolen data. Telus confirmed the breach on March 12, 2026, but has not publicly addressed the ransom demand directly.
How did hackers get into Telus Digital’s systems?
ShinyHunters told BleepingComputer that they obtained Google Cloud Platform credentials from data stolen in the Salesloft Drift breach. They then used the TruffleHog secrets scanner to find additional credentials and pivot into Telus Digital's cloud infrastructure, including a large BigQuery instance. By the attackers' own account, the entry point was a credential leaked in a third party's breach rather than a vulnerability in Telus Digital's own systems, which makes this a supply-chain credential reuse incident.
The Telus Digital data breach should be a forcing function for every BPO provider and their enterprise clients to audit shared cloud environments, enforce strict credential rotation, and monitor for their own data appearing in third-party breach dumps. The lesson here is not that Telus was uniquely careless — it is that the entire BPO model creates concentration risk that attackers are now actively exploiting at scale. One vendor’s leaked credentials became the master key to an estimated petabyte of some of the world’s most sensitive operational data. That is not a Telus problem. That is an industry problem.
This article was written with AI assistance and editorially reviewed.
Source: TechRadar


