Telus Digital Confirms Massive Data Breach: ShinyHunters Claims 1 Petabyte Stolen via Salesloft Credential Chain

There’s a reason the cybersecurity industry keeps warning companies about supply chain security. And then there’s a reason those warnings keep getting ignored. The Telus Digital breach — one of the largest BPO (business process outsourcing) breaches ever confirmed — is exactly what happens when a credential slips through the cracks of one breach, only to be picked up by attackers and used to unlock an entirely different company months later.

In March 2026, Telus Digital — the digital services and outsourcing arm of Canadian telecom giant Telus — confirmed what researchers and journalists had been pressing them about since January: they had been breached. ShinyHunters, the prolific hacking group behind dozens of high-profile incidents, claimed responsibility. Their stated haul? Nearly 1 petabyte of data. To put that in perspective, 1 petabyte is roughly equivalent to 500 billion pages of standard printed text, or the entire Library of Congress digitized about 500 times over. Even if the actual figure is overstated — extortion actors do sometimes inflate their numbers — the breach has already been described by security researchers as one of the most significant BPO compromises in recent memory.

The attack didn’t start at Telus. It started at Salesloft.


What Happened: The Fast Version

ShinyHunters broke into Telus Digital’s Google Cloud Platform (GCP) environment using credentials that had been sitting in data stolen from Salesloft and its subsidiary Drift — a sales engagement and conversational marketing platform. That earlier Salesloft/Drift breach had already been bad: attackers pulled Salesforce data belonging to 760 companies, including customer support tickets, API keys, and — critically — authentication tokens and service account credentials used by Telus Digital for its GCP infrastructure.

What makes this attack remarkable is the methodology. After exfiltrating the Salesloft/Drift data, the attackers didn’t just use it for its surface-level value. They ran it through TruffleHog, an open-source tool designed to find secrets and credentials embedded in data. TruffleHog found Telus GCP credentials baked into the stolen dataset. Those credentials became the pivot point into Telus Digital’s systems.

Once inside, they didn’t leave quickly. They exfiltrated a claimed petabyte of data including:

  • Customer support agent performance rankings
  • Fraud detection tool configurations and data
  • FBI background check records on support agents
  • Financial records and billing information
  • Recorded support calls (voice audio)
  • Call metadata (timestamps, durations, agent IDs, customer IDs)

ShinyHunters also claims 28 well-known companies beyond Telus were affected — names they’ve withheld, presumably as leverage. Telus refused to negotiate with them. As of March 2026, the investigation is ongoing, cyber forensics experts are engaged, and law enforcement has been notified.

Let’s unpack every piece of this.


Who Is Telus Digital — and Why Does It Matter?

If you’ve ever called a major company’s customer support line, had a billing dispute resolved, or interacted with an AI chatbot on a retail site, there’s a reasonable chance that interaction was handled by a BPO provider — even if the branding suggested otherwise. That’s the BPO business model: companies outsource customer-facing operations to specialists who run the infrastructure, the agents, the training, and increasingly, the AI tools.

Telus Digital is one of the largest BPO and digital services providers in the world. It’s the outsourcing arm of Telus Corporation — Canada’s second-largest telecom company, with over 17 million customer connections and annual revenues north of $18 billion CAD. Telus Digital specifically handles:

  • Customer experience (CX) operations — the actual agents answering phones, live chats, and emails on behalf of other companies
  • Digital transformation services — helping companies move their customer service infrastructure to cloud platforms
  • AI and automation tools — deploying machine learning for things like fraud detection, call routing, and customer intent recognition
  • Trust and safety operations — content moderation, identity verification, and regulatory compliance tooling for tech platforms
  • Healthcare information services — managing sensitive patient-facing functions for healthcare providers

Telus Digital operates in over 30 countries, employs tens of thousands of agents, and serves clients across fintech, healthcare, telecommunications, e-commerce, and government. That last point is worth sitting with: government-adjacent services. Among the data stolen were FBI background check records — a standard requirement for agents handling sensitive customer accounts in regulated industries. The fact that those records were sitting in a Telus Digital cloud environment tells you something about the scope of data these BPO providers accumulate.

This is the core problem with BPO breaches: when you outsource operations to a provider, you’re not just giving them a script and a phone line. You’re giving them access to your customer data, your authentication systems, your CRM records, your fraud tools, and in some cases your compliance documentation. A BPO provider that handles 50 companies is essentially a master key to 50 different companies’ customer infrastructure. Attackers understand this. Target one, get fifty.

The BPO Attack Surface Problem

Most large enterprises have robust security programs. Their core systems — the databases, the customer-facing APIs, the financial infrastructure — are hardened. But when they outsource operations to a BPO, the security posture of that third party often isn’t held to the same standard. The access credentials granted to the BPO provider for legitimate operations are often long-lived, broad in scope, and — as we’re about to see — sometimes stored carelessly in tools and datasets that create unintended exposure.

This isn’t unique to Telus Digital. It’s an industry-wide structural weakness. The Telus Digital breach is the latest and most dramatic proof of concept that BPO providers are priority targets for sophisticated threat actors.


Who Are ShinyHunters?

ShinyHunters is one of the most prolific and recognizable threat actor groups in the cybercrime ecosystem. They emerged into public consciousness around 2020 with a string of high-profile breaches — Tokopedia (91 million records), Wishbone (40 million records), Microsoft’s GitHub repositories, and dozens of others. By 2021, they were linked to breaches of AT&T (70 million records sold), Ticketmaster (560 million records), Santander Bank, Advance Auto Parts, and numerous others.

What distinguishes ShinyHunters from run-of-the-mill data thieves is their methodology and business model:

They Target the Ecosystem, Not Just the Target

Rather than going directly after large, well-defended enterprises, ShinyHunters frequently exploit connected systems — third-party services, SaaS tools, cloud integrations — that have legitimate access to enterprise data but often have weaker security posture. The Telus Digital attack is a textbook example: they didn’t attack Telus directly. They found a side door through a SaaS platform (Salesloft/Drift) that held credentials for Telus’s cloud environment.

They Monetize Systematically

ShinyHunters doesn’t just steal data and dump it. They operate with a deliberate monetization strategy:

  1. Identify high-value data in the exfiltrated set
  2. Approach the victim with an extortion demand before any public disclosure
  3. If extortion fails, sell the data on criminal forums or leak portions publicly to pressure payment
  4. Repeat with other victims whose credentials were found in the same dataset

This model is why the group claims 28 companies are affected by the Telus Digital incident. Each of those 28 companies is presumably either in an active extortion conversation, has paid, or is about to be contacted. The data is the leverage, and ShinyHunters holds it until they’ve exhausted the financial yield.

Their Track Record

The group’s most significant confirmed breaches as of 2026 include:

  • AT&T (2021/2024) — 70+ million customer records exposed, including Social Security Numbers and encrypted PINs
  • Ticketmaster (2024) — 560 million records including payment card data for 500+ million customers (claimed as part of a broader Snowflake credential attack)
  • Santander Bank (2024) — customer and employee data across multiple countries
  • Advance Auto Parts (2024) — 380 million customer records including sensitive employment data
  • QuoteWizard/LendingTree (2024) — voter registration data and financial records
  • Telus Digital (2025-2026) — the current incident, claimed ~1 petabyte

The 2024 wave of ShinyHunters breaches was particularly notable because many of them exploited a similar pattern to the current Telus attack: credentials found in misconfigured cloud storage or third-party SaaS platforms were used to pivot into Snowflake environments belonging to multiple enterprise customers. The Telus attack suggests they’ve refined and iterated on that playbook.

Several individuals associated with ShinyHunters have faced law enforcement action. In 2022, a French national named Sébastien Raoult was arrested in Morocco and extradited to the United States, ultimately pleading guilty to wire fraud and aggravated identity theft charges related to ShinyHunters activity. Despite arrests, the core group remains operational — either through new members, a distributed cell structure, or simply because attribution in cybercrime is never fully clean.


The Attack Chain: How One Breach Becomes Two (or Twenty-Eight)

This is the part of the story that deserves the most attention, because it’s not just a “Telus got hacked” story. It’s a story about how credential data from one breach becomes the entry point for entirely different breaches months or years later. Security professionals call this credential chaining or a supply chain credential attack. Here’s exactly how it played out.

Step 1: The Salesloft / Drift Breach

Salesloft is a sales engagement platform used by tens of thousands of companies to manage outbound sales, customer communications, email sequences, and CRM integrations. In 2023, Salesloft acquired Drift, a conversational AI and marketing platform that helps companies run chatbots, track visitor behavior, and manage inbound sales conversations.

At some point prior to the Telus Digital incident (the exact timeline of the Salesloft/Drift breach hasn’t been fully disclosed), attackers compromised Salesloft’s infrastructure and downloaded Salesforce data belonging to approximately 760 companies. This data included:

  • Customer support tickets
  • CRM records (contacts, accounts, deal data)
  • Email correspondence
  • API keys and integration tokens stored within Salesforce or Drift configurations
  • Service account credentials used for platform-to-platform integrations

This last category is where things get dangerous. Modern SaaS platforms like Salesloft and Drift don’t operate in isolation — they’re integrated with dozens of other tools: CRMs, data warehouses, cloud storage buckets, customer data platforms. To make those integrations work, companies paste API keys and service account credentials into configuration fields. Those credentials get stored in the SaaS platform’s database. When that database is breached, the credentials go with it.

Mandiant (Google’s threat intelligence and incident response arm) confirmed that credentials and tokens found in the Salesloft/Drift breach data were subsequently used to access additional platforms. That’s a significant detail: an established, credible incident response firm confirming the credential pivot. This wasn’t speculation — it was a documented forensic finding.

Step 2: TruffleHog Does the Heavy Lifting

After exfiltrating the Salesloft/Drift dataset, ShinyHunters turned to one of the most powerful and widely-used open-source secrets scanning tools in existence: TruffleHog.

TruffleHog was originally created to help developers find accidentally committed secrets in their own codebases and version control history. It works by scanning text data for patterns that match the format of known credential types — AWS access keys, GCP service account JSON blobs, API keys for hundreds of platforms, database connection strings, OAuth tokens, and more. It uses both regex-based detection and entropy analysis (looking for randomized strings that don’t look like normal text) to find things that shouldn’t be public.

Defenders use TruffleHog to audit their own systems. Attackers use TruffleHog to mine stolen data.

When ShinyHunters ran TruffleHog against the Salesloft/Drift exfiltrated dataset, it returned hits — including Google Cloud Platform service account credentials belonging to Telus Digital. These credentials had been stored in one of the 760 companies’ Salesforce or Drift configurations, almost certainly as part of a legitimate integration. Telus Digital runs its BPO operations heavily on GCP; service account credentials for accessing Cloud Storage buckets, BigQuery datasets, or other GCP services would be routine parts of customer integrations.

The credentials were valid. And ShinyHunters used them.

Step 3: The GCP Pivot

With valid GCP credentials in hand, ShinyHunters authenticated into Telus Digital’s Google Cloud environment. From that initial foothold, they:

  1. Enumerated the GCP environment — mapping what projects existed, what services were running, what data was accessible with the compromised credentials
  2. Escalated access — either through misconfigured IAM (Identity and Access Management) permissions, additional credentials found during the enumeration, or exploitation of GCP service relationships
  3. Identified high-value data stores — including cloud storage buckets containing call recordings, BigQuery datasets with operational analytics, and whatever systems housed the FBI background check records and fraud tooling data
  4. Exfiltrated at scale — ShinyHunters claims nearly 1 petabyte of data was ultimately stolen

The volume of the claimed exfiltration — 1 petabyte — is extraordinary and worth examining critically. Cloud storage egress costs money, even when it’s billed to the victim’s account (which it likely was during the attack). Moving a petabyte of data through GCP egress would be expensive and would generate substantial log noise. Either Telus Digital’s cloud monitoring was not configured to alert on anomalous egress, the data was staged within GCP in a way that reduced observable egress costs, or the 1 petabyte figure is inflated for extortion leverage. Security researchers lean toward some combination of all three.

What isn’t in dispute: significant data was stolen. The specificity of what ShinyHunters has shown to media outlets and what Telus has acknowledged investigating makes clear that this was a real, substantial breach — even if the exact volume is contested.

Step 4: Running TruffleHog Again

Here’s where the attack compounds in a way that should terrify every security team reading this. After gaining access to Telus Digital’s GCP environment, ShinyHunters reportedly ran TruffleHog again — this time against the Telus data itself.

Because Telus Digital is a BPO provider serving dozens of enterprise clients, its internal data likely contains integration credentials, API keys, and service account tokens for those client companies’ systems. A company that processes customer support for 50 enterprise clients probably has credentials or tokens that touch those clients’ systems in some form.

If TruffleHog found additional valid credentials in the Telus data — for the 28 other companies ShinyHunters claims are affected — then the group now holds a keychain that unlocks not just Telus, but a significant number of Telus’s clients. This is the recursive nightmare of BPO breaches, and it’s why ShinyHunters’ claim of 28 affected companies is plausible and deeply concerning.


What Data Was Stolen

Based on what ShinyHunters has shared with media and security researchers, and what Telus’s investigation has surfaced, the stolen data falls into several categories:

Customer Support Agent Records

This includes performance rankings, quality scores, individual agent identifiers, and operational metrics. In the BPO world, agent performance data is highly sensitive — it’s used for pay decisions, advancement, and client reporting. In the wrong hands, it’s also a targeting resource: you know which agents handle high-value accounts, which have lower performance scores (potentially indicating disengagement), and which handle sensitive verticals like healthcare or financial services.

FBI Background Check Data

This is among the most alarming elements of the breach. In industries like finance, healthcare, and government contracting, companies that handle sensitive customer data are required to ensure their support agents pass background checks. FBI background checks for employees contain:

  • Full legal name, aliases, and date of birth
  • Social Security Numbers or equivalent national identifiers
  • Criminal history records (if any)
  • Prior employment and residency history
  • Fingerprint records in some cases

This data, in the hands of ShinyHunters, is immediately usable for identity theft, targeted social engineering, or coercion of individual agents. If an agent has a criminal record they’ve kept private, or personal history that could embarrass them, that’s leverage. This is not hypothetical — criminal organizations routinely try to recruit or coerce insider threats within BPO organizations.

Fraud Detection Tools and Configurations

The exfiltration of fraud detection tooling is particularly insidious. Companies invest heavily in fraud detection systems — the rules, machine learning models, and heuristics that flag suspicious transactions or account behavior. When those configurations are stolen, attackers learn exactly what behaviors trigger fraud alerts. They learn the thresholds, the detection logic, the edge cases. They can tune their own malicious activity to fly under the radar.

For every company whose fraud tooling was exposed through this breach, the immediate concern is that their fraud detection capability has been compromised — attackers now know how to evade it.

Voice Recordings of Support Calls

This is a privacy nightmare of the first order. Customer support calls frequently contain:

  • Full names and account numbers
  • Authentication information (security questions, verbal PIN confirmations)
  • Sensitive personal disclosures (medical conditions, financial hardship discussions)
  • Complaint details that could be embarrassing for individuals or companies

Depending on the volume of recordings stolen, ShinyHunters potentially has a searchable audio archive of customer interactions spanning multiple enterprise clients. The secondary uses — voice cloning for deepfake fraud, targeted phishing using real details from recorded conversations, extortion of individuals whose sensitive disclosures were captured — are significant.

Call Metadata

Even without the audio content, call metadata is revealing. Who called, when, how long they talked, which agent handled it, what tier of service they accessed, what the disposition of the call was. This data can be used to identify high-value customers, map account activity patterns, and build profiles suitable for targeted social engineering.

Financial Information

The specifics here haven’t been fully disclosed, but “financial information” in a BPO context could mean anything from customer billing records to internal Telus Digital operational finance data — vendor contracts, cost structures, profit margins. Either category is sensitive; client billing data is directly exploitable, while operational finance data is valuable for corporate espionage or further extortion.


The Extortion Play and Telus’s Response

ShinyHunters reached out to Telus Digital to demand payment in exchange for not publishing or selling the data. Telus’s response: no negotiation.

This is the recommended posture from law enforcement and cybersecurity incident response professionals. Paying ransoms and extortion demands:

  1. Doesn’t guarantee data deletion — criminals aren’t bound by agreements, and “we deleted it” is unverifiable
  2. Funds future attacks — your payment goes directly to funding the group’s next campaign
  3. Makes you a target for follow-up demands — paying once signals willingness to pay again
  4. May violate sanctions — depending on the group’s nationality and designation, paying could expose the victim company to legal risk

Telus’s public statement, issued after BleepingComputer’s reporting forced their hand, was characteristically measured: “investigating a cybersecurity incident involving unauthorized access to a limited number of our systems.” The phrase “limited number of our systems” is a common corporate formulation that says technically true things while minimizing the perceived scope. Whether the scope was truly limited or whether that phrasing will age poorly remains to be seen.

Telus also stated that its services remain fully operational and that there has been no disruption to customer connectivity. This is consistent with data theft attacks rather than ransomware: the attackers’ goal was exfiltration, not disruption. They want the data, not chaos — chaos draws law enforcement attention too quickly.

The Months-Long Gap

One detail that deserves scrutiny: BleepingComputer first contacted Telus about this breach in January 2026. Telus didn’t confirm the breach until March 2026 — roughly two months later. Two months during which:

  • Affected individuals had no opportunity to take protective action
  • Companies whose credentials may have been exposed via the BPO chain had no formal notification
  • ShinyHunters was continuing to leverage the data for extortion negotiations

This disclosure timeline is unfortunately common but not acceptable. The gap between detection (or credible third-party notification) and public confirmation is exactly the window of harm that breach notification regulations are designed to close. If any of the 28 affected companies or their customers were in regulated industries, mandatory notification timelines may have been violated.


The 28 Companies: What We Know and Don’t Know

ShinyHunters claims that beyond Telus Digital itself, 28 well-known companies have data exposed in this incident. They’ve withheld the names — again, presumably as leverage in ongoing extortion negotiations.

What we can infer:

They are likely Telus Digital clients. Given the attack vector (GCP credentials found in Salesloft/Drift, used to access Telus’s cloud environment, TruffleHog run again on Telus data), the 28 affected companies are almost certainly companies for whom Telus Digital was providing outsourced services. Their data was in Telus’s environment because Telus was handling their customer operations.

“Well-known” is doing work here. ShinyHunters has an incentive to describe affected companies as notable — it increases media attention and extortion pressure. But Telus Digital’s actual client list includes major enterprises in telecom, financial services, and technology, so the claim is plausible.

Some may have already been notified privately. Telus Digital has a legal and contractual obligation to notify clients whose data was affected. Those notifications may be happening through private channels while the public disclosure is limited to Telus’s own acknowledgment.

The affected companies don’t know their fraud tools are compromised. Unless they’ve been specifically told what data was exfiltrated, affected companies may not know that ShinyHunters now understands their fraud detection logic, has their customer recordings, or holds credentials that could still be active.


How Long Did Telus Not Know?

This is one of the most important forensic questions in any breach investigation: when did the attacker first gain access, and how long did they operate before detection?

The timeline suggests:

  • The Salesloft/Drift breach occurred and credential data was exfiltrated (exact date not publicly confirmed)
  • ShinyHunters ran TruffleHog on the Salesloft data and identified Telus GCP credentials (unknown date)
  • Initial access to Telus GCP environment (unknown date)
  • Data exfiltration begins and continues (unknown duration)
  • ShinyHunters contacts Telus with extortion demand (prior to January 2026)
  • BleepingComputer contacts Telus in January 2026
  • Telus confirms breach in March 2026

The gap between the extortion contact and the public confirmation implies Telus knew about the breach — or had strong reason to investigate — months before making any public statement. The duration of undetected attacker access within the GCP environment could span weeks to months.

Extended dwell time matters because it determines what the attackers were able to do beyond simple exfiltration. With months of access to a cloud environment, sophisticated actors can:

  • Map the full infrastructure to identify additional pivot points
  • Plant backdoors for persistent access post-remediation
  • Identify and exfiltrate data gradually to avoid triggering volume-based alerts
  • Gain familiarity with internal tooling that aids future attacks against the same clients

Why This Attack Worked: The Technical Breakdown

Let’s be specific about the failure modes, because “credential theft” is too abstract to be actionable.

Failure Mode 1: Credentials in SaaS Platform Configurations

Telus Digital (or a client whose data was in the Salesloft/Drift environment) stored GCP service account credentials in a way that made them accessible within the Salesloft/Drift data. This could have been:

  • A GCP service account JSON key file pasted into a Salesforce note or Drift configuration
  • An API key for a GCP service stored as a Salesforce custom field
  • Integration credentials stored in Drift’s platform configuration
  • A support ticket attachment containing credential files

The root cause is that credentials were stored in a SaaS platform at all; they should never be. Use secrets management services (GCP Secret Manager, HashiCorp Vault, AWS Secrets Manager) and reference credentials by pointer, never by value. If credentials must be configured in SaaS platforms, use short-lived tokens that expire, not long-lived service account keys.

Failure Mode 2: Long-Lived GCP Service Account Keys

GCP service account keys, when created, are valid indefinitely unless explicitly rotated or revoked. If the credentials found in the Salesloft data were months or years old and had never been rotated, they remained valid when ShinyHunters attempted to use them. A credential rotation policy — especially one that rotates keys automatically on a schedule and alerts when a key that has been dormant is suddenly used — would have caught or prevented this pivot.

Failure Mode 3: Excessive IAM Permissions

Getting in the door via a service account key doesn’t automatically grant access to 1 petabyte of data. That access requires either that the service account had very broad permissions (violating the principle of least privilege) or that the attackers were able to escalate their permissions once inside.

GCP IAM, like AWS IAM, supports highly granular permissions. A service account used for a specific integration (say, writing logs to a Cloud Storage bucket) should have only the permissions needed for that integration — write access to that specific bucket, nothing else. If the compromised service account had broad project-level permissions or access to sensitive data stores beyond its original purpose, that’s an IAM hygiene failure.
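An added example (not Telus’s or Google’s code) of auditing Failure Modes 2 and 3 together from the JSON that `gcloud iam service-accounts keys list --format=json` and `gcloud projects get-iam-policy --format=json` emit. The inputs are constructed: the key ids are placeholders, treating a `9999-12-31` validBeforeTime as “never expires” is an assumption, and last-use timestamps are supplied separately because the keys listing does not carry them.

```python
import json
from datetime import datetime, timezone

# Fixed audit clock so the example is deterministic.
AUDIT_TIME = datetime(2026, 3, 15, tzinfo=timezone.utc)
NO_EXPIRY = "9999-12-31T23:59:59Z"   # assumption: how a never-expiring key reports validBeforeTime
BASIC_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}   # project-wide basic roles

# Constructed input in the shape of `gcloud iam service-accounts keys list --format=json`,
# concatenated across three service accounts. Key ids are placeholders.
CONSTRUCTED_KEYS = json.loads("""[
  {"name": "projects/example-bpo-prod/serviceAccounts/gcs-sync@example-bpo-prod.iam.gserviceaccount.com/keys/KEYID-PLACEHOLDER-1",
   "keyType": "USER_MANAGED", "validAfterTime": "2024-02-10T09:12:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
  {"name": "projects/example-bpo-prod/serviceAccounts/gcs-sync@example-bpo-prod.iam.gserviceaccount.com/keys/KEYID-PLACEHOLDER-2",
   "keyType": "SYSTEM_MANAGED", "validAfterTime": "2026-03-01T00:00:00Z", "validBeforeTime": "2026-03-17T00:00:00Z"},
  {"name": "projects/example-bpo-prod/serviceAccounts/reporting@example-bpo-prod.iam.gserviceaccount.com/keys/KEYID-PLACEHOLDER-3",
   "keyType": "USER_MANAGED", "validAfterTime": "2026-02-01T00:00:00Z", "validBeforeTime": "2026-05-01T00:00:00Z"},
  {"name": "projects/example-bpo-prod/serviceAccounts/legacy-export@example-bpo-prod.iam.gserviceaccount.com/keys/KEYID-PLACEHOLDER-4",
   "keyType": "USER_MANAGED", "validAfterTime": "2025-06-01T00:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"}
]""")

# Constructed project IAM policy (`gcloud projects get-iam-policy ... --format=json` shape).
CONSTRUCTED_POLICY = json.loads("""{"bindings": [
  {"role": "roles/editor", "members": ["serviceAccount:gcs-sync@example-bpo-prod.iam.gserviceaccount.com",
                                       "user:alice@example-bpo.test"]},
  {"role": "roles/bigquery.dataViewer", "members": ["serviceAccount:reporting@example-bpo-prod.iam.gserviceaccount.com"]}
]}""")

# Last authentication per key id. The keys list command does not report this; it has to
# come from audit logs or IAM activity data. Constructed here for the example.
CONSTRUCTED_LAST_USED = {
    "KEYID-PLACEHOLDER-1": "2026-03-14T22:41:00Z",
    "KEYID-PLACEHOLDER-3": "2026-03-14T06:00:00Z",
    "KEYID-PLACEHOLDER-4": "2025-09-30T11:05:00Z",
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def sa_email(key_name):
    """Service account email from the full key resource name."""
    return key_name.split("/serviceAccounts/")[1].split("/")[0]


def key_id(key_name):
    return key_name.rsplit("/", 1)[1]


def audit(keys, policy, last_used, now=AUDIT_TIME, max_key_age_days=90, max_idle_days=30):
    """Return (service_account, finding, detail) triples for stale, non-expiring and idle
    user-managed keys (Failure Mode 2) and project-wide basic roles (Failure Mode 3)."""
    findings = []
    for key in keys:
        if key["keyType"] != "USER_MANAGED":
            continue   # Google-managed keys rotate automatically
        email, kid = sa_email(key["name"]), key_id(key["name"])
        age = (now - parse_ts(key["validAfterTime"])).days
        if age > max_key_age_days:
            findings.append((email, "stale_key", f"{kid} is {age} days old; rotate"))
        if key["validBeforeTime"] == NO_EXPIRY:
            findings.append((email, "non_expiring_key", f"{kid} never expires"))
        if kid in last_used:
            idle = (now - parse_ts(last_used[kid])).days
            if idle > max_idle_days:
                findings.append((email, "idle_key", f"{kid} unused for {idle} days; revoke"))
    for binding in policy["bindings"]:
        if binding["role"] in BASIC_ROLES:
            for member in binding["members"]:
                if member.startswith("serviceAccount:"):
                    findings.append((member.split(":", 1)[1], "broad_role", binding["role"]))
    return findings


if __name__ == "__main__":
    for sa, kind, detail in audit(CONSTRUCTED_KEYS, CONSTRUCTED_POLICY, CONSTRUCTED_LAST_USED):
        print(f"{kind:<17} {sa:<55} {detail}")
```

In the constructed data only the reporting account comes out clean: it has a recent, expiring key, is actively used, and holds a narrow role.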

Failure Mode 4: No Anomalous Egress Detection

Moving a petabyte of data out of GCP generates egress costs and creates log entries. Cloud-native security tools like Google Cloud’s Security Command Center, or third-party CSPM (Cloud Security Posture Management) tools, can alert on anomalous egress patterns. The fact that the exfiltration apparently proceeded without triggering a response suggests either:

  • Monitoring wasn’t configured to alert on egress volume
  • Alerts fired but weren’t acted on
  • The exfiltration was staged or slow enough to evade threshold-based alerts
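One way to implement the egress detection this section says was missing, as an added example rather than anything from Telus or Google’s tooling: it assumes audit-log records have already been reduced to (timestamp, principal, bytes) tuples, and pairs a per-hour spike rule with a trailing 24-hour budget so that slow, staged exfiltration is still caught. All principals and volumes are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

MB, GB = 10**6, 10**9

# Constructed principals and a fixed clock so the example is deterministic.
SYNC = "gcs-sync@example-bpo-prod.iam.gserviceaccount.com"
REPORTING = "reporting@example-bpo-prod.iam.gserviceaccount.com"
T0 = datetime(2026, 1, 5, 0, 0)
BASELINE_END = T0 + timedelta(days=3)   # first three days are "known normal"


def build_constructed_events():
    """Five days of (timestamp, principal, bytes) records, constructed for this example.
    Real input would be Cloud Audit Log / GCS usage-log entries reduced to this shape."""
    events = []
    for hour in range(5 * 24):
        ts = T0 + timedelta(hours=hour)
        day = hour // 24
        sync_bytes, report_bytes = 50 * MB, 200 * MB
        if day == 3 and ts.hour == 3:     # day 4: one 5 GB burst from the sync account
            sync_bytes = 5 * GB
        if day >= 3:                      # days 4-5: reporting account quietly runs at 4.5x normal
            report_bytes = 900 * MB
        events.append((ts, SYNC, sync_bytes))
        events.append((ts, REPORTING, report_bytes))
    return events


def hourly_totals(events):
    """Bucket raw records into per-principal, per-hour byte totals, sorted by time."""
    totals = defaultdict(int)
    for ts, principal, nbytes in events:
        totals[(principal, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
    by_principal = defaultdict(list)
    for (principal, hour), nbytes in sorted(totals.items(), key=lambda kv: kv[0][1]):
        by_principal[principal].append((hour, nbytes))
    return by_principal


def spike_alerts(by_principal, baseline_end, ratio=10.0, floor=1 * GB):
    """Alert when a single hour exceeds `ratio` x the principal's busiest baseline hour
    and an absolute floor (so tiny baselines do not page on noise)."""
    alerts = []
    for principal, series in by_principal.items():
        baseline = [nbytes for hour, nbytes in series if hour < baseline_end]
        if not baseline:
            continue
        threshold = max(ratio * max(baseline), floor)
        for hour, nbytes in series:
            if hour >= baseline_end and nbytes > threshold:
                alerts.append(("spike", principal, hour, nbytes))
    return alerts


def rolling_budget_alerts(by_principal, window=timedelta(hours=24), budget=10 * GB):
    """Catch slow exfiltration: alert the first hour a principal's trailing-window total
    crosses its budget, even though no single hour tripped the spike rule."""
    alerts = []
    for principal, series in by_principal.items():
        in_window, running = [], 0
        for hour, nbytes in series:
            in_window.append((hour, nbytes))
            running += nbytes
            while in_window and in_window[0][0] <= hour - window:
                running -= in_window.pop(0)[1]
            if running > budget:
                alerts.append(("rolling_budget", principal, hour, running))
                break   # one alert per principal here; a real pipeline would rate-limit instead
    return alerts


def run_detection(events=None, baseline_end=BASELINE_END):
    events = build_constructed_events() if events is None else events
    by_principal = hourly_totals(events)
    return spike_alerts(by_principal, baseline_end) + rolling_budget_alerts(by_principal)


if __name__ == "__main__":
    for kind, principal, hour, nbytes in run_detection():
        print(f"{hour:%Y-%m-%d %H:00}  {kind:<15} {principal:<55} {nbytes / GB:6.2f} GB")
```

The reporting account never trips the spike rule (900 MB is under 10x its 200 MB baseline), but its trailing 24-hour total crosses 10 GB on the eighth anomalous hour, which is the case the third bullet above describes.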

Failure Mode 5: No TruffleHog Equivalent on Their Own Systems

One of the most effective defenses against credential theft attacks is running secrets scanning tools against your own data and infrastructure before attackers do. If Telus Digital had run TruffleHog (or a commercial equivalent like GitGuardian or Nightfall) across their GCP environment and any connected SaaS platforms, they might have found the same credentials that ended up in the Salesloft data and rotated them proactively.
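The two-layer detection described in Step 2 (format patterns plus entropy) is straightforward to run against your own exports, which is the audit Failure Mode 5 calls for. The following is an added example, not TruffleHog’s code or anything from Telus; the detector patterns, thresholds and the ticket export it scans are all constructed for illustration:

```python
import math
import re
from dataclasses import dataclass

# Structural detectors: credential shapes a defender expects to find pasted into
# tickets, CRM notes and integration fields. Illustrative, not TruffleHog's own set.
PATTERNS = {
    "gcp_service_account_key": re.compile(r'"type"\s*:\s*"service_account"'),
    "gcp_service_account_email": re.compile(r'\b[\w.-]+@[\w.-]+\.iam\.gserviceaccount\.com\b'),
    "google_api_key": re.compile(r'\bAIza[0-9A-Za-z_-]{35}\b'),
    "private_key_block": re.compile(r'-----BEGIN (?:RSA |EC )?PRIVATE KEY-----'),
}

# Entropy detector: long base64-ish runs far more random than prose.
# 4.5 bits/char is the classic TruffleHog threshold for base64 strings;
# hex-only tokens would need a lower one (about 3.0), not handled here.
TOKEN_RE = re.compile(r'[A-Za-z0-9+/=_-]{20,}')
ENTROPY_THRESHOLD = 4.5


@dataclass
class Finding:
    detector: str
    line: int
    redacted: str


def shannon_entropy(s: str) -> float:
    """Bits per character of the string's empirical character distribution."""
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep just enough of a hit to locate it; an audit log must never hold the secret."""
    return value[:4] + "..." + value[-4:] if len(value) > 12 else "***"


def scan_text(text: str) -> list:
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        covered = []  # spans already explained by a structural detector
        for name, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                covered.append(m.span())
                findings.append(Finding(name, line_no, redact(m.group(0))))
        for m in TOKEN_RE.finditer(line):
            if any(s <= m.start() < e for s, e in covered):
                continue
            if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
                findings.append(Finding("high_entropy_token", line_no, redact(m.group(0))))
    return findings


# Constructed sample: a CRM ticket export of the kind a BPO might hold.
# Every value is fake and built for this example.
FAKE_API_KEY = "AIzaSyEXAMPLE" + "0" * 26   # "AIza" + 35 chars: Google API key shape, low entropy
FAKE_TOKEN = "ya29.a0AfH6SMBx7Q2kLw9vRtY3pZcN8mJ4eGd1uKs5oXhV"   # 42 distinct chars after the dot
CONSTRUCTED_EXPORT = "\n".join([
    "Ticket #4471 | Subject: GCS sync job failing since Friday",
    "Customer: integrations@example-client.test",
    "Agent note: customer pasted their integration config so we can reproduce.",
    '{"type": "service_account", "project_id": "example-bpo-prod",',
    ' "private_key_id": "0123456789abcdef0123456789abcdef01234567",',
    ' "private_key": "-----BEGIN PRIVATE KEY-----\\n<redacted-placeholder>\\n-----END PRIVATE KEY-----\\n",',
    ' "client_email": "gcs-sync@example-bpo-prod.iam.gserviceaccount.com"}',
    "Also their Maps key for the address widget: api_key=" + FAKE_API_KEY,
    "OAuth token from the customer's test flow: " + FAKE_TOKEN,
    "Resolution: asked customer to rotate keys; see runbook section 3.2 for rotation steps.",
])

if __name__ == "__main__":
    for f in scan_text(CONSTRUCTED_EXPORT):
        print(f"line {f.line:>3}  {f.detector:<26} {f.redacted}")
```

The low-entropy API key is caught only by its format pattern and the random-looking OAuth token only by entropy, which is why a scanner needs both layers.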


What This Means For You

The Telus Digital breach isn’t just a corporate security story. Depending on who you are, it has direct implications for your data, your money, and your security posture.

If You’re a Consumer Who Used a Service Telus Supports

You may not know which companies outsource their customer support to Telus Digital — that’s by design; BPO providers operate under their clients’ branding. But if your call was ever recorded by a major company in telecom, financial services, or healthcare, and that company used Telus Digital, your voice recording may be in this dataset.

What that means practically:

  • Your voice can be cloned. Modern voice cloning tools require surprisingly short samples to produce convincing fakes. A recorded support call — where you may have verified your identity, described your problem, perhaps mentioned sensitive personal details — is a rich source for voice cloning for fraud or impersonation.

  • Your support ticket history is potentially exposed. If you ever discussed a billing dispute, a health question, or a financial hardship with a support agent, that context may now exist in ShinyHunters’ possession.

  • Your account identifiers were likely in the call metadata. Account numbers, verification codes spoken over the phone, even the topics of your calls — all potentially captured.

There’s limited action a consumer can take when a breach like this occurs, but some steps are meaningful:

  1. Place a credit freeze with all three major credit bureaus (Experian, Equifax, TransUnion) if you haven’t already. This is good hygiene regardless of any specific breach.
  2. Enable voice biometric protection where offered by your bank or financial institution. Some institutions allow you to require that account changes be confirmed via a registered voice sample — update this if your voice may have been cloned.
  3. Be skeptical of inbound calls claiming to be from companies you do business with. With stolen call metadata, attackers know who you’re a customer of and when you typically interact with support — that information makes spoofed calls more convincing.
  4. Watch for targeted phishing that references specific details from past support interactions. Legitimate companies don’t send emails saying “regarding your call on [specific date] about [specific topic]” — if you receive something that specific and unexpected, treat it as phishing.

If You’re a Security Professional

The Telus Digital attack should prompt an immediate audit of:

  • Credential exposure in SaaS platforms — run TruffleHog or equivalent against your Salesforce orgs, CRM systems, ticketing platforms, and any SaaS tool that has stored credentials for other systems. The credentials ShinyHunters found in Salesloft data are not unique; this is a widespread problem.

  • GCP/AWS/Azure IAM hygiene — audit service account permissions. Every service account that exists should be documented, should have its permissions reviewed, and should be operating under least-privilege. Long-lived keys should be rotated. Inactive keys should be revoked.

  • Third-party BPO and vendor access — if you’ve granted cloud access credentials to a BPO provider or any third-party vendor, audit what permissions those credentials carry and whether they’ve been rotated recently. If your BPO provider was breached, assume your credentials are compromised until proven otherwise.

  • Egress monitoring — configure cloud-native or third-party tooling to alert on anomalous data egress. Define what “normal” egress looks like for your environment and alert aggressively on deviations.

  • Mandiant’s confirmation is a signal — Mandiant confirmed that Salesloft/Drift breach credentials were used to access additional platforms. If your company used Salesloft or Drift and had integration credentials in that environment, treat your credentials as compromised. Rotate now. Audit access logs for anomalous activity.

If You Work for a Company That Uses BPO Services

Your BPO provider may hold credentials for your systems. You may not know exactly what credentials they have or how they’ve stored them. Now is the time to find out.

  1. Inventory all third-party access to your cloud environments. Run a comprehensive audit of who has credentials, what those credentials can access, and when they were last used.
  2. Contact your BPO providers directly and ask specifically whether they’ve been affected by this incident or aware of any credential exposure related to their GCP or other cloud environments.
  3. Review your BPO contracts — specifically data handling, security incident notification, and credential management clauses. If your contract doesn’t require prompt breach notification (within 24-48 hours of discovery), renegotiate.
  4. Assess your fraud detection tooling exposure — if your fraud logic was accessible through a BPO provider, assume it’s compromised and begin revising the detection rules, thresholds, and model configurations an attacker could now tune their activity around.
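Step 1 above, as an added example (not Telus’s tooling and not Google’s): given the JSON that gcloud projects get-iam-policy PROJECT --format=json prints, list every principal outside your own domains and projects, and flag the bindings a reviewer should question first. The policy, the domains example-corp.com and bpo-vendor.example and the project names are constructed for the example.

```python
"""Inventory third-party principals in a GCP project IAM policy.

Added example. Input is the parsed JSON of
`gcloud projects get-iam-policy PROJECT --format=json`; the sample policy is constructed.
"""
from __future__ import annotations

PRIMITIVE_ROLES = {"roles/owner", "roles/editor", "roles/viewer"}
PUBLIC_MEMBERS = {"allUsers", "allAuthenticatedUsers"}
SA_SUFFIX = ".iam.gserviceaccount.com"


def member_domain(member: str) -> str | None:
    """Domain of a user:/group:/serviceAccount:/domain: member, None for other kinds."""
    kind, _, ident = member.partition(":")
    if kind in ("user", "group", "serviceAccount"):
        return ident.rsplit("@", 1)[-1].lower()
    if kind == "domain":
        return ident.lower()
    return None  # principalSet:, projectOwner: and similar are not graded here


def is_external(member: str, trusted_domains, trusted_projects) -> bool:
    """A service account belongs to the project in its email; users/groups to their domain."""
    if member in PUBLIC_MEMBERS:
        return True
    dom = member_domain(member)
    if dom is None:
        return False
    if dom.endswith(SA_SUFFIX):
        return dom[: -len(SA_SUFFIX)] not in trusted_projects
    return dom not in trusted_domains


def inventory_external_access(policy: dict, trusted_domains, trusted_projects) -> list[dict]:
    findings = []
    for binding in policy.get("bindings", []):
        role = binding["role"]
        for member in binding.get("members", []):
            if member.startswith("deleted:"):
                # Binding survives the principal; harmless today, noise tomorrow. Clean it up.
                findings.append({"member": member, "role": role, "flags": ["stale_binding"]})
                continue
            if not is_external(member, trusted_domains, trusted_projects):
                continue
            flags = []
            if member in PUBLIC_MEMBERS:
                flags.append("public")
            if role in PRIMITIVE_ROLES:
                flags.append("primitive_role")  # owner/editor/viewer span the whole project
            elif role.lower().endswith("admin"):
                flags.append("admin_role")
            if "condition" not in binding:
                flags.append("unconditional")  # no expiry, no resource restriction
            findings.append({"member": member, "role": role, "flags": flags})
    return findings


# Constructed sample policy: one trusted org, one BPO vendor, one public binding, one stale one.
SAMPLE_POLICY = {
    "bindings": [
        {"role": "roles/owner", "members": ["user:alice@example-corp.com"]},
        {"role": "roles/editor",
         "members": ["serviceAccount:support-tooling@bpo-vendor-prj.iam.gserviceaccount.com"]},
        {"role": "roles/storage.objectViewer",
         "members": ["group:agents@bpo-vendor.example", "user:bob@example-corp.com"],
         "condition": {"title": "vendor access expires",
                       "expression": "request.time < timestamp('2026-06-30T00:00:00Z')"}},
        {"role": "roles/viewer", "members": ["allAuthenticatedUsers"]},
        {"role": "roles/cloudsql.admin", "members": ["deleted:user:carol@example-corp.com?uid=123"]},
    ],
    "etag": "BwXabc123",
    "version": 3,
}

if __name__ == "__main__":
    for f in inventory_external_access(SAMPLE_POLICY, {"example-corp.com"}, {"example-corp-prod"}):
        print(f"{f['role']:32} {f['member']:70} {','.join(f['flags'])}")
```

Run it once per project (and again at folder and organization level, where the same binding shapes apply) and you have the list to take into the conversation with the BPO provider: which of their principals hold what, and which bindings carry no expiry. Google’s own service agents show up as external service accounts under this rule and belong on an allowlist rather than in the findings.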

Actionable Advice: The Full Checklist

For organizations that want to protect themselves against this class of attack going forward:

Immediate Actions (Do This Week)

  • Run TruffleHog (or GitGuardian / Nightfall) against your Salesforce org, CRM, ticketing systems, Slack/Teams workspaces, and any SaaS platform that might contain credentials
  • Audit GCP/AWS/Azure service account keys — identify all active long-lived keys, who created them, when they were last rotated, and what permissions they carry
  • Revoke unused credentials — any service account that hasn’t been used in 30+ days should have its keys revoked immediately
  • Check Salesloft/Drift and Salesforce access logs — if your company used these platforms, audit who accessed your data and whether anything was exported in the relevant timeframe
  • Verify your BPO provider’s status — ask directly whether they’re aware of any credential exposure; don’t wait for them to call you
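The service-account key audit in the list above, as an added example rather than anything from the original page: it takes the JSON that gcloud iam service-accounts keys list --iam-account=SA --format=json prints, plus an optional map from key name to last-authentication time that you would assemble from IAM’s Activity Analyzer (the shape of that map is an assumption of this example), and says which keys to rotate and which to revoke outright. The key list, names and timestamps are constructed.

```python
"""Grade service-account keys by age, expiry and recent use.

Added example. `keys` is the parsed output of
`gcloud iam service-accounts keys list --iam-account=SA --format=json`;
`last_auth` is an assumed {key name: RFC 3339 time} map built from Activity Analyzer.
Sample data is constructed.
"""
from __future__ import annotations

from datetime import datetime, timezone

NEVER_EXPIRES_YEAR = 9999  # gcloud shows validBeforeTime 9999-12-31T23:59:59Z for keys with no expiry


def parse_ts(ts: str) -> datetime:
    # gcloud emits RFC 3339 with a trailing Z; fromisoformat before 3.11 wants an explicit offset.
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_keys(keys, now, last_auth=None, max_age_days=90, inactive_days=30):
    """Return one verdict per user-managed key: ok, rotate, or revoke."""
    results = []
    for key in keys:
        if key.get("keyType") != "USER_MANAGED":
            continue  # Google creates and rotates SYSTEM_MANAGED keys itself
        flags = []
        age = (now - parse_ts(key["validAfterTime"])).days
        if age > max_age_days:
            flags.append(f"older_than_{max_age_days}d")
        if parse_ts(key["validBeforeTime"]).year == NEVER_EXPIRES_YEAR:
            flags.append("never_expires")
        if last_auth is not None:  # only judge activity when we actually have activity data
            seen = last_auth.get(key["name"])
            if seen is None or (now - parse_ts(seen)).days > inactive_days:
                flags.append("inactive")
        if "inactive" in flags:
            action = "revoke"   # nobody will notice it is gone; attackers are the only likely user
        elif flags:
            action = "rotate"   # in use, but old or immortal: issue a new key, then delete this one
        else:
            action = "ok"
        results.append({"key": key["name"].rsplit("/", 1)[-1], "age_days": age,
                        "flags": flags, "action": action})
    return results


# Constructed sample: three user-managed keys and one Google-managed key on one account.
SA = "projects/example-prj/serviceAccounts/ingest@example-prj.iam.gserviceaccount.com"
SAMPLE_KEYS = [
    {"name": f"{SA}/keys/a1b2c3", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2024-03-01T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/d4e5f6", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2026-02-15T10:00:00Z", "validBeforeTime": "2026-05-15T10:00:00Z"},
    {"name": f"{SA}/keys/0a9b8c", "keyType": "USER_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2025-01-10T10:00:00Z", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": f"{SA}/keys/777888", "keyType": "SYSTEM_MANAGED", "keyAlgorithm": "KEY_ALG_RSA_2048",
     "validAfterTime": "2026-03-01T10:00:00Z", "validBeforeTime": "2026-03-18T10:00:00Z"},
]
SAMPLE_LAST_AUTH = {  # key 0a9b8c has no entry: never seen authenticating in the analyzer window
    f"{SA}/keys/a1b2c3": "2026-03-10T08:00:00Z",
    f"{SA}/keys/d4e5f6": "2026-03-12T08:00:00Z",
}
NOW = datetime(2026, 3, 15, tzinfo=timezone.utc)

if __name__ == "__main__":
    for r in audit_keys(SAMPLE_KEYS, NOW, SAMPLE_LAST_AUTH):
        print(f"{r['key']}  age={r['age_days']}d  {r['action']:6}  {','.join(r['flags'])}")
```

On the sample, a1b2c3 is two years old and immortal but still in use, so it is rotated rather than cut off; d4e5f6 is young, expiring and active; 0a9b8c is old, immortal and unused, which is the profile of a key an attacker would find in a ticket export, and it gets revoked. Without activity data the function never recommends revocation, because "we don’t know" is not the same as "unused".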

Medium-Term Actions (This Quarter)

  • Migrate to short-lived credentials — transition service-to-service integrations from long-lived API keys to Workload Identity Federation, OAuth 2.0 with short-lived tokens, or equivalent mechanisms that don’t involve persistent secrets
  • Implement secrets management — deploy HashiCorp Vault, AWS Secrets Manager, GCP Secret Manager, or equivalent; prohibit storage of credentials in SaaS platforms, configuration files, or documentation
  • Configure egress alerts in your cloud environments — establish baselines and alert on deviations, especially for storage read operations and large data transfers
  • Review and tighten IAM policies — implement least-privilege for all service accounts; remove wildcard permissions; use specific resource-level policies where available
  • Add credential exposure to vendor questionnaires — when onboarding BPO providers or other third parties with system access, require evidence of secrets management practices and credential rotation policies
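An added example for the egress-alerting item (not from the page or any vendor): a baseline of how many objects each principal normally reads per hour, from which source addresses and from which buckets, applied to Cloud Storage data-access audit log entries. The log entries, principals, bucket names and IP addresses are constructed; the field names (protoPayload.methodName, authenticationInfo.principalEmail, resourceName, requestMetadata.callerIp) are the ones Cloud Audit Logs uses for Cloud Storage, and data-access logging for the service has to be switched on before any of them appear.

```python
"""Flag anomalous Cloud Storage reads per principal and hour against a baseline.

Added example. Entries follow the Cloud Audit Log shape for storage.objects.get;
the baseline and the sample log are constructed.
"""
from __future__ import annotations

from collections import defaultdict

ABSOLUTE_FLOOR = 500     # hourly object reads that deserve a look from any principal at all
VOLUME_MULTIPLIER = 5    # alert when reads exceed this many times the principal's baseline


def make_entry(ts: str, principal: str, bucket: str, obj: str, ip: str) -> dict:
    """Build a constructed audit log entry with the fields the detector reads."""
    return {
        "timestamp": ts,
        "protoPayload": {
            "methodName": "storage.objects.get",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "resourceName": f"projects/_/buckets/{bucket}/objects/{obj}",
        },
    }


def detect_egress(entries, baseline) -> list[dict]:
    """baseline: {principal: {"hourly_reads": int, "ips": set, "buckets": set}}."""
    windows = defaultdict(lambda: {"reads": 0, "ips": set(), "buckets": set()})
    for e in entries:
        p = e["protoPayload"]
        if p.get("methodName") != "storage.objects.get":
            continue
        principal = p["authenticationInfo"]["principalEmail"]
        hour = e["timestamp"][:13]              # "YYYY-MM-DDTHH" of an RFC 3339 UTC stamp
        bucket = p["resourceName"].split("/")[3]  # projects/_/buckets/<bucket>/objects/<obj>
        w = windows[(principal, hour)]
        w["reads"] += 1
        w["ips"].add(p["requestMetadata"]["callerIp"])
        w["buckets"].add(bucket)

    alerts = []
    for (principal, hour), w in sorted(windows.items()):
        reasons = []
        base = baseline.get(principal)
        threshold = base["hourly_reads"] * VOLUME_MULTIPLIER if base else ABSOLUTE_FLOOR
        if w["reads"] > threshold:
            reasons.append("volume")
        if base:  # novelty checks only make sense once we know what normal looks like
            if w["ips"] - base["ips"]:
                reasons.append("new_source_ip")
            if w["buckets"] - base["buckets"]:
                reasons.append("new_bucket")
        if reasons:
            alerts.append({"principal": principal, "hour": hour, "reads": w["reads"],
                           "ips": sorted(w["ips"]), "buckets": sorted(w["buckets"]),
                           "reasons": reasons})
    return alerts


# Constructed: the ingest service account normally pulls ~40 telemetry objects an hour from one address.
INGEST = "ingest@example-prj.iam.gserviceaccount.com"
BASELINE = {INGEST: {"hourly_reads": 40, "ips": {"34.1.2.3"}, "buckets": {"telemetry-raw"}}}

SAMPLE_LOG = (
    # routine hour: 30 reads, known address, known bucket
    [make_entry(f"2026-03-12T09:{i:02d}:00Z", INGEST, "telemetry-raw", f"batch-{i}.json", "34.1.2.3")
     for i in range(30)]
    # later: the same credential, from an unfamiliar address, draining a recordings bucket
    + [make_entry(f"2026-03-12T13:{i % 60:02d}:{i // 60:02d}Z", INGEST, "client-recordings",
                  f"call-{i}.wav", "198.51.100.7") for i in range(250)]
    # a human with no baseline doing a handful of reads: below the floor, no alert
    + [make_entry(f"2026-03-12T10:0{i}:00Z", "alice@example-corp.com", "telemetry-raw",
                  f"report-{i}.csv", "34.1.2.9") for i in range(5)]
)

if __name__ == "__main__":
    for a in detect_egress(SAMPLE_LOG, BASELINE):
        print(a)
```

The attack hour fires on all three rules at once, and that combination is what makes it worth paging on: a stolen service-account credential is, by definition, used by something that is not the workload it was issued to, so it tends to arrive from a new address and reach for buckets the workload never needed. A volume spike alone can be a legitimate backfill; a volume spike plus a new source plus a new bucket rarely is.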

Structural Changes (This Year)

  • Adopt a Zero Trust architecture — assume breach, verify every access request, don’t rely on network perimeter controls for cloud resources
  • Require breach notification SLAs in all vendor contracts — 24-48 hour notification requirements for any incident involving your data or credentials
  • Implement CSPM (Cloud Security Posture Management) — continuous monitoring of cloud configurations for drift from security baselines
  • Run tabletop exercises specifically for BPO breach scenarios — war-game what happens if your BPO provider is compromised and what data they hold on your behalf
  • Encrypt sensitive data at rest with keys you control — with the caveat that customer-managed keys in the provider’s own key service (Cloud KMS and its equivalents) do not, by themselves, stop a stolen storage credential: the storage service decrypts on behalf of any caller with read permission on the object, and the caller never touches the key. What CMEK does give you is one switch that disables the key and cuts off every reader at once, plus a KMS audit trail. To make storage credentials alone insufficient, keep the key outside the provider (an external key manager with its own access policy) or encrypt client-side so that the provider only ever stores ciphertext

The Bigger Picture: BPO Breaches Are the New Supply Chain Attack

For years, the “supply chain attack” narrative in cybersecurity focused on software — malicious code inserted into open-source libraries (the xz-utils backdoor), compromised build pipelines (SolarWinds), malware pushed as a software update through a compromised remote-management platform (Kaseya). The Telus Digital breach represents the maturation of a different supply chain attack model: service provider credential chaining.

The chain in this case was:

Salesloft/Drift (SaaS platform) → Telus Digital (BPO provider) → 28 enterprise clients

Each link in that chain held credentials or data that unlocked the next link. No software vulnerability was exploited. No zero-day was required. The entire attack was built on:

  1. Legitimate credentials that had been stored carelessly
  2. A scanning tool (TruffleHog) that’s free and open-source
  3. The architectural reality that modern enterprises are deeply interconnected through service provider relationships

This attack model is cheap, scalable, and brutally effective. And it will be repeated — against other BPO providers, SaaS platforms, managed service providers, and IT outsourcers — until the industry fundamentally changes how it handles credentials in shared environments.

The lesson isn’t “don’t use BPO providers” or “don’t use SaaS platforms.” The lesson is that every credential you hand to a third party is a potential attack vector, and you are responsible for understanding where those credentials live, what they can access, and when they need to be rotated. Your third-party security posture is part of your security posture, whether your compliance framework says so or not.


The Investigation and What Comes Next

Telus Digital has confirmed they’ve engaged cyber forensics experts and are working with law enforcement. The investigation is ongoing as of March 2026.

What to watch for in the coming weeks and months:

Breach notification letters: If Telus Digital’s investigation confirms that consumer data (the recordings, background checks, financial records) was exposed, mandatory breach notification requirements under Canadian PIPEDA (Personal Information Protection and Electronic Documents Act), US state breach notification laws, and potentially EU GDPR (if European customers were involved) will require formal notifications to affected individuals.

Client disclosures: The 28 affected companies will eventually be identified, either through Telus’s disclosures, ShinyHunters leaking data publicly, or investigative reporting. Watch for security advisories from large enterprises in the BPO-adjacent sectors.

Regulatory scrutiny: Canadian privacy regulators, and potentially US and EU counterparts depending on client nationality, will be examining Telus Digital’s security practices. The months-long gap between breach detection and public disclosure will be a focus.

ShinyHunters’ next move: If extortion negotiations have failed — and Telus’s “no negotiation” posture suggests they have — expect ShinyHunters to either sell the data on criminal forums or leak portions of it publicly. The 28 companies are likely the current leverage point; their identities may surface as pressure tactics.

The credential secondary market: Even before any public leak, credentials found via TruffleHog in the Telus data may already be circulating in closed criminal forums. Organizations should assume the worst and rotate accordingly.


Final Thoughts

The Telus Digital breach is a case study in how interconnected our digital infrastructure has become — and how catastrophically that interconnection can fail when the most basic security hygiene is neglected. A credential stored in a SaaS platform, in a company that was breached by someone else, became the key to 1 petabyte of data belonging to a Canadian BPO giant and potentially 28 of its enterprise clients.

No advanced exploit. No zero-day. One open-source tool and one careless credential storage decision.

The attackers — ShinyHunters — aren’t remarkable for their technical sophistication. They’re remarkable for their patience, their systematic thinking, and their understanding that the most valuable data often sits not in well-defended enterprise cores, but in the interconnected web of service providers, SaaS platforms, and outsourced operations that make modern businesses function.

Defending against this class of attack isn’t glamorous. It’s inventory work, IAM audits, credential rotation policies, and vendor contract reviews. It’s running TruffleHog against your own systems before the attackers do. It’s asking uncomfortable questions of your BPO providers about how they store your credentials and what they’d do if they were breached.

It’s also, increasingly, not optional.

The groups who will continue to be victimized by credential chaining attacks are the ones who treat third-party security as someone else’s problem. In the Telus Digital chain, every link assumed the previous link was secure. None of them were auditing the other. That assumption — multiplied across thousands of similar service provider relationships — is the real vulnerability.


Breached.Company covers data breaches, cybersecurity incidents, and the stories behind them. We believe accurate, detailed reporting is a public service — because you can’t protect yourself from threats you don’t understand.

If you have information about this breach or others, contact us securely via the methods listed on our About page.