Telus Digital confirms breach after hacker claims 1 petabyte data theft
By Lawrence Abrams
March 12, 2026 10:40 AM

Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach.

Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, providing customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide.

Because BPO providers often handle customer support, billing, and internal authentication tools for multiple companies, they can become attractive targets for threat actors seeking access to large amounts of customer and corporate data through a single breach.

The breach was carried out by threat actors known as ShinyHunters, who claim to have stolen a wide range of customer data related to Telus' BPO operations, as well as call records for Telus' consumer telecommunications division.

BleepingComputer was told in January that Telus had suffered a breach and contacted the company with questions, but did not receive a response to our emails at that time.

Yesterday, Telus confirmed that it suffered a breach, stating that it is currently investigating what was stolen and which customers were affected.

"TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely," Telus told BleepingComputer.

"All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement."

"We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers' information continues to be our highest priority."

A source told BleepingComputer last week that ShinyHunters were extorting the company, but Telus was not engaging with the threat actors.

Hacker claims to steal almost 1 petabyte of data

After learning that Telus was not negotiating with ShinyHunters, BleepingComputer contacted the threat actors with questions about the breach.

According to ShinyHunters, they breached Telus using Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach.

In the Salesloft Drift breach, threat actors downloaded Salesforce data for 760 companies, including customer support tickets. These support cases were scanned for credentials, authentication tokens, and other secrets, which Mandiant reports were used to breach additional platforms.

ShinyHunters says that they discovered Google Cloud Platform credentials for Telus in the Drift data and used them to access numerous company systems, including a large BigQuery instance.

After downloading this data, the threat actors said they used the cybersecurity tool trufflehog to search within it for additional credentials that allowed them to pivot into other Telus systems and download further data.

In all, ShinyHunters claims to have stolen close to 1 petabyte of data belonging to the company and many of its customers, many of whom use Telus Digital as a BPO provider for customer support operations.
BleepingComputer has not been able to independently confirm the total size of the stolen data.

The threat actor shared the names of 28 well-known companies allegedly impacted by the breach. However, BleepingComputer will not disclose the names of these companies, as we have been unable to independently confirm whether they were impacted.

The threat actor says that much of the data for these customers relates to BPO services provided by Telus Digital, including customer support and call center outsourcing, agent performance ratings, AI-powered customer support tools, fraud detection and prevention, and content moderation solutions.

However, they also claim to have stolen source code, FBI background checks, financial information, Salesforce data, and voice recordings of support calls for various companies.

The breach also reportedly impacts Telus' telecommunication services, including its consumer fixed-line business. The stolen data for these services allegedly includes detailed call records, voice recordings, and campaign data.

Samples of the call data records seen by BleepingComputer include a call's time, duration, number from, number to, and other metadata, such as call quality.

Overall, based on text files describing the attack reviewed by BleepingComputer, the types of stolen data appear to vary widely between companies, with many different business functions exposed.

ShinyHunters said they began extorting Telus in February, demanding $65 million in exchange for not leaking the company's data, but Telus did not respond to their emails.

If Telus shares further confirmation on what was stolen, we will update this story.

Who is ShinyHunters

While the name ShinyHunters has long been associated with numerous people and data breaches, the current ShinyHunters extortion gang has been one of the most prolific threat actors targeting companies worldwide this year in data theft attacks.
Primarily focusing on stealing data from Salesforce and other cloud SaaS environments, the threat actors are responsible for a large number of breaches, including Google, Cisco, PornHub, and online dating giant Match Group.

More recently, threat actors have been conducting voice phishing (vishing) attacks targeting Okta, Microsoft, and Google single sign-on (SSO) accounts. They call employees impersonating IT support staff and trick them into entering credentials and multi-factor authentication (MFA) codes on phishing sites.

As BleepingComputer first reported, the ShinyHunters group has also recently begun using device code vishing to obtain Microsoft Entra authentication tokens.

After stealing their targets' credentials and auth codes, the threat actors hijack the victims' SSO accounts to breach connected enterprise services like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.

Lawrence Abrams is the owner and Editor in Chief of BleepingComputer.com. Lawrence's area of expertise includes Windows, malware removal, and computer forensics.
Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.