TL;DR: ShinyHunters breached Canadian BPO giant TELUS Digital and walked out with nearly 1 petabyte of data: that’s 1,000 terabytes. The haul includes FBI background checks on employees (SSNs, criminal histories), voice recordings of customer service calls, internal source code, financial records, and BPO operations data from 28 client companies. The attackers got in using Google Cloud Platform credentials they found in data from last year’s Salesloft Drift breach. TELUS rejected a $65 million ransom demand. If you’ve called a customer service line in the past few years, there’s a chance your voice and personal details are now in criminal hands.
What Happened
TELUS Digital confirmed on March 12, 2026, that unauthorized actors accessed its internal systems during a multi-month intrusion [1][2]. The company runs customer service, content moderation, and tech support operations for dozens of major brands.
ShinyHunters (the same group behind the Ticketmaster, Match Group, and Betterment breaches) claims they stole nearly 1 petabyte of data. To put that in perspective: that’s roughly 1,000 terabytes, or about 250 million photos [3].
The breach reportedly began in late 2025 and continued undetected for months. ShinyHunters started demanding ransom in February 2026. TELUS didn’t respond to their emails [4].
What Was Stolen
According to ShinyHunters and security researchers who reviewed samples, the stolen data includes [3][4][5]:
- FBI background checks: Full results for TELUS employees, including Social Security numbers and criminal history reports
- Voice recordings: Customer service calls recorded through TELUS call centers
- Source code: Internal software and operational tools
- Financial records: Payroll, accounting, and corporate financial data
- BPO customer data: Information from companies that outsource operations to TELUS Digital
- Salesforce data: CRM records containing customer interaction histories
- Agent performance metrics: Internal ratings and operational analytics
ShinyHunters shared the names of 28 companies allegedly affected. Security reporters couldn’t independently confirm whether those specific companies’ data was compromised [4].
The Breach Supply Chain
Here’s the ugly part: ShinyHunters didn’t hack TELUS directly. They used credentials stolen from someone else entirely.
According to the attackers, they found Google Cloud Platform credentials buried in data from the August 2025 Salesloft Drift breach [4][6]. That breach involved compromised OAuth tokens from Drift’s Salesforce integration, which allowed attackers to steal data from hundreds of companies using the sales chatbot platform.
The attack chain worked like this:
- UNC6395 (the threat actor behind Drift) compromised OAuth tokens in August 2025
- ShinyHunters obtained data from that breach
- They used a tool called trufflehog to scan the stolen data for additional credentials
- Found TELUS Digital’s GCP credentials
- Used those credentials to pivot into TELUS systems
- Spent months downloading nearly 1 petabyte of data
One compromised vendor. One set of credentials. One petabyte of sensitive data walked out the door [6].
The FBI Background Check Problem
FBI background checks are standard for employees at companies handling sensitive operations. Those checks contain exactly what identity thieves want: full names, Social Security numbers, addresses going back years, criminal histories, employment verification [3][5].
If you work in customer service, content moderation, or tech support (and your employer uses a third-party BPO provider) there’s a chance your background check data is now circulating on criminal forums.
TELUS Digital employs thousands of people across North America, Central America, Europe, and Asia. The FBI background checks would cover US employees and potentially contractors with access to US client data.
Your Customer Service Calls
TELUS Digital runs call centers for major brands across multiple industries. When you call a customer service line and hear “this call may be recorded for quality assurance,” it might be recorded by TELUS Digital.
Those recordings can contain:
- Account numbers you read out loud
- SSN verification for identity confirmation
- Medical information discussed with support
- Financial details for billing disputes
- Personal addresses and contact information
If ShinyHunters has voice recordings from TELUS call centers, and they claim they do, that’s audio evidence of sensitive conversations that customers never expected to leave the company that recorded them.
The $65 Million Ransom
ShinyHunters demanded $65 million from TELUS Digital in exchange for not leaking the stolen data [4]. TELUS didn’t respond.
For context: TELUS Corporation (the parent company) reported CAD $20 billion in revenue for 2025. TELUS Digital is the BPO subsidiary. A $65 million ransom is significant but wouldn’t be company-ending.
The company’s statement: “We have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.” Standard breach response language [1].
What they haven’t said: whether they’re notifying the 28 companies whose data was allegedly compromised, whether they’re contacting individuals whose FBI background checks were stolen, or what they’re doing about the voice recordings.
ShinyHunters: A Busy 2026
This is just the latest in a string of massive breaches ShinyHunters has claimed this year:
- January 2026: Betterment: 1.4 million users via Okta vishing
- January 2026: Match Group / Bumble: 10 million dating app records
- February 2026: Figure: 967,000 fintech users via phone vishing
- February 2026: CarGurus: 12.4 million auto marketplace users
- March 2026: TELUS Digital: 1 petabyte via supply chain credentials
- March 2026: Crunchyroll: 6.8 million anime subscribers via TELUS credentials
The group has been operating since 2020, responsible for breaches at Tokopedia, Microsoft, Pixlr, and dozens of others. In 2024, they orchestrated the massive Ticketmaster breach affecting 560 million customers [7]. French authorities arrested one member in 2024, but the group keeps operating.
What You Should Do
If you’ve worked for TELUS Digital or a contractor:
- Freeze your credit at Equifax, Experian, and TransUnion immediately
- File an IRS Identity Protection PIN to prevent tax fraud
- Monitor your credit reports for new accounts you didn’t open
- Watch for targeted phishing using your employment details
If you’ve called customer service lines that might use TELUS:
Unfortunately, there’s no easy way to know which companies outsource to TELUS Digital. The companies affected haven’t been publicly confirmed. General advice:
- Be skeptical of calls claiming to be from companies you’ve done business with
- Don’t verify account information to inbound callers: hang up and call back using official numbers
- Monitor accounts for unauthorized access
If TELUS Digital was handling customer service for companies you’ve called, your voice and personal details from those conversations may now be in criminal hands. There’s no way to undo that exposure.
The Supply Chain Problem
This breach shows why supply chain security matters. TELUS Digital didn’t get hacked because of their own security failures. They got hacked because Salesloft’s Drift integration got compromised, and someone at TELUS had credentials stored in that system.
One compromised vendor led to hundreds of companies exposed. One set of credentials in stolen data led to 1 petabyte walking out the door.
Every company you do business with has vendors. Those vendors have vendors. Credentials get shared, stored, forgotten. And groups like ShinyHunters mine stolen data specifically looking for these pivot points.
Until companies treat vendor security as seriously as their own security, until there are real consequences for credential sprawl, expect more breaches exactly like this one.
References
- Cyber Insider: Telus Digital confirms security incident as ShinyHunters claims 1PB data theft (March 2026)
- Globe and Mail: Telus investigating hack of its digital services arm (March 2026)
- Hackread: ShinyHunters Claims 1 Petabyte Data Breach at Telus Digital
- DataBreaches.net: Telus Digital confirms breach after ShinyHunters claims 1 petabyte data theft
- Bitdefender: Telus Digital data breach confirmed: ShinyHunters claims 1PB theft
- Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- Wikipedia: ShinyHunters