ShinyHunters TELUS Breach: 1 Petabyte Stolen, $65M Ransom Demanded

Abhishek Gautam · 8 min read

Quick summary

ShinyHunters stole 1 PB of data from TELUS Digital by pivoting from credentials taken in a Salesloft breach and then running trufflehog inside TELUS's cloud environment. A $65M ransom was demanded and 24 BPO customer companies were exposed.

The same tool developers use to prevent secrets from leaking was the weapon ShinyHunters used to steal 1 petabyte of data from TELUS Digital and demand $65 million.

The breach was confirmed on March 12, 2026. ShinyHunters — the group behind the 2021 AT&T breach, the 2022 Twilio attack, and the 2024 Snowflake customer campaign — did not find a zero-day in TELUS's systems. They found credentials inside data they had already stolen from Salesloft, a sales engagement platform, in a 2025 breach. Those credentials gave them access to TELUS's Google Cloud Platform environment. Then they ran trufflehog.

What trufflehog Is and Why This Changes the Story

trufflehog is an open-source secrets-scanning tool maintained by Trufflehog Security. Developers use it to scan codebases, git histories, S3 buckets, and cloud environments for accidentally committed secrets: API keys, database passwords, OAuth tokens, and private keys. It is a standard component of DevSecOps pipelines.

ShinyHunters used trufflehog to scan TELUS's cloud environment for additional secrets after gaining initial access. The tool found more credentials. Those credentials opened more systems. Each secret discovered was an entry point into another part of TELUS's infrastructure.

This is called lateral movement through credential cascade. The initial access vector was Salesloft. The amplifier was a tool designed to prevent exactly this outcome. The irony is not lost on security teams who have been recommending trufflehog to their organizations for the past three years.

The Attack Chain, Step by Step

The breach followed a pattern security teams call the supply chain pivot:

Step one: ShinyHunters compromised Salesloft in 2025, stealing a customer data export containing API credentials for multiple enterprise clients.

Step two: Inside the stolen Salesloft data, they found TELUS Digital's Google Cloud Platform service account credentials, left in a shared customer configuration export.

Step three: Using those credentials, they authenticated into TELUS's GCP environment. No phishing required. No zero-day. Just a valid service account token.

Step four: They ran trufflehog against TELUS's cloud storage buckets, code repositories, and environment configurations, surfacing additional credentials for adjacent systems.

Step five: The group exfiltrated data over several weeks before detection, accumulating approximately 1 petabyte of data across multiple TELUS systems.

TELUS Digital is not the end of the chain. It's a business process outsourcing company serving more than two dozen enterprise customers. Each of those customers' operational data was accessible through TELUS's environment.

What Was Stolen

The 1 petabyte figure is large enough that some security analysts initially questioned it. One petabyte is 1,000 terabytes — the kind of volume that accumulates across years of operational data in a large BPO environment.

Confirmed data categories include: FBI background check records for TELUS employees and contractors, internal source code repositories, call-center voice recordings across customer engagements, Salesforce CRM data, and personally identifiable information linked to individuals connected to TELUS's BPO customer companies.

FBI background check records are particularly sensitive. They contain criminal history, employment history, financial records, and in many cases details about foreign contacts — precisely the information useful for targeted follow-on social engineering campaigns against individuals with security clearances or sensitive roles.

The $65 million ransom demand was communicated through ShinyHunters' known channels. TELUS Digital has not confirmed whether it paid. Based on past ShinyHunters operations, organizations that declined to negotiate have had their data published on breach forums.

Who ShinyHunters Actually Is

ShinyHunters is a financially motivated criminal organization operating since 2020. The group is not nation-state affiliated. Its confirmed operations include the 2021 AT&T breach affecting 70 million customers, the 2022 Twilio attack that cascaded into Signal and DoorDash user data, and most significantly the 2024 Snowflake customer attack campaign.

The Snowflake campaign is the closest precedent to the TELUS breach. ShinyHunters found that Snowflake customers were storing credentials in shared configuration files accessible through the Snowflake environment. They used those credentials to breach Ticketmaster (560 million records), Santander Bank, and dozens of other organizations. The entry point was not Snowflake's systems — it was credentials left inside Snowflake by customers. The same logic applies to TELUS: the entry point was credentials left inside Salesloft by TELUS.

ShinyHunters members have been indicted in multiple jurisdictions. French authorities convicted one member in 2024. US authorities have issued indictments but have not arrested the core operating group. The operation continues.

The BPO Risk Model

Business process outsourcing companies are unusually high-impact breach targets because they aggregate sensitive data from multiple enterprise customers into a single environment.

TELUS Digital operates customer service centers, back-office processing, and data operations for enterprises across healthcare, financial services, and telecommunications. When an attacker compromises TELUS Digital, they do not get one company's data. They get the operational data of every enterprise that outsourced processes to TELUS simultaneously.

This is the same structural problem that made the 2023 MOVEit breach so damaging. Progress Software's file transfer product was used by hospitals, banks, pension funds, and government agencies. Compromising the vendor gave attackers simultaneous access to hundreds of organizations, each of which had audited their own environment but not their shared vendor's.

The BPO model creates a structural amplification problem that vendor security questionnaires do not solve. A vendor can pass a SOC 2 audit and still store credentials in a configuration file accessible to another vendor.

What Developers Must Audit Right Now

Three checks are urgent if you manage cloud infrastructure or work in an organization that uses third-party vendors.

First, rotate any credentials that exist in environments shared with third parties. If a vendor has API keys to your cloud environment, scope them to minimum necessary permissions and rotate them on a defined schedule. Treat vendor-accessible credentials as higher risk than internal credentials.

Second, run trufflehog or equivalent against your full git history, not just your current codebase. Secrets committed in 2019 and deleted in a subsequent commit still exist in git history and are visible to anyone with repository read access. Run this audit against every repository that has ever been shared with a third party.

Third, audit your vendor access list. For each vendor with access to your systems or data: what credentials did you provide, are those credentials still active, what data scope do they have access to, and when was that access last reviewed?
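To make the three checks concrete, here is a small Python example added here (it is not the article's code, nor trufflehog's, nor anything from TELUS). It pairs a history-aware secrets scanner, which contrasts a scan of the current checkout with a scan of every historical version of every file, with a key-age check over a listing in the field layout of `gcloud iam service-accounts keys list --format=json`. The commit ids, file contents, project name `example-project`, service account `vendor-sync@…`, key ids, the 90-day rotation window and the detector patterns are all constructed assumptions; the AWS access key and secret are the placeholder values used in AWS's own documentation.

```python
"""Added example (not code from the article, TELUS, or trufflehog):
a history-aware secrets scanner and a service-account key age check
that exercise the three audit steps above. Every input below is constructed."""
import math
import re
from datetime import datetime, timezone

# Detector patterns: a constructed subset modelled on public key formats.
# Real scanners (trufflehog included) also verify candidates against the
# issuing API; here an entropy threshold stands in for that step.
PATTERNS = {
    "aws_access_key": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "gcp_service_account_key": re.compile(
        r'"private_key"\s*:\s*"-----BEGIN PRIVATE KEY-----'),
    "generic_high_entropy": re.compile(r"[A-Za-z0-9+/]{32,}"),
}
ENTROPY_THRESHOLD = 4.0  # bits per character; tune per repository


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for a single repeated char)."""
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def find_secrets(text):
    """Return [(detector, token)] for every candidate secret in one blob."""
    found = []
    for detector, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            token = m.group(0)
            if (detector == "generic_high_entropy"
                    and shannon_entropy(token) < ENTROPY_THRESHOLD):
                continue  # long but predictable strings are not credentials
            found.append((detector, token))
    return found


def scan_history(blobs):
    """Scan every historical version of every file.
    `blobs` stands in for what `git rev-list --all` plus `git show` would
    yield: one entry per (commit, path) with that version's content."""
    findings = []
    for b in blobs:
        for detector, token in find_secrets(b["content"]):
            findings.append({"commit": b["commit"], "path": b["path"],
                             "detector": detector, "token": token})
    return findings


def scan_head_only(blobs):
    """What a scan of the current checkout sees: only the newest blob per path."""
    latest = {}
    for b in blobs:  # blobs are listed oldest first
        latest[b["path"]] = b
    return scan_history(latest.values())


def stale_keys(keys, max_age_days, now):
    """Flag user-managed service-account keys older than the rotation window.
    `keys` uses the field names of `gcloud iam service-accounts keys list
    --format=json` (name, keyType, validAfterTime); values here are constructed."""
    stale = []
    for k in keys:
        if k.get("keyType") != "USER_MANAGED":
            continue  # Google rotates system-managed keys itself
        created = datetime.fromisoformat(k["validAfterTime"].replace("Z", "+00:00"))
        age_days = (now - created).days
        if age_days > max_age_days:
            stale.append((k["name"].rsplit("/", 1)[-1], age_days))
    return stale


# Constructed repository history: a key committed, then "removed" in a later
# commit, plus a service-account JSON that is still present at HEAD.
HISTORY = [
    {"commit": "c0ffee1", "path": "config/prod.env",
     "content": "AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"
                "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n"},
    {"commit": "c0ffee2", "path": "config/prod.env",
     "content": "# credentials moved to the secret manager\n"},
    {"commit": "c0ffee3", "path": "deploy/sa.json",
     "content": '{"type": "service_account", '
                '"client_email": "vendor-sync@example-project.iam.gserviceaccount.com", '
                '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...TRUNCATED...'
                '\\n-----END PRIVATE KEY-----\\n"}'},
]

# Constructed key listing for a hypothetical vendor-facing service account.
SA_PREFIX = ("projects/example-project/serviceAccounts/"
             "vendor-sync@example-project.iam.gserviceaccount.com/keys/")
SA_KEYS = [
    {"name": SA_PREFIX + "0123abcd", "keyType": "USER_MANAGED", "validAfterTime": "2025-01-15T00:00:00Z"},
    {"name": SA_PREFIX + "4567efgh", "keyType": "USER_MANAGED", "validAfterTime": "2026-02-20T00:00:00Z"},
    {"name": SA_PREFIX + "89ab0000", "keyType": "SYSTEM_MANAGED", "validAfterTime": "2026-03-01T00:00:00Z"},
]
NOW = datetime(2026, 3, 12, tzinfo=timezone.utc)  # audit date used to compute key ages

if __name__ == "__main__":
    print("HEAD only:", len(scan_head_only(HISTORY)), "finding(s)")
    for f in scan_history(HISTORY):
        print(f"history: {f['commit']} {f['path']}: {f['detector']}")
    print("Keys past 90-day rotation:", stale_keys(SA_KEYS, 90, NOW))
```

Run stand-alone, the HEAD-only scan reports one finding (the service-account JSON) while the full-history scan reports three, because the AWS key pair deleted in `c0ffee2` is still present in the `c0ffee1` blob. Against a real repository the equivalent trufflehog invocation is `trufflehog git file://./repo`, which walks all commits rather than the working tree. Any secret surfaced from history should be treated as compromised and rotated: rewriting history removes the copy in your repository but does not revoke the credential or recall any clone or export that already contains it.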

The TELUS breach was not a sophisticated attack. It was credential reuse across a supply chain, detected weeks after the fact. That's a problem that process and hygiene address — not a problem that requires advanced security tooling you don't already have.

Key Takeaways

  • ShinyHunters stole 1 petabyte from TELUS Digital, confirmed March 12, 2026, with a $65 million ransom demand
  • The attack required no zero-day: credentials found inside previously stolen Salesloft data opened TELUS's Google Cloud Platform environment
  • trufflehog was used offensively to scan TELUS's cloud for additional secrets after initial access — the same tool developers use to prevent exactly this
  • Data stolen includes FBI background check records, source code, voice recordings, Salesforce data, and PII for 24+ BPO customer companies
  • ShinyHunters is the same group behind the 2024 Snowflake campaign (Ticketmaster 560M records, Santander) and 2021 AT&T breach (70M customers)
  • BPO vendors amplify breach impact: one vendor compromise exposes all enterprise customers simultaneously, bypassing each organization's individual security controls
  • Immediate developer actions: rotate vendor-accessible credentials, scan complete git history with trufflehog, audit every third-party vendor's current access scope
