TELUS Digital has fallen victim to a security incident in which unsanctioned actors accessed its systems.
Upon learning of this incident, the company said it took immediate action to resolve it and prevent any future breaches of its systems and environment. “All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.”
The notorious cybercrime group ShinyHunters has taken responsibility for the attack and has also claimed that the group has managed to acquire sensitive data sets associated with the outsourcing processes of the company as well as the data associated with the telecommunications calls.
The gang said it has stolen 1 petabyte of data from TELUS, and shared samples of the stolen data with Reuters, which said purloined data included at least two dozen business customers’ PII and call-center recordings.
ShinyHunters told BleepingComputer they breached TELUS using Google Cloud Platform credentials they found in data stolen during the earlier supply chain attack on the Salesloft platform.
In terms of the data stolen, the company said: “TELUS Digital’s investigation into the nature and scope of potentially impacted data is ongoing. TELUS Digital will notify any impacted customers, as appropriate.”
TELUS said it has taken further security measures to strengthen its systems and environment. “As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”
The Gift that Keeps on Giving
Denis Calderone, CTO of Suzu Labs, said: “The Salesloft breach really is the gift that keeps on giving. The credentials used to get into Telus Digital trace back to the Salesloft compromise that started in early 2025. Those credentials have been making the rounds ever since, first into Drift’s AWS environment, then into Salesforce instances across 760 organizations, and now into a BPO that holds call recordings and FBI background checks for dozens of companies. Suzu called this the Russian nesting doll back in November when the Gainsight layer surfaced. Telus is just the latest doll, and we doubt this is going to be the last one yet.”
Think about the attack path here, Calderone added: “Stolen cloud credentials from Salesloft got them into Telus’s Google Cloud environment. From there, they ran TruffleHog, a tool our own pentesting team uses regularly for exactly this purpose, to scan for additional credentials embedded in files and logs. They found them, pivoted laterally, and allegedly made off with close to a petabyte of data, including call recordings, support records, FBI background checks, and source code spanning multiple Telus clients. One set of stolen credentials keeps leading to additional access because nobody revoked them and nobody was looking for embedded secrets in their own environment.”
One Compromise, Dozens of Victims
He said Telus is a BPO, so their data isn’t just their data. “It belongs to every client they serve. That’s what makes outsourcer breaches so dangerous: one compromise, dozens of victims.”
Calderone believes ShinyHunters is far from done. “They’re running this campaign, the Salesforce Aura Campaign we commented on last week, and ongoing extortion operations all at the same time. If your organization uses outsourced services or has integrations tied to the Salesloft ecosystem, hunt for exposure now. Audit your cloud credentials, scan for embedded secrets in your own repositories and logs, and assume any credentials tied to a compromised third party are already burned.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.