Telus Digital confirmed it is investigating a cybersecurity incident involving unauthorized access to a limited number of systems after the threat actor ShinyHunters claimed a multi-month intrusion and the theft of nearly 1 petabyte of data. Reporting indicates the allegedly stolen data includes information tied to Telus’ BPO operations (which can include customer support, billing, and internal tooling for multiple client organizations) and call records associated with Telus’ consumer telecommunications business. Telus stated operations remain fully functional and said it has engaged external forensics support and law enforcement while it determines what data was taken and which customers were affected.
Additional details attributed to ShinyHunters claim the initial access path involved Google Cloud Platform (GCP) credentials that were allegedly found in data previously stolen during the Salesloft/Drift breach, suggesting credential reuse/exposure as a key risk factor. As of the reporting cited, Telus Digital had not yet appeared on the actor’s leak site, and the company had not publicly confirmed the attacker’s identity or the specific data types impacted beyond acknowledging the incident and ongoing investigation.

Timeline: 6 events, from the most recent confirmed update back to the earliest known activity.
As the investigation continued, Telus Digital said it had implemented additional security measures following the intrusion. The company maintained that there was no evidence of disruption to customer connectivity or services.
On 2026-03-12, attackers allegedly used a compromised Telus employee workstation to gain access to Crunchyroll systems and exfiltrate about 100 GB of customer data. Reported stolen data included IP addresses, email addresses, credit card details, and other customer analytics information before access was reportedly revoked about 24 hours later.
Telus Digital confirmed unauthorized access affected a limited number of systems and said it was investigating what data was taken and which customers were impacted. The company said its operations remained fully functional, that it had engaged forensic experts and law enforcement, and that it had begun notifying affected customers as appropriate.
In March 2026, ShinyHunters publicly claimed it had stolen between roughly 700 terabytes and nearly 1 petabyte of data from Telus Digital and related Telus environments. The group alleged the haul included customer datasets, call records and recordings, source code, financial data, Salesforce data, and FBI background check information.
According to reporting, ShinyHunters started demanding $65 million in February in exchange for not leaking allegedly stolen Telus data. Telus was reported not to be negotiating with the group and later rejected the ransom demand.
ShinyHunters claimed the intrusion into Telus Digital began after it found Google Cloud Platform credentials in data from the earlier Salesloft/Drift breach. The actor said it then used credential-hunting tools such as TruffleHog to expand access across Telus systems during a months-long compromise.