ShinyHunters Stole a Petabyte From Telus. Through a Chatbot.
The breach started with stolen OAuth tokens from a chatbot integration. ShinyHunters pivoted through Salesforce, found GCP credentials, and exfiltrated nearly 1 petabyte including FBI background checks and customer call recordings.
#A chatbot integration led to the theft of nearly 1 petabyte of data.
In March 2026, Canadian telecom giant Telus Digital confirmed that ShinyHunters, one of the most prolific data theft groups in the world, had breached their systems and stolen close to one petabyte of data. The group demanded $65 million to not publish it.
Here's the attack chain, because it's a masterclass in how modern breaches actually work:
- 2025: Attackers compromised Salesloft's GitHub environment
- Stole OAuth tokens from Salesloft's Drift chatbot integration
- Those tokens gave them access to Salesforce data belonging to hundreds of organizations
- Inside that data, they found Google Cloud Platform credentials tied to Telus Digital
- They used Trufflehog (an open source credential scanner) to mine the stolen data for more passwords and tokens
- Each credential opened new doors. They moved laterally through Telus infrastructure over several months
- Exfiltrated nearly 1 petabyte before detection
Read that again. The entry point was OAuth tokens from a chatbot integration at a company Telus used. Not a vulnerability in Telus's code. Not a phishing email to a Telus employee. A third-party tool's GitHub repo contained tokens that eventually led to Telus's cloud infrastructure.
#What was stolen.
The scope is staggering:
- Customer support records and call center operations
- Voice recordings of support calls
- Agent performance metrics and internal tools
- AI-driven support tooling and fraud detection systems
- Source code
- Financial records
- Salesforce data
- FBI background check results for employees
- Content moderation infrastructure used by client companies
This isn't just a Telus problem. Telus Digital is a business process outsourcer. They handle customer support for other companies. Those other companies' customer data was in this breach too. If your business outsources any operations, your data lives in your vendor's infrastructure, and your vendor's security is your security.
#The OAuth token problem.
The breach started with OAuth tokens from a chatbot integration. OAuth tokens are how services connect to each other without sharing passwords. "Connect Drift to Salesforce." "Connect Slack to Google Drive." "Connect Zapier to everything." Every integration creates tokens that grant access.
Most organizations have dozens of these integrations. Most have no inventory of what tokens exist, what they can access, or when they were last rotated. Most don't revoke tokens when they stop using an integration. The tokens just sit there, waiting.
An attacker who gets one OAuth token can often find more. Because the first token gives access to a system that stores more tokens. That's exactly what happened here. Chatbot tokens led to Salesforce, Salesforce led to GCP credentials, GCP led to everything.
#What to do.
Audit your third-party integrations. Go into every SaaS tool your business uses and look at the connected apps / integrations / OAuth grants. Salesforce, Google Workspace, Microsoft 365, Slack, HubSpot, whatever you use. Remove integrations you don't recognize or no longer need. Each one is an attack surface.
Rotate OAuth tokens regularly. Most integrations let you regenerate tokens. Do it at least annually. If a vendor you use discloses a breach, rotate every token connected to that vendor immediately.
Use a secrets manager for cloud credentials. Storing GCP credentials in a Salesforce field is how this breach escalated. Use HashiCorp Vault, Doppler, or your cloud provider's native secrets manager. Never store cloud credentials in another SaaS platform.
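One way to find cloud credentials that are already sitting in SaaS fields before an attacker does, as an added example that is not from the original post: a small Python scanner run over exported CRM records (the sample rows below are constructed and the key material in them is fake). It recognises a GCP service-account key by its parsed JSON shape rather than a keyword, AWS access key ids by pattern, and PEM private-key headers, and reports where each finding lives without echoing the secret.

```python
import json
import re

# Constructed sample rows (as if exported from a CRM object); all key material is fake.
SAMPLE_ROWS = [
    {"Id": "a01", "Name": "Onboarding notes", "Description": "Call the customer back on Tuesday."},
    {"Id": "a02", "Name": "Pipeline creds",
     "Description": json.dumps({
         "type": "service_account", "project_id": "example-proj", "private_key_id": "abc123",
         "private_key": "-----BEGIN PRIVATE KEY-----\nFAKE\n-----END PRIVATE KEY-----\n",
         "client_email": "svc@example-proj.iam.gserviceaccount.com"})},
    {"Id": "a03", "Name": "Legacy AWS",
     "Description": "key AKIAIOSFODNN7EXAMPLE secret wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
]

AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")  # shape of an AWS access key id
PEM_KEY = re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")

def classify(value):
    """Return the kind of credential found in one field value, or None."""
    stripped = value.strip()
    if stripped.startswith("{"):
        try:
            obj = json.loads(stripped)
        except ValueError:
            obj = None
        # Check the parsed shape of a GCP service-account key file, not just a keyword,
        # so a harmless mention of "service_account" in a note is not flagged.
        if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
            return "gcp_service_account_key"
    if AWS_KEY_ID.search(value):
        return "aws_access_key_id"
    if PEM_KEY.search(value):
        return "pem_private_key"
    return None

def redact(value, keep=8):
    s = value.strip()  # keep only a short prefix: enough to locate, not enough to reuse
    return s[:keep] + "..." if len(s) > keep else s

def scan_records(rows, id_field="Id"):
    """Scan every string field of every record; report kind and location, never the secret."""
    findings = []
    for row in rows:
        for field, value in row.items():
            kind = classify(value) if field != id_field and isinstance(value, str) else None
            if kind:
                findings.append({"record": row.get(id_field), "field": field,
                                 "kind": kind, "preview": redact(value)})
    return findings
```

Run it against a CSV or API export of the objects your integrations can read; anything it flags belongs in a secrets manager, and the key itself should be rotated.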
Monitor for credential scanning tools. The attackers used Trufflehog against the stolen data to find more credentials. If you see Trufflehog, GitLeaks, or similar tools running in your environment and you didn't initiate a scan, that's a red flag.
Ask your vendors about their security. If you outsource operations (customer support, billing, IT), ask: how do they store your data? What happens if they get breached? Do they have cyber insurance? What's their incident notification timeline? You should know before the breach, not after.
#Further reading
- BleepingComputer: Telus Digital Breach - incident details
- Cybersecurity Dive: ShinyHunters Claims - attack analysis
- Trufflehog - the tool attackers used (also useful defensively to find your own leaked secrets)
- HashiCorp Vault - secrets management
- OWASP: Insufficient OAuth Token Validation - the vulnerability class