I want to tell you about a hack. But the hack itself isn’t the interesting part.
On March 12, Telus confirmed that its digital services arm got breached. ShinyHunters, the same group that’s been on a tear through enterprise targets for years, claimed they stole close to a petabyte of data. One petabyte. That’s a thousand terabytes. That’s “we downloaded your entire company and then kept going.”
The stolen data reportedly includes call records, voice recordings, FBI background checks, source code, Salesforce data, and BPO customer information for 28 companies that used Telus Digital for outsourced customer support. BleepingComputer reviewed the list but won’t publish the names because they can’t independently verify who got hit. Smart move. But you can bet the security teams at those 28 companies aren’t sleeping well.
Here’s the thing, though. The breach didn’t start at Telus. It started with Drift, a third-party tool plugged into Salesforce.
The Drift Door
ShinyHunters got into Telus through credentials buried in support tickets exposed by the Salesloft Drift breach. Drift, the conversational sales platform that Salesloft acquired, was compromised earlier: attackers used stolen OAuth tokens for Drift’s Salesforce integration to download customer support data from 760 companies. Inside those support cases were authentication tokens, API keys, and GCP credentials that customers had pasted in while troubleshooting issues.
Somebody at Telus, at some point, put Google Cloud Platform credentials into a support ticket that ended up in that Drift dataset. Maybe they were asking for help. Maybe they were sharing a config file. Doesn’t matter. ShinyHunters found those credentials, used them to get into Telus’s BigQuery datasets, and then ran trufflehog, an open-source secrets scanner, over that data to find more credentials that let them pivot deeper into the environment.
They didn’t break down the front door. They found a spare key in someone else’s junk drawer.
Why This Matters More Than the Usual Breach Story
Every MSP and channel partner reading this has a version of the same problem. You outsource things. Your vendors outsource things. Your customers outsource things. And somewhere in that chain, someone pasted credentials into a support ticket, shared an API key over email, or stored secrets in a Salesforce custom field because it was faster than doing it properly.
The Telus breach is a supply chain security story, and the supply chain in question is trust. Telus Digital is a BPO provider. Their entire business model is handling sensitive operations on behalf of other companies. Customer support calls. Content moderation. AI data labeling. They’re embedded in their clients’ workflows. When Telus gets breached, the blast radius extends to every company that trusted them with data access.
And the entry point wasn’t even at Telus. It was at a third-party tool that Telus happened to use, where someone happened to paste a credential, which happened to get stolen months earlier in a completely separate breach.
If that chain of events doesn’t make you nervous about your own vendor stack, you’re not paying attention.
The Conversation Nobody Wants to Have
I’ve spent enough time in this industry to know how vendor security reviews actually go. You send a questionnaire. They fill it out. You get a SOC 2 report. Maybe you glance at it. Maybe you file it and move on. Everyone checks the box and nobody asks the uncomfortable question: “What happens when your tool vendor’s tool vendor gets hacked?”
The answer, apparently, is someone walks off with a petabyte of your data.
Telus is huge. They have security teams, incident response plans, and Mandiant on retainer. If they can get popped through a daisy chain of breaches, the 50-person MSP running three BPO relationships and a dozen SaaS tools with admin credentials scattered across Slack threads has no chance of catching something like this before it’s too late.
I talked to a channel security consultant last week who put it better than I could: “We audit our clients’ environments but we never audit what their vendors paste into support tickets. And honestly, we wouldn’t even know where to look.”
What You Can Actually Do
I’m not going to pretend there’s a five-step fix for third-party supply chain risk. There isn’t. But a few things are worth doing.
Rotate your credentials. Every API key, every service account, every GCP or AWS token that’s ever been shared in a support ticket. If you can’t remember whether you’ve shared credentials in a vendor support case, assume you have. Rotate them, and before you retire the old key, pull its usage logs: a credential read out of a ticket months ago may already have been used, and rotation alone won’t tell you that. The partners who take security seriously are the ones who survive stories like this.
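The defensive mirror of the step in the Drift section above, where ShinyHunters ran trufflehog over stolen BigQuery data to harvest more keys: the same regex-plus-entropy scanning, pointed at an export of your own support tickets, tells you which tickets ever carried a credential and so which keys to rotate. This is an added example written for this post, not Telus’s, Salesloft’s or trufflehog’s code. The AWS and Google key shapes are the publicly documented formats; the other detector patterns, the function names and every sample ticket are assumptions constructed for illustration (the AWS key ID is the example value from AWS’s own documentation, and nothing here is a working secret).

```python
"""Find credentials in support-ticket text so you know which keys to rotate.

Added example for this post: a small regex-plus-entropy secrets scanner in the
style of trufflehog's detectors, pointed at your own ticket export instead of
at stolen data. Not Telus's, Salesloft's or trufflehog's code. The AWS and
Google key shapes are the publicly documented formats; the remaining patterns
and every sample ticket below are assumptions constructed for illustration.
"""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Detector name -> pattern. Where a pattern has a capture group, the group is
# the secret; otherwise the whole match is.
DETECTORS: dict[str, re.Pattern[str]] = {
    # AWS access key IDs: AKIA (long-term) or ASIA (temporary) + 16 chars.
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    # Google API keys: "AIza" + 35 URL-safe characters.
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    # PEM private key, including the body when it sits on the same line
    # (as it does inside a pasted GCP service-account JSON file).
    "private_key_block": re.compile(
        r"-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----"
        r"(?:.*?-----END (?:RSA |EC |OPENSSH )?PRIVATE KEY-----)?"
    ),
    # The tell-tale field of a GCP service-account key file.
    "gcp_service_account_json": re.compile(r'"type"\s*:\s*"service_account"'),
    # HTTP Authorization headers pasted from browser dev tools or curl -v.
    "bearer_token": re.compile(r"(?i)\bbearer\s+([A-Za-z0-9\-._~+/]{20,}=*)"),
    # Generic "name = value" assignments (assumed keyword list); entropy-filtered below.
    "assigned_secret": re.compile(
        r"(?i)(?:api[_-]?key|secret|token|password|passwd)\b\s*[=:]\s*['\"]?([^\s'\"]{12,})"
    ),
}


@dataclass(frozen=True)
class Finding:
    detector: str
    secret: str
    line: int  # 1-based line within the ticket body


def shannon_entropy(s: str) -> float:
    """Bits per character; placeholders like 'changeme' score low, real keys high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def find_secrets(text: str, entropy_floor: float = 3.5) -> list[Finding]:
    """Return every credential-looking string in a ticket body, in reading order."""
    findings: list[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for name, pattern in DETECTORS.items():
            for m in pattern.finditer(line):
                value = m.group(1) if m.groups() else m.group(0)
                # Keyword matches are noisy; drop low-entropy values such as
                # 'api_key=changeme-changeme' that are almost never real.
                if name == "assigned_secret" and shannon_entropy(value) < entropy_floor:
                    continue
                findings.append(Finding(name, value, line_no))
    return findings


def tickets_needing_rotation(tickets: dict[str, str]) -> dict[str, list[Finding]]:
    """Map ticket id -> findings, for every ticket that ever carried a secret."""
    return {tid: hits for tid, body in tickets.items() if (hits := find_secrets(body))}


def redact(text: str) -> str:
    """What the ticket should have looked like: secrets replaced, context kept.

    Run this on outbound ticket text before it leaves your tenant."""
    out = text
    # Longest first so a whole PEM block goes before its header alone could.
    for f in sorted(find_secrets(text), key=lambda f: len(f.secret), reverse=True):
        out = out.replace(f.secret, f"[REDACTED:{f.detector}]")
    return out


# Constructed sample tickets. AKIAIOSFODNN7EXAMPLE is the example key ID from
# AWS's own documentation; everything else is invented and not a working key.
SAMPLE_TICKETS: dict[str, str] = {
    "T-1001": (
        "Hi, our nightly BigQuery export fails with 403. Attaching the SA key we use:\n"
        '{"type": "service_account", "project_id": "example-prj", '
        '"private_key_id": "0123456789abcdef", '
        '"private_key": "-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBgkq...\\n-----END PRIVATE KEY-----\\n", '
        '"client_email": "exporter@example-prj.iam.gserviceaccount.com"}\n'
        "Also tried the AWS side with AKIAIOSFODNN7EXAMPLE, same error.\n"
    ),
    "T-1002": (
        "Chat widget not rendering on staging. Request from the console:\n"
        "Authorization: Bearer ya29.a0AfH6SMC1d2e3f4g5h6i7j8k9l0mnopqrstuv\n"
        "db_password: 9f3Kq2vL8mZt4Wx1\n"
        "api_key=changeme-changeme\n"
    ),
    "T-1003": "Can you confirm the SLA for chat response times? Nothing attached.\n",
}

if __name__ == "__main__":
    for tid, hits in tickets_needing_rotation(SAMPLE_TICKETS).items():
        for f in hits:
            print(f"{tid} line {f.line}: {f.detector} -> rotate {f.secret[:12]}...")
    print(redact(SAMPLE_TICKETS["T-1001"]))
```

Feed it the description and comment fields from a Salesforce Case export (or whatever your ticketing tool dumps) and the output is your rotation list, ticket by ticket. Two caveats a practitioner will hit immediately: the entropy floor needs tuning per environment, and a hand-rolled pattern list only finds the key formats someone thought to write down, which is exactly why trufflehog ships hundreds of detectors and can verify a hit against the live service. The `redact` function is the cheaper fix: run it on ticket text before it leaves your tenant and there is nothing for the next Drift-style breach to harvest.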
Ask harder questions. When you evaluate a BPO or SaaS vendor, don’t just ask about their security posture. Ask about their vendors’ security posture. Ask what tools they use for customer support. Ask where support ticket data is stored and who has access. You won’t get perfect answers, but you’ll learn who takes the question seriously and who fumbles it.
Watch the Telus fallout. ShinyHunters is trying to extort Telus, and Telus isn’t engaging. That means the stolen data could end up dumped publicly. If any of your vendors use Telus Digital for BPO services, you need to be asking them directly whether they’re on the list. Don’t wait for a notification. Be proactive.
The Part That Keeps Me Up
What bothers me most about this story isn’t the size of the breach. It’s the method. Credential harvesting from support tickets is embarrassingly low-tech. No zero-day. No sophisticated malware. Just someone reading through old support cases and finding keys that still worked.
That means this attack vector is repeatable. It’s probably being replicated right now against other companies whose credentials sat in the support data taken from those 760 Drift customers. Telus is the one that made the news. They won’t be the last.
If you’ve ever pasted a password, API key, or config snippet into a vendor support ticket, go change it. Today. Right now.
I’ll be at the bar if you need me.