Supply Chain Credential Theft and the TELUS Breach


When TELUS Digital confirmed a cyberattack on March 12, 2026, the headline was about scale: nearly one petabyte of stolen data, a $65 million ransom demand, and one of Canada’s largest telecoms facing a months-long silent intrusion. But the detail security teams should focus on is how the attack started. The ShinyHunters group did not hack TELUS directly. They used credentials stolen from a completely different company to walk through the front door. Supply chain credential theft is the thread running through this breach, and it deserves a direct place in every organization’s security awareness training.

How ShinyHunters Used a Vendor Breach to Unlock TELUS

The attack chain began at Salesloft, a sales engagement platform used by TELUS and thousands of other organizations worldwide. When Salesloft suffered its own breach, valid Google Cloud Platform credentials belonging to TELUS were among the data exposed. ShinyHunters acquired those credentials and used them to authenticate against TELUS infrastructure as if they were legitimate users.

From there, the group moved laterally through TELUS systems over a period of months, accessing customer support recordings, source code, voice recordings, Salesforce data, and employee records that included FBI background check results. There was no brute-force attack and no exotic zero-day exploit. The attackers had a valid key, and they used it patiently. If your staff have not yet checked whether their credentials appear in known breach databases, this case makes a compelling argument for doing it today.

Why Supply Chain Credential Theft Stays Hidden

Most security awareness programs focus on direct threats: a phishing email arrives in an employee’s inbox, a suspicious link surfaces in a chat message, a caller claims to be IT support. These remain important training topics. But supply chain credential theft operates at a layer most employees never think about.

When your organization uses a SaaS tool, that tool often holds tokens, API keys, or login credentials that grant access to other systems. If the vendor is breached, those credentials can be extracted and reused against your infrastructure. The victim organization did not click anything, did not respond to a phishing email, and did nothing obviously wrong. The exposure came entirely from trusting a third party that failed to protect shared access credentials.

According to the Verizon 2025 Data Breach Investigations Report, credential misuse was a factor in nearly a third of all analyzed breaches. A meaningful share of those credentials were originally exposed through third-party incidents rather than direct attacks on the victim. The risk is structural as much as behavioral, which is precisely why a security awareness training program needs to address vendor credential exposure as a distinct topic rather than treating all credential risk as a phishing problem.

What Your Team Actually Needs to Know

The practical question after any supply chain breach is: which of our vendors hold credentials or tokens that access our core systems? Most employees have no idea. They use tools daily without knowing that those tools authenticate to corporate infrastructure behind the scenes. Closing that knowledge gap does not require technical expertise; it requires awareness.

Training that covers vendor risk should help employees understand a few key ideas. First, credentials extend well beyond usernames and passwords. API tokens, OAuth connections, and service accounts all carry access privileges that can be abused if exposed in a third-party breach. Second, when a vendor announces a breach, that announcement should trigger an internal review, not just a passive read in a news feed. Third, employees in IT and procurement who evaluate and onboard SaaS tools play a specific role in this risk chain and benefit from targeted guidance on what security questions to ask before signing a contract.

The dwell time in the TELUS case is also worth noting. The attackers had legitimate credentials, so their activity looked normal to standard monitoring tools. Reducing dwell time requires employees who report anomalies even when they cannot fully articulate why something feels off. Reporting culture is a training outcome, not just a technology configuration.
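Because a stolen credential authenticates successfully, a useful check compares how each vendor-held credential is used against what the integration is supposed to do. The sketch below is an added example, not taken from the TELUS incident or any vendor's tooling; the inventory, principal names, log fields and IP ranges are constructed assumptions, and real cloud audit logs use a different schema.

```python
import ipaddress
import json

# Constructed inventory: which vendor holds each credential, the egress
# ranges that vendor documents, and the services the integration needs.
# All names are hypothetical; the IPs are documentation ranges.
VENDOR_CREDENTIALS = {
    "sales-sync@example-project.iam": {
        "vendor": "sales-engagement-saas",
        "egress": ["192.0.2.0/24"],
        "expected_services": {"bigquery"},
    },
}

# Constructed, simplified audit records (not a real cloud log schema).
SAMPLE_LOG = """\
{"ts": "2026-01-05T09:00:00Z", "principal": "sales-sync@example-project.iam", "ip": "192.0.2.14", "service": "bigquery"}
{"ts": "2026-01-06T02:13:00Z", "principal": "sales-sync@example-project.iam", "ip": "203.0.113.77", "service": "bigquery"}
{"ts": "2026-01-06T02:20:00Z", "principal": "sales-sync@example-project.iam", "ip": "203.0.113.77", "service": "storage"}
{"ts": "2026-01-06T10:00:00Z", "principal": "alice@example.com", "ip": "198.51.100.9", "service": "storage"}
"""

def review(log_text, inventory=VENDOR_CREDENTIALS):
    """Return findings for vendor-held credentials used outside their profile."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        profile = inventory.get(event["principal"])
        if profile is None:
            continue  # not a vendor-held credential; out of scope here
        reasons = []
        ip = ipaddress.ip_address(event["ip"])
        if not any(ip in ipaddress.ip_network(net) for net in profile["egress"]):
            reasons.append("source outside vendor egress ranges")
        if event["service"] not in profile["expected_services"]:
            reasons.append("service not part of the integration")
        if reasons:
            findings.append({"ts": event["ts"], "vendor": profile["vendor"],
                             "principal": event["principal"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in review(SAMPLE_LOG):
        print(f["ts"], f["vendor"], f["principal"], "; ".join(f["reasons"]))
```

The check only works if the inventory exists, which is the same vendor-to-credential mapping the internal review after a vendor breach announcement depends on.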

Three Steps Worth Taking This Week

If the TELUS breach is prompting a review of your own exposure, here is where to start. Begin by checking whether credentials associated with your domain appear in known breach data using a purpose-built tool. Next, audit which third-party platforms authenticate to your cloud or productivity infrastructure and verify those vendors hold current security certifications. Finally, consider booking a security readiness assessment to understand how well your team currently recognizes supply chain risk scenarios compared to the direct-attack threats they practice most.

The TELUS Digital breach is not a story about an exotic technique. It is a story about patience, credential reuse, and an attack surface most organizations have not yet trained their people to recognize. The ShinyHunters group did not need to be creative. They needed credentials that had already been stolen elsewhere, and they found them. Building a workforce that understands how that chain works is one of the more concrete investments in resilience any Canadian organization can make right now.
