In what is being called the largest data exfiltration event of 2026, the ShinyHunters threat group has claimed credit for stealing 1 Petabyte (PB) of data from Telus Digital. The breach exposes a fundamental flaw in legacy cloud identity management.
The Attack Vector: Stolen GCP Keys
Preliminary investigations by **Mandiant** suggest that the attackers did not "hack" their way into Telus's production environment. Instead, they used legitimate administrative credentials for **Google Cloud Platform (GCP)** that were likely harvested from a misconfigured DevOps repository during a separate breach in 2025.
Once inside the GCP console, the attackers used a "Service Account Pivot" to escalate privileges. By impersonating a highly privileged data migration service account, they were able to issue massive parallel read requests against **Google Cloud Storage (GCS)** buckets, bypassing traditional rate-limiting alerts that are tuned to human user patterns.
1PB Exfiltration: How Did They Hide the Traffic?
Moving 1PB of data without triggering network bandwidth alarms is a massive engineering feat. The attackers reportedly used a **Direct-to-Cloud (D2C)** transfer technique. Instead of routing the data through Telus's corporate network, they used the administrative console to "sync" the buckets directly to an attacker-controlled GCP project in a different region.
This effectively turned Google's own high-speed backbone against the victim. The data was moved internally within Google's infrastructure, which often carries different alerting thresholds than egress traffic to the open internet.
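As an added illustration (not code from the article or from the Mandiant investigation), the Python below runs a simple detection over constructed GCS Data Access audit log entries: it counts object reads per principal in fixed time windows and reports windows above a threshold, surfacing the impersonating identity from the `serviceAccountDelegationInfo` chain that impersonated calls leave in the log. The project, bucket, principal names, window and threshold are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

READ_METHODS = {"storage.objects.get", "storage.objects.list"}

def _entry(ts, method, principal, delegator=None, obj="rec"):
    """Build one constructed Data Access log entry in Cloud Audit Logs shape."""
    auth = {"principalEmail": principal}
    if delegator:  # impersonation records the original caller in a delegation chain
        auth["serviceAccountDelegationInfo"] = [
            {"firstPartyPrincipal": {"principalEmail": delegator}}]
    return {"timestamp": ts, "protoPayload": {
        "methodName": method, "authenticationInfo": auth,
        "resourceName": f"projects/_/buckets/customer-logs/objects/{obj}"}}

# Constructed sample: 40 reads in one minute by an impersonated service account,
# plus 3 ordinary reads by a human user (hypothetical names, not Telus data).
SAMPLE_LOGS = [_entry(f"2026-02-01T10:00:{i:02d}Z", "storage.objects.get",
                      "migration-agent@victim-proj.iam.gserviceaccount.com",
                      "harvested-admin@example.com", f"rec{i}") for i in range(40)]
SAMPLE_LOGS += [_entry(f"2026-02-01T10:00:{i:02d}Z", "storage.objects.get",
                       "alice@example.com", None, f"rec{i}") for i in range(3)]

def delegator_of(entry):
    """Return the principal that impersonated the service account, or None."""
    chain = entry["protoPayload"]["authenticationInfo"].get(
        "serviceAccountDelegationInfo", [])
    return chain[0].get("firstPartyPrincipal", {}).get("principalEmail") if chain else None

def flag_bulk_reads(entries, window_s=60, threshold=20):
    """Count GCS read calls per principal in fixed windows; return windows above
    threshold, with the impersonating principal(s) and distinct objects touched."""
    windows = defaultdict(list)
    for e in entries:
        p = e["protoPayload"]
        if p["methodName"] not in READ_METHODS:
            continue
        ts = datetime.fromisoformat(e["timestamp"].replace("Z", "+00:00")).timestamp()
        windows[(p["authenticationInfo"]["principalEmail"], int(ts // window_s))].append(e)
    alerts = []
    for (principal, win), hits in windows.items():
        if len(hits) > threshold:
            alerts.append({
                "principal": principal, "window": win, "reads": len(hits),
                "impersonated_by": sorted({d for d in map(delegator_of, hits) if d}),
                "objects": len({h["protoPayload"]["resourceName"] for h in hits})})
    return alerts
```

The read-method set is an assumption: extend it with whatever copy or rewrite methods your own Data Access logs record for bucket-to-bucket transfers, since those per-object entries on the source bucket are what remain visible when an internal transfer never crosses an egress threshold.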
Breach Statistics (Estimated)
- Total Data Stolen: 1.02 Petabytes
- Impacted Entities: 76,000+ Business Customers
- PII Exposure: Names, Addresses, Device IMEI numbers, and Service Logs
- Dwell Time: 14 Days (inferred; consistent with periodic syncing)
The Fallout: AI Training Data at Risk
Critically, the stolen dataset is rumored to include **Telus's proprietary AI training data**—large-scale interaction logs used to fine-tune their customer service agents. In the wrong hands, this data provides a perfect blueprint for crafting highly targeted **prompt injection** attacks against Telus's production AI systems.
Telus has reportedly disabled all compromised service accounts and is in the process of rotating its entire GCP credential set. For many customers, however, the damage is already done: the data has surfaced on several underground forums for sale at an initial price of $500,000.