Stefán Jökull Sigurðarson

Massive day for @Charlotte_Hunt_ and I today as we welcome our first ever *proper* @haveibeenpwned employee: @stebets troyhunt.com/have-i-been-pw…

Today @BleepinComputer published a story on a company named Telus Digital being compromised by a Threat Group operating under the moniker "ShinyHunters', a reference to Pokemon. GTIG (Google Threat Intelligence Group) has been tracking ShinyHunters under the label UNC6395. UNC6395 has been targeting enterprise organizations since at least August, 2025 by exploiting compromised OAuth tokens to gain access to company SalesForce instances. Upon successful compromise, UNC6395 attempts vertical or horizontal movement by combing through the compromised SalesForce data. At a currently unknown time, UNC6395 successfully compromised Telus' SalesForce instance which allowed them to pivot elsewhere within the organization. The amount of data UNC6395 claims to have compromised is astronomical. They claim to have exfiltrated over ONE PETABYTE of data (compressed as .tar.xz). While Telus has confirmed the compromise, the exfiltration of ONE PETABYTE of data indicates the compromise may have occurred weeks, possibly months, ago. Telus as of this writing has not given additional details on the compromise (more on that later). I am unable to confirm the validity of the data, primarily because I do have the means to reliably comb through a petabyte of data. However, "snippets" and "samples" have been shared. Based off data seen, the compromised appears authentic. Here is a high-level overview of what was allegedly compromised and successfully exfiltrated. - Employee Full Legal Name - Employee National ID Number and/or SSN - Telus hashed passwords, API keys, OAuth tokens - Call record details - Call meta data - Telecom customer PII (First Name, Last Name, Address) - HR records - Agent performance records - SalesForce accounts, contacts, leads, and records - Financial records (ACH routing numbers, etc) - GitHub repository access to an additional 20 organizations adjacent to Telus (20,000 internal source code projects) - Customer and Agent call records in .wav - 14,139 customer database instances, all containing customer PII (unspecified) - GLEAN TELUS background check files. UNC6395 has access to FBI, RCMP, and CISA background checks. - GLEAN TELUS confidential reports on investigations - GLEAN TELUS confidential reports on tax filings (?) - ... just search "GLEAN" on Google If what UNC6395 states is true, this breach impacts approx. 230M companies across the globe. Based on information seen publicly, ... it looks bad. However, as of this writing, Telus has not done anything other than confirm the compromise with some journalists. I suspect they're currently performing a DFIR (Digital Forensics and Incident Response) and forming a strategy to combat this technologically, legally, logistically, and PR-wise. Is UNC6395 telling the truth? Is this compromise as severe as it appears to be? When will TELUS provide more details? Will impacted customers be notified? Is law enforcement mad their background checks are allegedly compromised? Find out next time on Dragon Ball Z

Concerned your info may have been stolen in a data breach? We advise you to be alert to suspicious emails, calls, or text messages, and only contact organisations via their official website. Read our guidance on data breaches and what to look out for⬇️ ncsc.gov.uk/guidance/data-…