ShinyHunters Breach Amtrak via Salesforce Social Engineering — Up to 9.4 Million Records Compromised
Summary
The prolific cybercrime group ShinyHunters has claimed responsibility for a massive data breach targeting Amtrak, alleging the theft of 9.4 million customer records through unauthorized access to the rail operator’s Salesforce CRM systems. The breach was added to the Have I Been Pwned (HIBP) database on April 17, 2026, confirming at least 2.1 million unique email addresses were exposed alongside names, physical addresses, and customer support ticket data.
Rather than exploiting a technical vulnerability in Salesforce itself, ShinyHunters gained access through social engineering attacks targeting Amtrak employees. The group threatened to release the full dataset publicly if a ransom demand was not met. This breach is part of a broader ShinyHunters campaign targeting organizations that use Salesforce, with other victims in 2026 reportedly including Cisco Systems, Hallmark, Rockstar Games, Mercer Advisors, and Beacon Pointe Advisors.
The discrepancy between the claimed 9.4 million records and the 2.1 million unique emails in HIBP likely reflects duplicate entries and multiple records per individual. Regardless, this represents one of the largest transportation sector breaches in recent memory.
Sources
- CyberNews — Hackers Threaten Amtrak Data Leak
- TechRepublic — Amtrak Data Breach 2.1M Records
- Have I Been Pwned — Amtrak Breach Entry
Commentary
ShinyHunters continues to prove that the biggest attack surface isn’t your software — it’s your people. Gaining access through social engineering rather than a Salesforce zero-day means no amount of platform patching would have prevented this. The fact that they’re running a systematic campaign against Salesforce-dependent organizations suggests they’ve refined a playbook that’s working far too well.
For organizations heavily reliant on CRM platforms, this is a wake-up call about access controls, phishing-resistant MFA for admin accounts, and monitoring for anomalous data export patterns. If someone is bulk-exporting 9.4 million records from your CRM and nobody notices until a threat actor posts about it on a dark web forum, your detection capabilities need serious work.
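One way to watch for the bulk-export pattern described above, as an added example that is not from the original article or from any vendor: it totals exported rows per user per day from constructed audit events and flags a day that is both above an absolute floor and far above that user's own earlier median. The event schema, field names, user names and thresholds are all assumptions.

```python
import json
from collections import defaultdict
from statistics import median

# Constructed sample audit events; the schema is hypothetical, not a real CRM's.
SAMPLE_EVENTS = """\
{"ts": "2026-04-01T09:12:00", "user": "agent.kim", "action": "export", "rows": 180}
{"ts": "2026-04-01T15:40:00", "user": "agent.kim", "action": "export", "rows": 220}
{"ts": "2026-04-02T10:05:00", "user": "agent.kim", "action": "export", "rows": 350}
{"ts": "2026-04-03T11:30:00", "user": "agent.kim", "action": "export", "rows": 410}
{"ts": "2026-04-04T02:14:00", "user": "agent.kim", "action": "login", "rows": 0}
{"ts": "2026-04-04T02:16:00", "user": "agent.kim", "action": "export", "rows": 9000}
{"ts": "2026-04-04T02:31:00", "user": "agent.kim", "action": "export", "rows": 12000}
{"ts": "2026-04-01T08:00:00", "user": "analyst.roy", "action": "export", "rows": 3000}
{"ts": "2026-04-02T08:00:00", "user": "analyst.roy", "action": "export", "rows": 3200}
{"ts": "2026-04-03T08:00:00", "user": "analyst.roy", "action": "export", "rows": 2900}
{"ts": "2026-04-04T08:00:00", "user": "analyst.roy", "action": "export", "rows": 6000}
{"ts": "2026-04-04T03:02:00", "user": "svc.newapp", "action": "export", "rows": 50000}
"""

def daily_export_totals(lines):
    """Sum exported rows per user per calendar day, ignoring non-export events."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev.get("action") == "export":
            totals[ev["user"]][ev["ts"][:10]] += int(ev["rows"])
    return totals

def find_anomalous_exports(lines, ratio=10, floor=5000):
    """Return (user, day, rows, baseline) for days at or above `floor` rows that
    also exceed `ratio` times the median of that user's earlier normal days.
    A user with no history has baseline 0, so only the floor applies."""
    alerts = []
    for user, days in daily_export_totals(lines).items():
        history = []
        for day in sorted(days):
            rows = days[day]
            baseline = median(history) if history else 0
            if rows >= floor and rows > ratio * baseline:
                alerts.append((user, day, rows, baseline))
            else:
                history.append(rows)  # flagged days never raise the baseline
    return sorted(alerts, key=lambda a: (a[1], a[0]))

if __name__ == "__main__":
    for alert in find_anomalous_exports(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

The per-user baseline is what keeps `analyst.roy`, who routinely exports thousands of rows, from alerting on a 6,000-row day while a support account that normally exports a few hundred rows is flagged at 21,000.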


