The ShinyHunters extortion group posted an ultimatum to Hallmark Cards on March 30, 2026, claiming access to 7.9 million Salesforce records containing customer PII and internal corporate data. The threat actors set an April 2 deadline for ransom payment, warning the Kansas City greeting card giant to “make the right decision, don’t be the next headline.”
The alleged breach targets both Hallmark Cards Inc. and the company’s subscription streaming service Hallmark Plus, according to the extortion post. ShinyHunters threatened “several annoying (digital) problems” alongside data publication if demands are not met, suggesting potential operational disruption beyond simple data leakage.
ShinyHunters Campaign Context
The claim follows ShinyHunters’ documented pattern of targeting Salesforce implementations through the AuraInspector tool and social engineering tactics. The group claimed 40+ breaches in early 2026, including the European Commission, the Infinite Campus K-12 platform, and multiple financial services firms. Their Salesforce campaign has exposed hundreds of organizations by exploiting Aura framework misconfigurations and compromised admin credentials.
Potential Impact
If legitimate, the 7.9 million records would likely include Hallmark Plus subscriber information, e-commerce customer data, and internal business intelligence from CRM systems. Hallmark Cards operates retail locations nationwide alongside its direct-to-consumer platforms, creating exposure across multiple customer databases. The company has not issued a public statement regarding the alleged incident.
Verification Status
BreachNews has not independently confirmed the breach claims or verified sample data authenticity. Hallmark customers concerned about potential exposure should monitor accounts for unauthorized activity and be alert for targeted phishing attempts leveraging stolen customer information.