ShinyHunters posted 5 new victims to its leak site on April 11, 2026, all carrying an April 14 ransom deadline and identical pay-or-leak language. The targets are Amtrak, McGraw Hill, Kemper Corporation, Mytheresa, and Abrigo, representing the latest public-facing extortion demands from a Salesforce data theft campaign that has been running since September 2025 and has claimed between 300 and 400 organizations to date. That deadline arrives today. None of the organizations named had issued any public statement at time of publication.
The April 11 listings coincide with ShinyHunters’ confirmed breach of Rockstar Games, which the company acknowledged on April 11 and attributed to a separate third-party breach involving Anodot, a cloud monitoring platform. The Rockstar listing is distinct from the Salesforce campaign. The other 5 victims reference Salesforce records exclusively, and no specific entry point has been confirmed for them beyond that.
The Victims and What Was Allegedly Taken
Amtrak (National Railroad Passenger Corporation) — ShinyHunters claims to have exfiltrated more than 9.4 million Salesforce records from the U.S. national passenger rail operator, allegedly containing PII and internal corporate data. Amtrak serves millions of passengers annually across the continental United States and is classified as critical transportation infrastructure.
McGraw Hill — The education publishing giant faces the largest claimed record count in this wave at more than 45 million Salesforce records allegedly containing PII. McGraw Hill serves students, educators, and institutions across higher education and K-12 markets globally through its MHEducation platform.
Kemper Corporation — ShinyHunters claims more than 13 million Salesforce records containing PII and internal corporate data were exfiltrated from the insurance and financial services company. Kemper provides auto, home, and life insurance products to millions of customers across the United States.
Mytheresa — The Munich-based luxury fashion e-commerce platform is listed with a claim of sensitive customer PII and transactional history data, though no record count was specified. Mytheresa serves a high net worth international customer base, making its transactional records particularly attractive for fraud and identity theft.
Abrigo — ShinyHunters claims more than 1.7 million Salesforce records from Abrigo, a software provider serving community banks and credit unions across the United States with compliance, lending, and financial crime detection tools. A breach of Abrigo’s customer data carries downstream risk for the financial institutions it serves.
An Ongoing Campaign Since September 2025
The April 11 listings are not an isolated event. ShinyHunters’ Salesforce campaign has been active since at least September 2025, exploiting misconfigured Salesforce Experience Cloud guest user permissions to extract data at scale. The group weaponized AuraInspector, an open-source scanning tool released by Mandiant in January 2026 to help administrators detect misconfigurations, modifying it to automate mass scanning and bulk data extraction across vulnerable Salesforce environments. Salesforce has repeatedly stated the issue is not a platform vulnerability but a customer configuration problem, specifically guest user profiles granted overly broad permissions that allow unauthenticated access to CRM data.
The campaign only became public in March 2026 when Salesforce issued a formal advisory and ShinyHunters posted about the operation on its leak site. By that point the group claimed to have breached between 300 and 400 organizations, including approximately 100 high profile companies. Prior named victims across the broader campaign include Google, Cisco, Adidas, Qantas, Chanel, LVMH subsidiaries including Louis Vuitton and Dior, Grubhub, Panera Bread, LexisNexis, and Hallmark Cards. The April 11 wave adds 5 more organizations to that list.
Deadline Day
The April 14 deadline set across all 5 listings arrives today. ShinyHunters told the BBC that ransom demands from at least one victim — Rockstar — had not been met as of April 13, and the group stated its intent to publish stolen data. Whether any of the 5 organizations listed here have paid or reached an agreement with the group is not known at time of publication. Law enforcement agencies consistently advise against paying ransoms, noting that payment neither guarantees data deletion nor prevents future attacks. ShinyHunters’ own history includes cases where data was published regardless of whether a ransom was paid. BreachNews will update this article if data is published or if any of the named organizations issue a public response.
For a full profile of ShinyHunters and their documented history, see our ShinyHunters threat actor page.
