Fintech software provider Abrigo was hit by a "pay or leak" extortion campaign run by the ShinyHunters group in April 2026, with stolen data subsequently published when payment was refused. The leak, indexed by Have I Been Pwned, exposed 711,099 unique email addresses sourced from Abrigo's Salesforce instance, affecting both internal staff and external business contacts across the financial institutions Abrigo serves.
What Happened
In April 2026, ShinyHunters targeted Abrigo as part of its ongoing campaign of Salesforce-focused extortion operations. The group demanded payment in exchange for not publishing data it claimed to have exfiltrated from the company's Salesforce tenant. After Abrigo declined to engage with the extortion demand, the threat actors followed through and publicly released the dataset. The dump was subsequently loaded into Have I Been Pwned, which verified the data and established the count of unique addresses exposed. Notably, this incident is distinct from Abrigo's prior 2025 Salesforce exposure tied to the Drift application connector compromise, although the categories of data overlap meaningfully.
What Was Taken
The leaked dataset contains 711,099 unique email addresses tied to records held within Abrigo's Salesforce CRM environment. The records reflect business contact information consistent with what was disclosed in the earlier Drift-related incident: institution name, employee name, email address, and phone number. Both Abrigo employees and external contacts at customer financial institutions appear within the leak. While the data is not credential material or financial account data on its face, it is a high-fidelity targeting list of named individuals at named banking and lending organizations, with verified contact channels.
Why It Matters
Abrigo provides compliance, lending, and risk management software to thousands of community banks and credit unions across the United States. A leaked CRM extract gives adversaries a curated roster of decision makers, compliance officers, and operational contacts at institutions handling regulated financial workflows. This is prime feedstock for downstream business email compromise, vendor impersonation, and targeted phishing aimed at the financial services supply chain. The incident also reinforces a clear pattern: ShinyHunters has industrialized Salesforce tenant compromise as a revenue stream, and SaaS CRM data is now a recurring entry point for extortion economics rather than an afterthought.
The Attack Technique
Public reporting attributes the breach to ShinyHunters' broader Salesforce extortion campaign, which has trended toward social engineering of support and sales personnel to obtain valid Salesforce session tokens or OAuth grants, followed by bulk export of CRM objects using legitimate data loader tooling. The exact initial access vector against Abrigo has not been publicly confirmed, and the company has stated this event is operationally separate from its earlier Drift connector compromise. Whether the new intrusion involved residual access from that earlier incident, a fresh voice phishing operation, or a malicious third-party OAuth integration remains unverified at the time of reporting.
What Organizations Should Do
- Audit all connected applications and OAuth grants in Salesforce, revoking any integration that is unused, unattributed, or over-scoped relative to its business purpose; check who authorized each grant and when it was last used, not just whether it exists.
- Enforce phishing-resistant MFA on every Salesforce login path, including administrative, API, and integration user accounts, and disable legacy authentication flows.
- Restrict who can pull data out of the tenant: limit the API Enabled permission to the profiles and permission sets that genuinely need it, enforce login IP ranges, and alert on Bulk API jobs and Data Loader sessions whose record counts exceed that user's normal baseline.
- Treat the leaked dataset as an active targeting list: warn employees and downstream financial institution customers to expect tailored phishing referencing Abrigo branding, product names, and known contacts.
- Hunt for ShinyHunters indicators across identity logs, including anomalous user agent strings, residential proxy IPs, and session reuse from unusual geographies on Salesforce, Okta, and similar identity providers.
- Review and rehearse a "do not pay" extortion response playbook with legal, communications, and regulators, since publication after refusal is now the predictable end state of these campaigns.
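The export-volume and session-reuse checks in the list above can be expressed as simple hunting logic over tenant event logs. The following is an added example, not Abrigo's tooling or a Salesforce product: it runs over constructed sample records whose column names are simplified stand-ins and are not the exact Salesforce EventLogFile schema. The thresholds, the sanctioned-client allowlist, and the sample IPs and user IDs are all assumptions chosen for illustration.

```python
"""Hunt for bulk CRM export and replayed-session patterns in Salesforce-style event logs.

Added example. The log below is constructed; column names are simplified and
are NOT the real EventLogFile schema. Thresholds and the client allowlist are
assumptions a team would tune to its own tenant.
"""
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample: a few days of one user's routine Data Loader exports,
# then a session from a scripted client that appears from two countries and
# pulls far more rows than that user ever has. Second user is benign noise.
SAMPLE_LOG = """\
timestamp,event_type,user_id,session_key,client_ip,country,user_agent,entity,rows
2026-04-01T09:00:00Z,BulkApi,005A1,S1,203.0.113.10,US,SalesforceDataLoader/60.0,Contact,1200
2026-04-02T09:05:00Z,BulkApi,005A1,S2,203.0.113.10,US,SalesforceDataLoader/60.0,Contact,1500
2026-04-03T09:02:00Z,BulkApi,005A1,S3,203.0.113.10,US,SalesforceDataLoader/60.0,Account,900
2026-04-08T02:11:00Z,Login,005A1,S9,198.51.100.7,US,python-requests/2.31,,0
2026-04-08T02:14:00Z,BulkApi,005A1,S9,198.51.100.7,US,python-requests/2.31,Contact,640000
2026-04-08T02:20:00Z,BulkApi,005A1,S9,192.0.2.44,NL,python-requests/2.31,Account,85000
2026-04-08T08:30:00Z,Login,005B2,S10,203.0.113.11,US,Mozilla/5.0 (Windows NT 10.0),,0
"""

# Hypothetical allowlist of client prefixes the org has sanctioned for API use.
KNOWN_CLIENTS = ("SalesforceDataLoader/", "Mozilla/")


def parse_events(text):
    """Parse the CSV log into dicts, coercing the row count to int."""
    events = list(csv.DictReader(io.StringIO(text)))
    for e in events:
        e["rows"] = int(e["rows"])
    return events


def flag_bulk_exports(events, factor=5, floor=10000):
    """Flag BulkApi jobs whose row count exceeds `factor` x the median of that
    user's prior exports. `floor` stops tiny baselines from firing on noise.
    Returns (timestamp, user_id, entity, rows) tuples in time order."""
    history = defaultdict(list)
    hits = []
    for e in sorted(events, key=lambda e: e["timestamp"]):
        if e["event_type"] != "BulkApi":
            continue
        prior = history[e["user_id"]]
        if prior and e["rows"] >= floor and e["rows"] > factor * median(prior):
            hits.append((e["timestamp"], e["user_id"], e["entity"], e["rows"]))
        prior.append(e["rows"])
    return hits


def flag_session_reuse(events):
    """Flag session keys seen from more than one (ip, country) pair: a stolen
    token replayed from a proxy or a second operator looks exactly like this."""
    seen = defaultdict(set)
    for e in events:
        seen[e["session_key"]].add((e["client_ip"], e["country"]))
    return {key: sorted(pairs) for key, pairs in seen.items() if len(pairs) > 1}


def flag_unknown_clients(events, allowlist=KNOWN_CLIENTS):
    """Flag (user, user_agent) pairs whose client is outside the allowlist."""
    return sorted({(e["user_id"], e["user_agent"]) for e in events
                   if not e["user_agent"].startswith(allowlist)})


def hunt(text=SAMPLE_LOG):
    """Run all three checks and return their findings together."""
    events = parse_events(text)
    return {
        "bulk_exports": flag_bulk_exports(events),
        "session_reuse": flag_session_reuse(events),
        "unknown_clients": flag_unknown_clients(events),
    }


if __name__ == "__main__":
    for check, findings in hunt().items():
        print(check, findings)
```

The three checks are deliberately independent so each can be tuned or dropped on its own; in practice the per-user baseline in `flag_bulk_exports` should be computed over a longer window than a handful of jobs, and the country field would come from GeoIP enrichment of the source address rather than from the log itself.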
Sources: Abrigo - 711,099 breached accounts - IT Security News