▣ Breach AMERIPRISE-FINANCI 2026-05-28

Ameriprise Financial: ShinyHunters 200GB Salesforce and SharePoint Leak

Ameriprise Financial has been confirmed as the latest victim in ShinyHunters' ongoing "pay or leak" extortion spree, with the threat actor publishing more than 200GB of compressed data after negotiations broke down. Breach notification service Have I Been Pwned (HIBP) added the incident on May 26, 2026, indexing 502,600 affected accounts, while Ameriprise's own regulatory disclosure puts the count of directly affected individuals at 47,876.

What Happened

The intrusion occurred on March 3, 2026, and was discovered by Ameriprise on March 18, according to the firm's regulatory filing. ShinyHunters claims to have exfiltrated data directly from Ameriprise's Salesforce environment and internal SharePoint infrastructure, then attempted to extort the financial services firm. When the company refused to pay, the group released the full dataset publicly. HIBP ingested the leak and confirmed 500,000 unique email addresses contained within the dump, prompting broad notifications to its subscribers.

What Was Taken

The leaked archive totals more than 200GB compressed and includes both customer records and internal staff contacts pulled from Ameriprise's broader operational systems. HIBP categorized the exposed data as:

The combination of financial transaction history with full identity and employer context represents a high-value intelligence package, well beyond a typical credential dump.

Why It Matters

Ameriprise is a major U.S. wealth management and financial advisory firm, meaning the exposed records likely include high-net-worth clients and the advisors who serve them. Financial transaction metadata paired with employer and job title fields gives adversaries a near-complete profile for targeted fraud, account takeover, and executive impersonation. The discrepancy between the 47,876 individuals named in the regulatory filing and the 502,600 accounts listed in HIBP also illustrates how breach scope reported to regulators frequently understates the operational blast radius once internal contacts and partner records are counted.

The Attack Technique

ShinyHunters' claimed access path, direct exfiltration from Salesforce and SharePoint, aligns with the group's broader 2026 campaign pattern of abusing SaaS-resident data stores rather than breaching on-premises perimeters. Recent ShinyHunters disclosures this month include intrusions at 7-Eleven (185,000 accounts), Woflow (448,000 accounts), and Vimeo (nearly 120,000 accounts), with similar tradecraft reported in each. The consistent targeting of Salesforce tenancies suggests credential theft, OAuth token abuse, or compromised connected apps as likely initial access vectors, followed by bulk API-driven export.

What Organizations Should Do

  1. Audit Salesforce connected apps and OAuth grants, revoking any unused or unsanctioned integrations and enforcing IP restrictions on API access.
  2. Enable and tune Salesforce Shield Event Monitoring or equivalent SaaS DLP to alert on anomalous bulk export and report-running activity.
  3. Enforce phishing-resistant MFA (FIDO2/WebAuthn) for all Salesforce, SharePoint, and Microsoft 365 administrative accounts, not just privileged tier-0.
  4. Implement conditional access policies that require managed-device posture for downloading SharePoint document libraries at scale.
  5. Hunt for ShinyHunters-associated indicators including suspicious data loader user agents, unusual ListView or Bulk API calls, and exfiltration to known anonymizing infrastructure.
  6. Notify and educate affected clients and staff about elevated risk of targeted financial-themed phishing, vishing, and identity-verification fraud following this leak.
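To make items 2 and 5 concrete, here is one way to baseline export volume per user and flag the kind of bulk pull described above. This is an added example, not code from Ameriprise, HIBP, or any vendor; the log rows are constructed, and the column names, event-type values and thresholds are assumptions to be mapped onto whatever your SaaS event monitoring actually exports.

```python
import csv
import io
from collections import defaultdict
from statistics import median

# Constructed sample rows (not real telemetry). Column names and event-type
# values are an assumed, simplified schema; map them to your own event source.
SAMPLE_LOG = """\
timestamp,user,event_type,rows,user_agent
2026-01-05T09:12:00Z,alice,Report,1200,browser
2026-01-06T10:03:00Z,alice,Report,900,browser
2026-01-07T11:40:00Z,alice,BulkApi,1500,browser
2026-01-08T02:17:00Z,alice,BulkApi,480000,bulk-client-x
2026-01-05T08:00:00Z,etl-svc,BulkApi,250000,etl-job
2026-01-06T08:00:00Z,etl-svc,BulkApi,260000,etl-job
2026-01-07T08:00:00Z,etl-svc,BulkApi,255000,etl-job
2026-01-08T08:00:00Z,etl-svc,BulkApi,270000,etl-job
"""
EXPORT_EVENTS = {"Report", "ReportExport", "BulkApi", "API"}

def find_bulk_export_anomalies(log_text, ratio=10.0, floor=50_000, min_history=3):
    """Flag user-days whose exported row total is at least `floor` and at least
    `ratio` times the median of that user's earlier days."""
    daily = defaultdict(lambda: defaultdict(int))    # user -> day -> rows
    agents = defaultdict(lambda: defaultdict(set))   # user -> day -> user agents
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_type"] not in EXPORT_EVENTS:
            continue
        day = row["timestamp"][:10]
        daily[row["user"]][day] += int(row["rows"])
        agents[row["user"]][day].add(row["user_agent"])
    alerts = []
    for user, days in daily.items():
        history, seen_agents = [], set()
        for day in sorted(days):
            total = days[day]
            # Only judge a day once the user has enough prior days to compare.
            if len(history) >= min_history:
                baseline = median(history)
                if total >= floor and total >= ratio * max(baseline, 1):
                    new = sorted(agents[user][day] - seen_agents)
                    alerts.append({"user": user, "day": day, "rows": total,
                                   "baseline": baseline, "new_agents": new})
            history.append(total)
            seen_agents |= agents[user][day]
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_export_anomalies(SAMPLE_LOG):
        print(alert)
```

The per-user baseline is what keeps the high-volume integration account quiet while the interactive user's sudden export, made from a client not previously seen for that user, is flagged.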

Sources: Ameriprise Financial Data Breach: ShinyHunters Leaks 200GB - TechNadu