In April 2026, the financially motivated extortion group ShinyHunters claimed responsibility for a breach of Amtrak that exposed personal information belonging to more than 2.1 million customers. The leaked dataset, verified by Have I Been Pwned, contains email addresses, full names, physical addresses, and customer support interaction records. The compromise follows ShinyHunters' established pattern of targeting Salesforce tenants, demanding ransom, and publishing the data when payment is refused.

What Happened

ShinyHunters gained access to Amtrak's Salesforce environment and exfiltrated a customer database containing 2.1 million unique records. After an apparent ransom demand went unmet, the group followed through on its extortion threat and publicly released the dataset. Amtrak joins a growing list of major brands impacted by the ongoing ShinyHunters campaign against Salesforce customer instances, which has leveraged social engineering and OAuth token abuse against support and sales staff to pull bulk exports from connected CRM platforms.

What Was Taken

The published dump includes the categories of personally identifiable information named above: email addresses, full names, physical addresses, and customer support interaction records.

Payment card and financial data were not included in the leak, but the combination of name, email, and verified physical address is sufficient fuel for downstream fraud.

Why It Matters

Amtrak is a critical transportation provider, and its customer base spans commuters, business travelers, and government riders across the United States. The leak of verified home addresses tied to real identities raises the stakes well beyond ordinary phishing exposure. Threat actors can use this dataset to craft highly convincing lures impersonating Amtrak refunds, rebooking notices, or loyalty program communications. The incident also reinforces that SaaS platforms like Salesforce are now a preferred chokepoint for data theft extortion, since a single compromised tenant can yield millions of records with minimal footprint on the victim's own infrastructure.

The Attack Technique

ShinyHunters' recent campaign methodology centers on compromising Salesforce CRM instances rather than exploiting the target's perimeter directly. Typical tradecraft involves voice phishing (vishing) of help desk and sales personnel, tricking them into approving malicious connected apps or handing over OAuth tokens that authorize bulk data queries. Once inside, the actors run large-scale exports against standard Salesforce objects such as Contacts, Accounts, and Cases, then stage the data for extortion. This pattern closely mirrors the broader Salesforce tenant compromise wave that has impacted multiple Fortune 500 brands throughout 2025 and into 2026.

What Organizations Should Do

  1. Audit all connected apps and OAuth grants in Salesforce, revoking unused or unrecognized integrations and enforcing admin approval for new connections.
  2. Harden help desk and sales identity verification procedures to defeat vishing, including callback verification and manager approval for MFA resets or app installs.
  3. Enable Salesforce Shield or equivalent monitoring to detect anomalous bulk API queries, large report exports, and off-hours data access patterns.
  4. Restrict the Salesforce Data Loader and bulk API privileges to a narrow, audited set of service accounts with IP allowlisting.
  5. Rotate API credentials and session tokens tied to customer support tooling, and review session logs for suspicious geographies.
  6. Proactively notify affected customers and prepare anti-phishing messaging, since attackers will weaponize the leaked dataset for targeted impersonation of Amtrak communications.
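One way to implement the bulk-export monitoring in step 3, as an added example that is not from the source article or from Salesforce: a small Python detector run over constructed log rows modeled on Salesforce Event Monitoring BulkApi events. The column names, thresholds, user and app IDs are assumptions to adapt to your own EventLogFile exports; it also flags the multi-object (Contacts, Accounts, Cases) export pattern described under The Attack Technique.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample rows (not real log data). Column names follow the general shape
# of Salesforce EventLogFile "BulkApi" rows, but are an assumption; adjust to your schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_TYPE,OPERATION_TYPE,NUMBER_OF_RECORDS,CONNECTED_APP_ID
BulkApi,2026-04-02T14:05:11Z,005AAA,203.0.113.10,Account,query,1200,0H4INTEG
BulkApi,2026-04-02T14:20:42Z,005AAA,203.0.113.10,Contact,query,3000,0H4INTEG
BulkApi,2026-04-03T02:11:03Z,005BBB,198.51.100.7,Contact,query,900000,0H4UNKNOWN
BulkApi,2026-04-03T02:40:19Z,005BBB,198.51.100.7,Case,query,650000,0H4UNKNOWN
BulkApi,2026-04-03T03:02:55Z,005BBB,198.51.100.7,Account,query,500000,0H4UNKNOWN
"""

RECORD_THRESHOLD = 100_000   # total records per user in the window before alerting (assumed)
OFF_HOURS = (22, 6)          # UTC hours treated as off-hours: 22:00 up to 06:00 (assumed)
KNOWN_APPS = {"0H4INTEG"}    # connected app IDs approved by admins (placeholder values)

def is_off_hours(ts):
    # Timestamps are ISO 8601 with a trailing Z; normalise so fromisoformat accepts them.
    hour = datetime.fromisoformat(ts.replace("Z", "+00:00")).astimezone(timezone.utc).hour
    start, end = OFF_HOURS
    return hour >= start or hour < end

def detect_bulk_export_anomalies(log_text, threshold=RECORD_THRESHOLD, known_apps=KNOWN_APPS):
    """Aggregate BulkApi query jobs per user and return {user_id: [reasons]} for suspicious users."""
    stats = defaultdict(lambda: {"records": 0, "objects": set(), "off_hours": 0, "apps": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "BulkApi" or row["OPERATION_TYPE"] != "query":
            continue  # only bulk read jobs matter for exfiltration detection
        s = stats[row["USER_ID"]]
        s["records"] += int(row["NUMBER_OF_RECORDS"])
        s["objects"].add(row["ENTITY_TYPE"])
        s["off_hours"] += is_off_hours(row["TIMESTAMP_DERIVED"])
        if row["CONNECTED_APP_ID"] not in known_apps:
            s["apps"].add(row["CONNECTED_APP_ID"])
    alerts = {}
    for user, s in stats.items():
        reasons = []
        if s["records"] >= threshold:
            reasons.append(f"{s['records']} records exported")
        if len(s["objects"]) >= 3:   # Contacts + Accounts + Cases style sweep
            reasons.append(f"bulk export across {len(s['objects'])} objects")
        if s["off_hours"]:
            reasons.append(f"{s['off_hours']} off-hours bulk jobs")
        if s["apps"]:
            reasons.append("unapproved connected app " + ",".join(sorted(s["apps"])))
        if reasons:
            alerts[user] = reasons
    return alerts
```

Feed the function a real EventLogFile CSV body and route the returned reasons to your SIEM; a user tripping several reasons at once resembles the tenant-wide sweep described above far more than a scheduled integration does.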

Sources: Amtrak Breach: 2.1M Emails, Names & Addresses Exposed (2026)