ShinyHunters has published roughly 260,000 records belonging to US HVAC, refrigeration, and foodservice equipment distributor Baker Distributing Company on its dark web leak site. Cybernews researchers reviewed the dump and confirmed it spans Salesforce CRM exports and SharePoint repositories, exposing employees, clients, sales leads, and 302,000 IT support tickets. The publication suggests ransom negotiations broke down, and the gang has now released checksums and download references indicating the data is either live or imminently available.
What Happened
ShinyHunters listed Baker Distributing Company on its extortion site, alleging a large-scale compromise of internal business systems. The group is one of the most prolific data-theft extortion crews of the past year, and its public listings typically follow failed private negotiations with victims. According to Cybernews, the leak has now moved beyond a threat: a checksum and download reference were posted alongside the listing, signalling the dataset is staged for distribution or already circulating. Baker Distributing has not yet publicly responded; Cybernews has requested comment.
Baker Distributing operates across a broad industrial supply chain in the United States, serving contractors and commercial customers in HVAC, refrigeration, and foodservice equipment. A breach at a distributor of this scale carries downstream implications for thousands of business clients whose contact data and procurement relationships are now embedded in the leaked files.
What Was Taken
Cybernews researchers identified roughly 260,000 records drawn from two primary sources: SharePoint repositories, which account for most of the document material, and a structured Salesforce export.
The SharePoint material includes:
- Employee handbooks
- Internal policy templates
- Health insurance documentation
- Marketing strategy and campaign positioning documents
- E-commerce brochures and client-facing FAQ materials
The Salesforce export is more structured and operationally sensitive. It contains:
- Approximately 1,100 employee records (names, bakerdist.com emails, phone numbers, job roles, departments, account timestamps)
- Approximately 3,400 sales lead records with prospective client contact details and interaction notes
- A contact database of approximately 111,000 client records exposing names, emails, phone numbers, company affiliations, and physical addresses
- Approximately 302,000 IT support tickets containing timestamps, user identities, and detailed descriptions of reported technical issues
The IT ticket cache is particularly notable. Helpdesk descriptions often reveal application names, system architecture, internal hostnames, recurring error patterns, and authentication or VPN issues that map directly to follow-on intrusion paths.
Why It Matters
This incident fits the wider 2025 to 2026 pattern of ShinyHunters and affiliated actors targeting Salesforce tenants and adjacent SaaS environments rather than on-premises infrastructure. The blend of CRM data with SharePoint HR and policy content gives attackers a complete blueprint of the victim's workforce, vendor relationships, and internal procedures, which is precisely what makes downstream phishing and business email compromise so effective.
For Baker Distributing's clients, the exposure of 111,000 contacts plus 3,400 active sales leads creates a high-quality targeting list. The bakerdist.com employee directory provides a credible spoofing base, and the IT ticket trove offers attackers an internal vocabulary to impersonate genuine support workflows.
The Attack Technique
The article does not confirm the specific initial access vector. However, ShinyHunters' recent campaigns have heavily relied on OAuth token abuse, vishing operators into authorising malicious connected apps in Salesforce, and credential theft against SaaS admin accounts. The combined Salesforce and SharePoint footprint of the Baker Distributing leak is consistent with identity-layer compromise: a single set of federated or reused credentials, or a compromised connected app, can reach both ecosystems where SSO is in place. Defenders should treat the dual-platform scope as a strong signal of identity provider or SaaS integration abuse rather than endpoint malware.
What Organizations Should Do
- Audit every Salesforce connected app and OAuth grant. Revoke unused, unverified, or unfamiliar integrations and require admin approval for new connected apps.
- Enforce phishing-resistant MFA (FIDO2 or hardware-backed) for all Salesforce, SharePoint, and identity provider administrators, and remove SMS or push-only fallbacks for privileged users.
- Restrict Salesforce data export volumes through transaction security policies, alerting on bulk API queries, large report exports, and anomalous Data Loader activity.
- Treat helpdesk and IT ticketing systems as crown-jewel data. Limit retention, scrub credentials and hostnames from ticket bodies, and segregate access by role.
- Run targeted phishing and vishing simulations referencing Baker Distributing themes for downstream customers and partners, and brief frontline staff on impersonation risks tied to leaked sales lead lists.
- Hunt for indicators of session token theft and unusual OAuth refresh activity across the identity provider, and rotate API keys and integration secrets touching CRM data.
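As an added example of the bulk-export alerting and connected-app auditing recommended above (not code from the article, Cybernews, or Baker Distributing), the script below runs a per-user sliding-window row count over constructed, Salesforce-style export events and flags connected apps outside an assumed allowlist. The event field names, the allowlist, and every sample row are assumptions, not Salesforce's real Event Monitoring schema.

```python
"""Flag bulk CRM exports and unapproved connected apps in tenant event logs.
Added example, not from the article or Baker Distributing. The schema (ts, user,
type, rows, app) and all sample rows are constructed stand-ins for Salesforce
Event Monitoring records, not the product's real field names."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Connected apps the org has reviewed and approved (assumed allowlist).
APPROVED_APPS = {"Salesforce for Outlook", "Data Loader"}
# Event types that move CRM rows out of the tenant (assumed names).
EXPORT_TYPES = {"ReportExport", "BulkApi"}
WINDOW = timedelta(hours=1)      # sliding window per user
ROW_THRESHOLD = 50_000           # rows per window before alerting

# Constructed sample events, deliberately out of order.
SAMPLE_EVENTS = [
    {"ts": "2025-11-03T09:45:00", "user": "bob", "type": "BulkApi", "rows": 55_000, "app": "DataSyncHelper"},
    {"ts": "2025-11-03T09:00:00", "user": "alice", "type": "ReportExport", "rows": 800, "app": "Salesforce for Outlook"},
    {"ts": "2025-11-03T09:05:00", "user": "alice", "type": "Login", "rows": 0, "app": "Salesforce for Outlook"},
    {"ts": "2025-11-03T09:10:00", "user": "carol", "type": "BulkApi", "rows": 40_000, "app": "Data Loader"},
    {"ts": "2025-11-03T09:30:00", "user": "bob", "type": "BulkApi", "rows": 60_000, "app": "DataSyncHelper"},
    {"ts": "2025-11-03T11:20:00", "user": "carol", "type": "BulkApi", "rows": 40_000, "app": "Data Loader"},
]

def detect(events, approved=APPROVED_APPS, window=WINDOW, threshold=ROW_THRESHOLD):
    """Return (kind, user, detail) alerts: one per unknown app per user, and
    one per user whose exported rows inside `window` exceed `threshold`."""
    alerts, seen = [], set()
    recent = defaultdict(deque)   # user -> deque of (timestamp, rows) inside window
    total = defaultdict(int)      # user -> rows currently inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        ts = datetime.fromisoformat(ev["ts"])
        user, app = ev["user"], ev["app"]
        if app not in approved and ("app", user, app) not in seen:
            seen.add(("app", user, app))
            alerts.append(("unknown_app", user, app))
        if ev["type"] not in EXPORT_TYPES:   # logins etc. do not count toward volume
            continue
        q = recent[user]
        q.append((ts, ev["rows"]))
        total[user] += ev["rows"]
        while q and ts - q[0][0] > window:   # expire events that fell out of the window
            _, old_rows = q.popleft()
            total[user] -= old_rows
        if total[user] > threshold and ("bulk", user) not in seen:
            seen.add(("bulk", user))
            alerts.append(("bulk_export", user, total[user]))
    return alerts
```

With the sample data only bob trips both rules; carol's two 40,000-row jobs sit more than an hour apart, so the window check correctly stays quiet for her.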
Sources: ShinyHunters leak 260,000 Salesforce records in Baker Distributing attack | Cybernews