Breach brief BCD-TRAVEL-SHINYHU, published 2026-05-29

BCD Travel: ShinyHunters Alleged Salesforce and SharePoint Breach

The threat actor ShinyHunters has claimed responsibility for a major data exfiltration targeting BCD Travel in the Netherlands, one of the world's largest corporate travel management providers. According to claims circulating through cybersecurity monitoring channels, more than 700,000 Salesforce records and internal SharePoint data may have been compromised, with a pay-or-leak deadline reportedly set for 1 June 2026. The incident is part of a broader wave of European extortion activity that also includes a parallel claim by ChimeraZ involving 100,000 invoices tied to French real estate platforms Figaro Immobilier and Explorimmo.

What Happened

ShinyHunters surfaced the BCD Travel claim through cybercriminal channels alongside an ultimatum demanding payment by 1 June 2026 or the dataset will be released publicly. The actor alleges unauthorized access to BCD Travel's Salesforce and SharePoint environments in the Netherlands, indicating a deep infiltration rather than a surface-level intrusion. Whether negotiation is occurring privately remains unknown, but the structured ultimatum mirrors the group's well-documented extortion playbook used against numerous Salesforce-hosted enterprise tenants in recent months.

Running in parallel, a second actor identified as ChimeraZ has claimed the leak of 100,000 invoices from French real estate platforms Figaro Immobilier and Explorimmo. The close timing of these claims points either to coordinated activity inside the same threat ecosystem or to opportunistic escalation across vulnerable European corporate systems.

What Was Taken

The BCD Travel claim references more than 700,000 records exfiltrated from Salesforce, alongside internal SharePoint content. Corporate travel systems typically hold:

The ChimeraZ disclosure focuses on invoice data, which typically includes buyer identities, vendor relationships, tax identifiers, and financial transaction metadata. Even partial exposure of either dataset is sufficient to enable downstream fraud, identity reconstruction, and corporate espionage.

Why It Matters

Corporate travel platforms sit at the intersection of finance, logistics, and personal employee data, making them disproportionately valuable to extortion crews and intelligence-driven actors alike. Travel records reveal executive movements, meeting cadences, and supplier engagements that can be weaponized for targeted social engineering, business email compromise, and even physical surveillance of high-value individuals.

The reported scope of 700,000 records suggests the actor enumerated a substantial portion of BCD's tenant data rather than skimming a single object. For BCD's multinational client base, this would mean exposure radiates outward to every enterprise that routes travel through the platform. The simultaneous French real estate disclosure reinforces that European corporate tenants of SaaS platforms remain a sustained, high-priority target through mid-2026.

The Attack Technique

ShinyHunters has spent the past year operationalizing access to Salesforce tenants through social engineering of help desks, OAuth abuse, and credential reuse against connected applications. While the specific intrusion vector against BCD Travel has not been disclosed, the involvement of both Salesforce and SharePoint suggests either a federated identity compromise or the use of stolen session tokens that granted access to multiple SaaS surfaces from a single foothold.

The pattern of claiming a fixed pay-or-leak window, in this case 1 June 2026, is consistent with the group's data theft and extortion model rather than ransomware deployment. There is no indication of file encryption; the leverage is exposure alone.

What Organizations Should Do

  1. Audit Salesforce and SharePoint tenants for anomalous connected apps, OAuth grants, and high-volume API queries against accounts, contacts, and opportunities objects over the past 90 days.
  2. Enforce phishing-resistant MFA on all administrative and integration accounts, and remove legacy authentication paths that bypass conditional access.
  3. Harden help desk identity verification procedures against voice and chat-based social engineering, including out-of-band callbacks for password and MFA resets.
  4. Rotate API keys, refresh tokens, and service account credentials tied to Salesforce and Microsoft 365 integrations if unusual usage patterns are observed.
  5. Apply data loss prevention controls and download throttling on Salesforce reports and SharePoint document libraries containing identity, travel, or billing data.
  6. Brief executives and frequent travelers on heightened phishing, smishing, and impersonation risk tied to their itineraries, and pre-stage incident communications in case the BCD dataset is published after 1 June 2026.
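One way to carry out the audit in step 1 is to sum the rows each user pulled from the Account, Contact and Opportunity objects and flag both unusually large totals and API clients that are not on an allowlist. The script below is an added example written for this brief, not code from the original or from any vendor; the log lines are constructed, loosely modelled on Salesforce EventLogFile API rows, and the column names (USER_ID, ENTITY_NAME, ROWS_PROCESSED, CLIENT_NAME), the 50,000-row threshold and the client allowlist are all assumptions to adapt to the real export.

```python
"""Flag bulk enumeration of CRM objects from Salesforce-style API event logs.

Added example for this brief. The sample rows are constructed and only loosely
modelled on Salesforce EventLogFile 'API' events; the field names, the threshold
and the allowlist are assumptions, not values taken from any real tenant.
"""
import csv
import io
from collections import defaultdict

# Objects whose wholesale export is the most damaging (step 1 of the brief).
WATCHED_OBJECTS = {"Account", "Contact", "Opportunity"}

# Constructed sample: one user working normally through a known client, one
# integration user pulling entire objects through an unrecognised client.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,ENTITY_NAME,ROWS_PROCESSED,CLIENT_NAME
API,20260527120000.000,005A1,Contact,25,SalesforceMobile
API,20260527120500.000,005A1,Account,10,SalesforceMobile
API,20260527130000.000,005Z9,Contact,200000,DataLoaderPartner
API,20260527131500.000,005Z9,Account,180000,DataLoaderPartner
API,20260527133000.000,005Z9,Opportunity,150000,DataLoaderPartner
API,20260527140000.000,005Z9,Lead,300,DataLoaderPartner
"""


def parse_api_events(text):
    """Parse CSV text into dicts, keeping API events and coercing row counts."""
    events = []
    for rec in csv.DictReader(io.StringIO(text)):
        if rec["EVENT_TYPE"] != "API":
            continue
        rec["ROWS_PROCESSED"] = int(rec["ROWS_PROCESSED"] or 0)
        events.append(rec)
    return events


def rows_per_user_object(events):
    """Sum rows returned per (user, object) for the watched objects only."""
    totals = defaultdict(int)
    for e in events:
        if e["ENTITY_NAME"] in WATCHED_OBJECTS:
            totals[(e["USER_ID"], e["ENTITY_NAME"])] += e["ROWS_PROCESSED"]
    return dict(totals)


def flag_high_volume(events, threshold=50000):
    """Return sorted (user, object, rows) triples at or above the threshold.

    The threshold is an assumption; tune it to the tenant's normal report sizes.
    """
    return sorted(
        (user, obj, n)
        for (user, obj), n in rows_per_user_object(events).items()
        if n >= threshold
    )


def flag_unknown_clients(events, allowlist):
    """Return (user, client) pairs whose API client is not on the allowlist."""
    return {
        (e["USER_ID"], e["CLIENT_NAME"])
        for e in events
        if e["CLIENT_NAME"] not in allowlist
    }


if __name__ == "__main__":
    evts = parse_api_events(SAMPLE_LOG)
    for user, obj, n in flag_high_volume(evts):
        print(f"HIGH VOLUME    user={user} object={obj} rows={n}")
    # Allowlist is an assumption: replace with the tenant's approved clients.
    for user, client in sorted(flag_unknown_clients(evts, {"SalesforceMobile"})):
        print(f"UNKNOWN CLIENT user={user} client={client}")
```

Run against a real export, the two flags should be read together: a user who appears in both lists (a large pull through a client nobody recognises) is the case worth escalating first, and the same grouping logic carries over to ReportExport or Bulk API event types by widening the EVENT_TYPE filter.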

Source: Cyber Extortion Surge: ShinyHunters Alleged Data Leak Shakes BCD Travel and European Corporate Systems + Video (UNDERCODE NEWS)