The Canada Life Assurance Company, one of Canada's largest insurers, has been named on ShinyHunters' extortion portal following a claimed intrusion that exposed more than 5.6 million Salesforce records containing personally identifiable information. The listing, discovered on 19 April 2026, gives the insurer a hard deadline of 21 April 2026 to pay or face a full data leak alongside threatened "digital problems."
What Happened
ShinyHunters added canadalife.com to its leak site with a "FINAL WARNING: PAY OR LEAK" status, indicating negotiations have either failed or never begun in earnest. The threat group claims initial access on 18 April 2026, with the incident surfacing publicly less than 24 hours later. The posting cites a Salesforce environment as the compromised asset, aligning with a broader ShinyHunters campaign targeting Salesforce tenants across financial services, retail, and hospitality verticals throughout 2025 and 2026.
What Was Taken
According to the threat actor's own claims, the stolen dataset contains over 5.6 million records pulled from the insurer's Salesforce instance. Given Canada Life's product footprint spanning life insurance, disability, group benefits, wealth management, and annuities, the compromised PII likely includes customer names, contact details, dates of birth, policy identifiers, beneficiary information, and potentially health or financial attributes tied to underwriting and claims workflows. For an insurance customer base, even the metadata carries sensitivity that enables long-tail fraud.
Why It Matters
Canada Life serves millions of Canadians and group-plan members across North America and the United Kingdom. A confirmed breach of this scale would rank among the most significant Canadian financial-sector incidents on record and trigger mandatory reporting under PIPEDA and OSFI's B-13 technology and cyber risk guideline. Beyond regulatory exposure, insurance records are uniquely dangerous in criminal hands: they combine identity, health, and financial data that fuels synthetic identity fraud, policy hijacking, and targeted social engineering against beneficiaries.
The Attack Technique
ShinyHunters' 2025 and 2026 operations against Salesforce tenants have consistently leveraged OAuth abuse and voice-phishing of help-desk and sales operations staff to convince targets to approve malicious connected apps or reset MFA on privileged Salesforce accounts. Once inside, the group uses the Salesforce Data Loader or Bulk API to exfiltrate entire objects at scale before pivoting to extortion. While Canada Life has not confirmed the intrusion vector, the Salesforce-specific framing of this listing is consistent with that established tradecraft.
What Organizations Should Do
- Audit all Salesforce connected apps and revoke any OAuth tokens not tied to an approved, inventoried integration.
- Enforce phishing-resistant MFA (FIDO2 or certificate-based) on all Salesforce administrator and integration-user accounts, and block legacy SMS or TOTP fallbacks.
- Restrict Data Loader, Bulk API, and Report Export permissions to a narrow, named set of service accounts with IP allowlisting and session-timeout policies.
- Train help-desk and sales-operations staff specifically on voice-based social engineering pretexts used to reset MFA or approve connected apps.
- Deploy Salesforce Shield Event Monitoring and forward logs to your SIEM with alerts on anomalous bulk exports, new connected-app approvals, and off-hours admin activity.
- Rehearse a SaaS breach response playbook that covers customer notification, regulator engagement (OPC, OSFI), and credential rotation across all federated services.
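The SIEM alerting item above, sketched as an added example that is not from the original article or from Salesforce: it flags unapproved connected-app authorizations, exports from outside an IP allowlist, cumulative bulk-export volume per user, and off-hours admin activity. The event schema, app names, thresholds, and IP ranges are assumptions; map them to whatever your SIEM produces from Event Monitoring logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed policy values (placeholders): tune to your own tenant.
APPROVED_APPS = {"ERP Sync"}                       # inventoried integrations
EXPORT_ALLOWLIST = [ip_network("203.0.113.0/24")]  # egress range of named service accounts
BULK_ROW_LIMIT = 100_000                           # rows per user per window
WINDOW = timedelta(hours=1)
BUSINESS_HOURS = range(7, 19)                      # 07:00-18:59, log-local time

# Constructed sample events in a hypothetical normalized schema
# (not Salesforce's raw Event Monitoring field names).
SAMPLE_EVENTS = [
    {"time": "2026-04-18T09:00:00", "type": "connected_app_authorized", "user": "svc_etl", "app": "ERP Sync"},
    {"time": "2026-04-18T10:05:00", "type": "connected_app_authorized", "user": "jdoe", "app": "Unlisted Export Tool"},
    {"time": "2026-04-18T10:20:00", "type": "bulk_api", "user": "jdoe", "ip": "198.51.100.7", "rows": 60000},
    {"time": "2026-04-18T10:50:00", "type": "bulk_api", "user": "jdoe", "ip": "198.51.100.7", "rows": 70000},
    {"time": "2026-04-18T11:00:00", "type": "report_export", "user": "svc_etl", "ip": "203.0.113.10", "rows": 5000},
    {"time": "2026-04-18T23:30:00", "type": "admin_action", "user": "admin1"},
]

def detect(events):
    """Return (rule, user, detail) alerts for the conditions named in the list above."""
    alerts = []
    recent = defaultdict(list)  # user -> [(timestamp, rows)] within WINDOW
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        kind, user = ev["type"], ev["user"]
        if kind == "connected_app_authorized":
            if ev["app"] not in APPROVED_APPS:
                alerts.append(("unapproved_app", user, ev["app"]))
        elif kind in ("bulk_api", "report_export"):
            # Exports should only originate from allowlisted service-account ranges.
            if not any(ip_address(ev["ip"]) in net for net in EXPORT_ALLOWLIST):
                alerts.append(("export_outside_allowlist", user, ev["ip"]))
            # Sliding window catches several mid-sized jobs that add up to a full object pull.
            recent[user] = [(ts, n) for ts, n in recent[user] if t - ts <= WINDOW]
            recent[user].append((t, ev["rows"]))
            total = sum(n for _, n in recent[user])
            if total > BULK_ROW_LIMIT:
                alerts.append(("bulk_export_volume", user, total))
        elif kind == "admin_action" and t.hour not in BUSINESS_HOURS:
            alerts.append(("off_hours_admin", user, ev["time"]))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Neither of the two constructed export jobs crosses the row limit alone; the volume alert fires only on their one-hour sum, which is why the rule tracks a window rather than single events.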
Sources: Ransomware Group shinyhunters Hits: The Canada Life Assurance Company (canadalife.com)