Fluke Corporation, one of the largest US manufacturers of electronic test and measurement equipment, has been named as a victim on the extortion channels of the ShinyHunters group. According to claims posted July 1, 2026, the actor exfiltrated more than 21 million Salesforce records, a dataset exceeding 100GB that reportedly contains personally identifiable information. The listing states that Fluke declined to pay despite repeated offers, a signal that stolen data may be published or sold. The claims are unverified and Fluke has not issued a public statement at the time of writing.
What Happened
ShinyHunters, a data-extortion crew known for large-scale theft rather than traditional file-encrypting ransomware, added Fluke Corporation to its victim list on July 1, 2026. The group asserts it holds over 21 million records pulled from Fluke's Salesforce environment, totaling more than 100GB. The posting emphasizes that the actor extended "significant patience, multiple chances, and offers" before publicizing the breach, and that the company "failed to reach an agreement." That framing is consistent with ShinyHunters' standard playbook: quiet exfiltration, private extortion, then public naming to apply pressure. A dataset was referenced with SHA256 hash 6ee9bd06756efceb56e5c56fd4e8ab3a8006b9cb80e7c0b4405ed15b996c05fe, and the listing was updated July 2, 2026.
What Was Taken
The actor claims to have compromised over 21 million Salesforce records. The stated volume is 100GB or more, and the group indicates the trove includes "some PII." Salesforce environments typically hold customer relationship data such as contact names, business and personal email addresses, phone numbers, account histories, support cases, and commercial terms. For a test-and-measurement supplier serving industrial, laboratory, utility, and government customers, that record set can expose downstream client relationships and procurement details in addition to individual contact PII. The exact fields have not been independently confirmed.
Why It Matters
Fluke sits deep in the supply chain for calibration, electrical, and industrial diagnostics work, which makes its customer roster valuable to attackers well beyond the company itself. A CRM breach at this scale hands adversaries a curated map of buyers, contacts, and purchasing patterns that is ideal fuel for targeted phishing, business email compromise, and vendor-impersonation fraud against Fluke's clients. The incident also fits a broader 2025 to 2026 wave in which ShinyHunters and affiliated actors have systematically targeted Salesforce tenants, frequently through compromised OAuth tokens and connected third-party apps rather than by breaching a company's core network. When the extortion fails, as it reportedly has here, the data commonly surfaces on leak forums, extending the exposure window indefinitely.
The Attack Technique
The listing does not specify an initial access vector, and no intrusion method has been confirmed. However, the campaign pattern is instructive. ShinyHunters-linked Salesforce compromises during this period have repeatedly leveraged social engineering of support and sales staff, malicious or over-permissioned connected apps, stolen OAuth refresh tokens, and voice-phishing to trick employees into authorizing rogue data-loader tools. Once a valid session or API token is obtained, mass export of records is fast and often invisible to controls tuned only for network intrusions. Treat the Salesforce integration and identity layer as the likely pivot point rather than assuming a perimeter breach.
What Organizations Should Do
- Audit all Salesforce connected apps and OAuth grants, and revoke any tokens or integrations that are unrecognized, dormant, or over-permissioned.
- Enforce phishing-resistant multi-factor authentication on all Salesforce and identity-provider accounts, and require step-up verification for bulk data export operations.
- Enable and monitor Salesforce Event Monitoring and Shield for anomalous API usage, large record exports, and logins from unusual geographies or clients.
- Apply least-privilege access and IP restrictions so that only sanctioned services and users can run data-loader or reporting exports.
- Brief customer-facing staff and Fluke's downstream clients on the elevated risk of phishing and vendor-impersonation using stolen contact data, and pre-stage takedown and notification workflows.
- Watch leak forums and threat-intel feeds for the referenced dataset, and validate any claimed sample against the published SHA256 before acting on it.
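The export and connected-app monitoring recommended above can be sketched as a small detection pass. This is an added Python example, not code from the original article or from any vendor tooling: it flags unsanctioned client apps, unsanctioned source networks, and per-user daily export volume over a threshold. The CSV columns, app names, network range and threshold are constructed assumptions, not the Salesforce Event Monitoring schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample rows in a simplified schema (assumption: map the columns
# of your real event-log export onto these names before using this).
SAMPLE_LOG = """timestamp,user,client_app,source_ip,rows
2026-06-28T09:02:11Z,alice@example.com,SalesConsole,198.51.100.10,180
2026-06-28T09:40:53Z,bob@example.com,ReportingSync,198.51.100.22,4200
2026-06-28T23:14:05Z,carol@example.com,My Ticket Portal,203.0.113.77,250000
2026-06-28T23:19:40Z,carol@example.com,My Ticket Portal,203.0.113.77,410000
2026-06-29T10:15:00Z,bob@example.com,ReportingSync,198.51.100.22,3900
"""

SANCTIONED_APPS = {"SalesConsole", "ReportingSync"}        # hypothetical allowlist
SANCTIONED_NET = ipaddress.ip_network("198.51.100.0/24")   # hypothetical egress range
DAILY_ROW_LIMIT = 50_000                                   # hypothetical per-user baseline


def find_export_anomalies(log_text):
    """Return sorted (day, user, reason) findings for CSV text in the schema above."""
    daily_rows = defaultdict(int)
    findings = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        day = row["timestamp"][:10]          # aggregate per UTC calendar day
        user = row["user"]
        daily_rows[(day, user)] += int(row["rows"])
        if row["client_app"] not in SANCTIONED_APPS:
            findings.add((day, user, "unsanctioned app: " + row["client_app"]))
        if ipaddress.ip_address(row["source_ip"]) not in SANCTIONED_NET:
            findings.add((day, user, "unsanctioned source: " + row["source_ip"]))
    # Volume is checked on the daily total, so many small pulls still add up.
    for (day, user), total in daily_rows.items():
        if total > DAILY_ROW_LIMIT:
            findings.add((day, user, "bulk export: %d rows" % total))
    return sorted(findings)


if __name__ == "__main__":
    for finding in find_export_anomalies(SAMPLE_LOG):
        print(*finding, sep=" | ")
```

Tune the threshold to each user's or integration's observed baseline; a single global limit is only a starting point.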
Sources: Ransom! Fluke Corporation (JUL-2026)