Kemper Corporation, one of the largest insurance providers in the United States, has been added to the ShinyHunters dark web leak site after ransom negotiations reportedly collapsed. The threat actor claims to have dumped over 13 million records and at least 29 GB of data allegedly exfiltrated from the insurer's Salesforce environment. Cybernews was first to report the listing, which went live late on April 15th, 2026.

What Happened

ShinyHunters posted Kemper Corporation to its extortion blog in the late hours of April 15th after several days of public threats against the insurer. According to the group, the listing was triggered by Kemper's refusal to meet ransom demands during private negotiations. The Cybernews research team is actively reviewing the initial sample published alongside the listing to confirm authenticity. Kemper has not yet publicly commented on the alleged intrusion, and incident response efforts, if underway, have not been disclosed.

The listing is part of a much broader ShinyHunters campaign currently affecting hundreds of organizations worldwide, all tied to compromises of corporate Salesforce tenants.

What Was Taken

The threat actor claims to possess more than 13 million records totaling roughly 29 GB, pulled directly from Kemper's Salesforce instance. Based on prior victims in the same campaign, the exposed data likely includes:

Given Kemper's footprint (roughly $5 billion in annual revenue and approximately 10,000 employees), the exposed dataset likely spans both retail policyholders and commercial lines customers.

Why It Matters

Insurance carriers hold some of the richest personal and financial datasets of any industry, making them prime targets for identity theft, fraud, and downstream social engineering. A leak of this magnitude from a Fortune 500-tier insurer creates a long tail of risk: phishing lures targeting Kemper customers, account takeover attempts against related financial services, and secondary intrusions against business partners whose contact data lives inside the exposed CRM records.

It also validates that ShinyHunters' Salesforce campaign continues to produce high-impact victims months after the initial wave was disclosed, signaling that detection and response gaps in SaaS environments remain widespread.

The Attack Technique

Kemper's breach fits the established ShinyHunters Salesforce playbook observed throughout this campaign. The group uses voice phishing (vishing) and other social engineering techniques to trick employees, frequently help desk or sales operations staff, into surrendering Salesforce credentials or approving malicious connected apps. Once inside the tenant, the attackers abuse legitimate data export functionality, often via the Salesforce Data Loader or malicious OAuth-authorized applications, to pull large volumes of CRM records at speed.

The technique bypasses most endpoint controls because the activity originates inside a sanctioned SaaS platform and uses valid credentials, making detection dependent on SaaS-native monitoring.

What Organizations Should Do

  1. Enforce phishing-resistant MFA (FIDO2 or hardware tokens) on all Salesforce and federated identity accounts, especially for privileged and support personas.
  2. Audit all connected OAuth applications in Salesforce and revoke any that are unrecognized, unused, or overly permissioned.
  3. Restrict and monitor bulk data exports: alert on large Data Loader jobs, unusual API query volumes, and off-hours report downloads.
  4. Retrain help desk and sales operations staff on vishing scenarios, and require out-of-band verification for any credential or MFA reset request.
  5. Apply IP allowlisting and login hour restrictions to sensitive Salesforce profiles to reduce the window of credential abuse.
  6. Pre-stage customer notification, call center scripts, and credit monitoring vendor contracts so incident response timelines are not delayed by procurement.
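
A sketch of the monitoring in step 3, with the connected-app check from step 2, added here as an example and not taken from the source article or any vendor tooling. The column names are modelled on Salesforce Event Monitoring log exports and, like the allowlist, threshold, working hours and sample rows, are assumptions to adapt to your tenant.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample rows. Column names are modelled on Salesforce Event
# Monitoring log exports and are assumptions; map them to your real schema.
SAMPLE_LOG = """TIMESTAMP_DERIVED,EVENT_TYPE,USER_ID,ROWS_PROCESSED,CLIENT_NAME
2026-04-10T14:02:11Z,API,005A,1200,ApprovedIntegration
2026-04-10T14:40:09Z,API,005A,900,ApprovedIntegration
2026-04-11T02:05:43Z,BulkApi,005B,400000,UnknownLoaderApp
2026-04-11T02:31:17Z,BulkApi,005B,350000,UnknownLoaderApp
2026-04-11T03:12:50Z,ReportExport,005B,0,
2026-04-11T10:15:00Z,ReportExport,005C,0,
"""

APPROVED_CLIENTS = {"ApprovedIntegration"}  # hypothetical connected-app allowlist
ROW_THRESHOLD = 100_000                     # rows per user per hour, tune per tenant
BUSINESS_HOURS = range(7, 19)               # 07:00-18:59 UTC, assumed working window


def find_export_alerts(log_text):
    """Return sorted (user, rule, detail) tuples for suspicious export activity."""
    rows_per_hour = defaultdict(int)
    alerts = set()
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        user, etype = row["USER_ID"], row["EVENT_TYPE"]
        if etype in ("API", "BulkApi"):
            # Bucket by user and clock hour so many small pulls still add up.
            bucket = (user, ts.strftime("%Y-%m-%dT%H"))
            rows_per_hour[bucket] += int(row["ROWS_PROCESSED"] or 0)
            client = row["CLIENT_NAME"]
            if client and client not in APPROVED_CLIENTS:
                alerts.add((user, "unapproved_client", client))
        elif etype == "ReportExport" and ts.hour not in BUSINESS_HOURS:
            alerts.add((user, "off_hours_report_export", ts.isoformat()))
    for (user, hour), total in rows_per_hour.items():
        if total > ROW_THRESHOLD:
            alerts.add((user, "bulk_volume", f"{hour} rows={total}"))
    return sorted(alerts)


if __name__ == "__main__":
    for alert in find_export_alerts(SAMPLE_LOG):
        print(alert)
```

Because the activity uses valid credentials inside the sanctioned platform, rules like these have to run on the SaaS provider's own logs rather than on endpoint telemetry.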

Sources: Over 13M Kemper Corporation records leaked on the dark web, hackers claim