The AI-driven merchant data platform Woflow has been confirmed as the latest victim of the ShinyHunters extortion crew, with Have I Been Pwned (HIBP) ingesting 447,600 compromised accounts on May 7, 2026. The leaked dataset, drawn from a March 2026 intrusion, exposes email addresses, names, phone numbers, and physical addresses tied not only to Woflow's direct customers but also to the downstream customers of merchants using the platform.

What Happened

ShinyHunters claimed Woflow on its dark web leak site in early March 2026, publishing tens of thousands of files totaling more than 2 TB of allegedly exfiltrated data. Woflow operates as a third-party SaaS provider serving high-profile merchant clients including Uber, DoorDash, and Walmart, meaning the breach blast radius extends well beyond Woflow's own user base. On May 7, 2026, HIBP loaded 447,600 unique accounts from the leak into its breach notification service, formalizing public exposure for affected individuals.

What Was Taken

HIBP confirmed the loaded dataset contains email addresses, names, phone numbers, and physical addresses for the 447,600 affected accounts. A proposed class action lawsuit filed on March 13, 2026 alleged a broader scope of compromise, claiming the underlying intrusion exposed full names, addresses, Social Security numbers, driver's license numbers, financial account information, and payment card details. The full 2 TB trove published by ShinyHunters likely contains material beyond what HIBP indexed, since HIBP is scoped to identity and credential records rather than corporate documents or merchant-side data.

Why It Matters

Woflow sits in a supply chain position that converts a single intrusion into an industry-wide data spill. Because the platform aggregates merchant and consumer data on behalf of major delivery and retail brands, downstream customers of Uber, DoorDash, and Walmart merchants are now exposed to phishing, smishing, and physical-address-driven social engineering without ever having interacted with Woflow directly. The combination of name, email, phone, and physical address is high-quality input for targeted fraud, account takeover pretexting, and package interception scams. The dismissed class action also signals that legal accountability for SaaS aggregators in this tier remains unsettled, even as breach volume grows.

The Attack Technique

Woflow has not publicly disclosed the initial access vector. The dismissed class action complaint speculated about email-borne ransomware and inadequate employee training, but those allegations were not substantiated and the suit was thrown out. ShinyHunters' recent campaign pattern, which has produced claimed breaches against Vimeo, Udemy, Rockstar Games, and Hallmark in the same window, has typically leaned on stolen OAuth tokens, exposed cloud storage, and credential reuse against SaaS tenants rather than ransomware deployment. Until Woflow issues a technical post-mortem, the entry point remains unconfirmed.

What Organizations Should Do

• Inventory third-party exposure to Woflow, including any merchant integrations that pass consumer PII through the platform, and notify affected end users where contractually required.
• Treat the 447,600 records as actively weaponized for phishing and smishing campaigns. Tune email and SMS gateways for lures referencing delivery, restaurant, and retail brands tied to Woflow customers.
• Monitor HIBP and dark web feeds for credential overlap between leaked Woflow emails and your own workforce or customer base, and force resets on any reused credentials.
• Audit SaaS supply chain contracts for breach notification SLAs, data minimization clauses, and right-to-audit provisions, especially for vendors aggregating merchant or consumer identity data.
• Harden against ShinyHunters' recurring playbook by enforcing phishing-resistant MFA on SaaS admin accounts, rotating long-lived API tokens, and restricting cloud storage egress.
• Brief fraud and customer support teams on heightened risk of address-based social engineering, including fake delivery disputes and physical package interception scams.

Sources: Woflow Data Breach: 447K Accounts Added to HIBP - TechNadu