ShinyHunters Claims 9.4M Amtrak Records via Salesforce — 2.1M Accounts Confirmed on Have I Been Pwned

ShinyHunters claims 9.4 million Amtrak records via Salesforce; 2.1 million accounts are independently confirmed on Have I Been Pwned. Amtrak is the latest target in the group's coordinated 2026 campaign, which has hit ADT, Udemy, Medtronic, Vimeo, and Cisco.

ShinyHunters claimed 9.4 million Amtrak records via Salesforce — 2.1 million accounts are independently confirmed on Have I Been Pwned, exposing names, addresses, and customer support interaction records.

WASHINGTON, D.C. — ShinyHunters listed Amtrak on its dark web blog beginning April 12-13, 2026, claiming to have obtained 9.4 million records through Salesforce — the same access vector the group has used against ADT, Udemy, Medtronic, Vimeo, Cisco, Hallmark, and Rockstar Games in the same period. The appearance of a confirmed dataset on Have I Been Pwned — validated with 2.1 million unique email addresses — provides independent corroboration that at least some data was genuinely accessed.

Breach profile

Breach Intelligence: Amtrak / ShinyHunters Salesforce Campaign

Detail | Information
Victim | Amtrak (National Railroad Passenger Corporation) — America's primary intercity passenger rail service
Threat Actor | ShinyHunters — same group behind 2026 breaches at ADT, Udemy, Medtronic, Vimeo, Cisco, Hallmark, and Rockstar Games
Attack Vector | Salesforce compromise via social engineering against Salesforce employees — trusted API pivot to client environments
Claimed Records | 9.4 million records — PII and internal corporate data (unverified full claim)
Confirmed Records | 2.1 million unique accounts confirmed on Have I Been Pwned (April 17, 2026)
Data Confirmed | Names, email addresses, physical addresses, customer support interaction records
Amtrak Response | No public confirmation of full scope; breach independently verified via Have I Been Pwned listing

The ShinyHunters Salesforce campaign

Amtrak is the latest confirmed victim of a coordinated ShinyHunters operation that has used a consistent methodology throughout 2026: social engineering against Salesforce employees, then leveraging Salesforce's trusted integration architecture to reach client organizations' databases without directly targeting those organizations' perimeters. The campaign spans ADT (10M records claimed), Udemy (1.4M), Medtronic (9M), Vimeo (via Anodot), Cisco, Hallmark, and Rockstar Games. The Amtrak incident follows our earlier coverage of ShinyHunters breaching ADT via the same Salesforce vishing chain. All data breach coverage is tracked on The CyberSignal.

Why support records matter

Amtrak's customer database contains a category more operationally useful to attackers than standard PII: customer support interaction records. Support interactions document travel patterns, route preferences, and service history — providing behavioral intelligence that enables highly convincing targeted phishing. An attacker who knows your regular routes can craft fake service disruption notifications with your actual travel details. For a comprehensive understanding of how stolen data gets weaponized, see our explainer on data breaches: risks, response, and prevention.

What to do now

Change your Amtrak account password immediately and enable two-factor authentication if available. Be highly suspicious of any emails referencing past trips, routes, or customer service interactions — the support record exposure makes these attacks particularly convincing. Do not click links in emails referencing Amtrak services; navigate directly to amtrak.com. Check Have I Been Pwned at haveibeenpwned.com to verify whether your email address appears in the confirmed dataset.


The CyberSignal Analysis

Signal 01 — ShinyHunters has operationalized Salesforce as a master key

The consistency of ShinyHunters' methodology across ADT, Udemy, Medtronic, Vimeo, Amtrak, and others confirms that the group has operationalized access to Salesforce's vendor environment as a repeatable attack capability. This is supply chain thinking applied to criminal operations: maximum impact per unit of effort by targeting shared infrastructure rather than individual organizations.

Signal 02 — Customer support records are undervalued in breach assessments

Standard breach assessments focus on SSNs and financial account numbers. Support records contain verified, specific behavioral data that cannot be obtained from data brokers. For attackers crafting targeted social engineering campaigns, this specificity is worth more than a generic PII record. Security teams need to treat support interaction databases with the same sensitivity classification as financial records.

Signal 03 — Amtrak's silence is a risk to 2.1 million passengers

With a confirmed minimum of 2.1 million affected accounts on Have I Been Pwned and no public Amtrak confirmation, millions of passengers have no official indication their data has been compromised. Every day of institutional silence transfers the risk entirely to the individual passengers who trusted Amtrak with their travel data.


Type | Source
Verification | Have I Been Pwned: Amtrak Data Breach — 2.1M Accounts Confirmed
Reporting | Cybernews: ShinyHunters Claim 9.4M Amtrak Records via Salesforce
Reporting | Fox News: Amtrak Data Breach Linked to ShinyHunters Exposes 2.1M Accounts
Context | SC Media: Amtrak Allegedly Breached by ShinyHunters