Full Report
In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M unique email addresses along with names, physical addresses and customer support records.
Analysis Summary
# Incident Report: ShinyHunters Compromise of Amtrak Salesforce Instance
## Executive Summary
In April 2026, the threat actor group "ShinyHunters" claimed responsibility for a data breach involving Amtrak, likely targeting the organization's Salesforce environment. The incident resulted in the exfiltration and subsequent public leak of data belonging to over 2 million customers after ransom demands were presumably not met. The compromised information included PII such as names, physical addresses, and customer support records.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** Amtrak
- **Sector:** Transportation / Rail
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Likely compromise of cloud-based CRM (Salesforce) credentials or misconfiguration.
- **Details:** ShinyHunters specifically targets Salesforce instances to extract customer data.
### Lateral Movement
- **Details:** Information restricted to the compromise of the Salesforce instance; no further lateral movement into internal Amtrak legacy networks was reported in the source text.
### Data Exfiltration/Impact
- **Details:** Attackers successfully exfiltrated a database containing over 2.1 million unique records. After a failed ransom negotiation period, the data was published on public leak forums.
### Detection & Response
- **How it was discovered:** Threat actor public claims and subsequent data dumping.
- **Response actions taken:** Data was indexed by "Have I Been Pwned" on April 17, 2026, to notify victims.
## Attack Methodology
- **Initial Access:** Sophisticated targeting of Salesforce instances (likely through credential stuffing or session hijacking).
- **Persistence:** Not specified, though typically involves maintaining access to cloud API keys.
- **Privilege Escalation:** Exploitation of administrative permissions within the Salesforce environment.
- **Defense Evasion:** Use of legitimate cloud management interfaces to blend with normal traffic.
- **Credential Access:** Likely obtained through prior third-party leaks or phishing.
- **Discovery:** Cloud resource enumeration.
- **Lateral Movement:** N/A (Cloud-tenant specific).
- **Collection:** Bulk export of customer support records and user tables.
- **Exfiltration:** Direct export from cloud storage/SaaS platform.
- **Impact:** Data ransom and public disclosure (Extortion).
## Impact Assessment
- **Financial:** Potential regulatory fines (CCPA/GDPR) and costs associated with victim notification and credit monitoring.
- **Data Breach:** Over 2.1 million unique email addresses, names, physical addresses, and customer support tickets.
- **Operational:** Minimal disruption to physical rail operations; high impact on customer support and legal departments.
- **Reputational:** Significant loss of customer trust regarding the handling of sensitive travel and support data.
## Indicators of Compromise
- **Network indicators:** Activity originating from known VPNs or TOR exit nodes associated with ShinyHunters (specific IPs not provided in source).
- **File indicators:** `amtrak_customers.sql` or similar database dump files localized on leak forums.
- **Behavioral indicators:** Unusual bulk data export activity from Salesforce administrative accounts outside of standard maintenance windows.
## Response Actions
- **Containment measures:** Salesforce account audits and credential resets.
- **Eradication steps:** Revocation of compromised API tokens and OAuth permissions.
- **Recovery actions:** Coordination with "Have I Been Pwned" for victim notification.
## Lessons Learned
- **Key takeaways:** SaaS and Cloud-based CRM platforms are high-value targets that require the same level of security scrutiny as on-premise infrastructure.
- **What could have been done better:** Implementation of stricter IP-based access controls for Salesforce and mandatory Multi-Factor Authentication (MFA) for all administrative users.
## Recommendations
- **MFA Implementation:** Enforce hardware-backed MFA for all cloud service providers.
- **Cloud Auditing:** Enable and monitor Salesforce Shield or similar event monitoring tools to detect bulk data exports.
- **Zero Trust:** Implement "Least Privilege" access, ensuring customer support staff only see the data necessary for their specific tickets rather than the full database.
- **Data Minimization:** Regularly purge old customer support records that are no longer required for business operations.