ShinyHunters Claim Hallmark as Next Victim: 8M Salesforce Records Compromised


ShinyHuntersā€™ mass enterprise data breach effort continues, this time with US conglomerate Hallmark reportedly falling victim to one of the threat actorsā€™ ransom attacks.Ā 

This particular breach allegedly impacts Hallmark Cards and Hallmark Plus, two distinct arms of the company, and means that 7.9M Salesforce records containing PII and other internal corporate data have reportedly been compromised.

Details of the Breach

According to a recent ShinyHuntersā€™ post, just under 8M Salesforce records containing sensitive customer information and internal company data have been breached. Now, they are at risk of being leaked if Hallmark does not respond to the threat group.Ā 

ā€œThis is a final warning to reach out by 2 Apr 2026 before we leak along with several annoying (digital) problems thatā€™ll come your way,ā€ ShinyHunters wrote on their site. ā€œMake the right decision, donā€™t be the next headline.ā€

This is reminiscent of an update the group put out earlier this month, detailing that several hundred companies are set to release, with final warnings upon failure to comply. The same language was used, stressing these customers to ā€œdo the right thingā€ to avoid becoming the ā€œnext headlineā€.

READ MORE: ā€œPay Up or Become the Next Headlineā€: ShinyHunters Threaten Hacked Salesforce Customers

This time, the groupā€™s warning to Hallmark does not include traditional ransom payment instructions, with no ransom amount or payment demand detailed in the post. It is currently unclear why some customers are met with ransom payments while others are not.

Salesforce consistently stresses that its own software is not the issue in these campaigns, and that Salesforce ā€œremains secureā€.

ā€œAs a matter of policy, Salesforce does not comment on specific customer issues,ā€ a Salesforce spokesperson said. ā€œOur teams are proactively engaged to support customers in any way they need. We have no indication at this time that this issue was caused by any vulnerability in our platform.ā€

SF Ben has reached out to Hallmark for comment.

Security Reminders

With no sign of these breaches slowing down, this is a crucial time to ensure that org-wide security processes and protections are in place in your org, despite Salesforce assuring customers that this is not due to platform vulnerabilities.

This includes keeping the principle of least privilege in mind, considering cloud penetration testing, and keeping tabs on connected apps.

READ MORE: Why Salesforce Orgs Got Hacked So Much in 2025 ā€“ And How to Avoid This in 2026

Salesforce ISVs should also have received an email detailing a new set of security requirements to adhere to by April 13, including changes to OAuth and refresh token timeouts.

SummaryĀ 

Once again, this data breach should alarm businesses that are not 100% confident in their security procedures, as ShinyHunters and other threat actors have continually demonstrated their ability and willingness to attack companies of any size.Ā 

As Robert S. Mueller III, former Director of the FBI, famously said: ā€œThere are only two types of companies: those who have been hacked, and those who will be hackedā€, meaning that if someone is determined enough, they will get through.Ā 

However, this should not deter businesses from giving their customers the best fighting chance to protect their data, as it could mean the difference between being exposed in a small hack or a large-scale ShinyHunters attack.Ā 

READ MORE: Salesforce Data Theft Roundup: Everything You Need to Know

Leave a Reply

Your email address will not be published. Required fields are marked *