ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records

Severity: HIGH
Published: April 16, 2026
Updated: April 17, 2026
Categories: Data Breach, Threat Actor, Supply Chain Attack

Impact Scope

People Affected: 9.4 million customer and employee records
Industries Affected: Transportation
Geographic Impact: United States (national)

Related Entities (initial)

Threat Actors: ShinyHunters
Organizations: Salesforce
Other: Amtrak (National Railroad Passenger Corporation)

Full Report (when first published)

Executive Summary

The prolific hacking group ShinyHunters has claimed a significant data breach against the National Railroad Passenger Corporation, widely known as Amtrak. In a post on a dark web forum, the group alleges it has exfiltrated 9.4 million records and has threatened to leak the data if a ransom is not paid. The attackers claim the initial access vector was Amtrak's Salesforce environment, which matches ShinyHunters' recent pattern of reaching corporate data through social engineering against the people and third-party services that hold access to it. At the time of first publication the claim had not been verified with data samples; ShinyHunters' track record of successful, high-profile breaches nonetheless lends it significant credibility.


Threat Overview

ShinyHunters, a group known for large-scale data breaches and for selling stolen data, has listed Amtrak as its latest victim. The group's claim specifies the theft of 9.4 million records, which purportedly include a mix of customer Personally Identifiable Information (PII) and internal company data. The group set a deadline of April 14, 2026, for ransom payment before releasing the data.

Attack Vector

The alleged point of entry is Amtrak's Salesforce instance. This is consistent with a broader ShinyHunters campaign against Salesforce customers, which has been linked to social engineering of the people who hold access to those environments, including employees of Salesforce and other service providers. Treat the exact path as unconfirmed: neither Amtrak nor Salesforce had acknowledged a vector at the time of writing, and in the publicly documented ShinyHunters-linked Salesforce intrusions of 2025 the victims' own staff were voice-phished into authorizing a malicious connected app, while a later wave abused OAuth tokens stolen from a third-party integration; neither required compromising Salesforce itself. The third-party risk is real in every variant: a major corporation's data can be taken through an identity or integration it trusts, without any attack on its own perimeter.

Technical Analysis

Based on the claims and ShinyHunters' known modus operandi, the attack likely followed these steps. The chain is inferred from the group's prior campaigns, not confirmed by Amtrak or Salesforce:

  1. Initial Access (T1566): A phishing or voice-phishing campaign against people with a path into the target's Salesforce environment, whether Salesforce or vendor employees (as the claim implies) or Amtrak's own users, to obtain credentials or an authorization for an attacker-controlled connected app.
  2. Valid Accounts (T1078.004): With the stolen credentials or granted OAuth access, the attackers authenticated to Amtrak's Salesforce environment as a legitimate principal and inherited whatever object and field permissions that account or app held.
  3. Collection and Exfiltration (T1530): Once inside, the attackers used built-in export paths such as the Bulk API and report exports to pull the 9.4 million records. Because these are sanctioned features, the pull leaves ordinary-looking API and export events rather than malware artifacts. T1213 (Data from Information Repositories) also applies and is arguably the closer ATT&CK fit for CRM data.

This TTP (Tactics, Techniques, and Procedures) bypasses many of the target's direct perimeter defenses by leveraging trusted access from a third-party vendor.

Impact Assessment

If the claim is accurate, the breach of 9.4 million records from a national transportation provider like Amtrak would have severe consequences:

  • Risk to Customers: The exposure of customer PII could lead to widespread identity theft, financial fraud, and highly targeted phishing campaigns.
  • Corporate Espionage: The theft of internal corporate data could expose sensitive business strategies, financial information, and employee data.
  • Reputational Damage: A breach of this magnitude would severely damage public trust in Amtrak's ability to protect customer data.
  • Regulatory Scrutiny: The incident would likely trigger investigations from federal and state regulators, potentially leading to significant fines.

IOCs

No Indicators of Compromise (IOCs) have been released at this time.

Detection & Response

Detecting this type of third-party compromise is challenging, because the activity arrives through sanctioned accounts and features. Organizations can still take steps:

  1. Cloud Service Auditing (D3-DAM: Domain Account Monitoring): Regularly audit access logs within major SaaS platforms like Salesforce. In Salesforce terms that means the Login, LoginAs, ReportExport and BulkApi event log types and the Setup Audit Trail. Look for logins from unexpected geographic locations, login-as or support-account access that does not line up with an open support ticket, newly authorized connected apps, and large or repeated data exports.
  2. Data Exfiltration Monitoring: Implement Data Loss Prevention (DLP) tools and alert on large or anomalous exports from cloud platforms, including several smaller exports that add up to a bulk pull.
  3. Third-Party Risk Management: Continuously assess the security posture of critical vendors and require transparency about their internal security controls and incident response procedures.
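The following hunt script is an added example and is not code from the original article, from Amtrak, or from Salesforce. It runs the three checks listed above (unexpected login geography, vendor login-as access with no approved ticket window, and large or chunked exports) over a handful of constructed Salesforce-style event log records. The column names, the ticket-window table, the thresholds and every record are assumptions made for the example; real EventLogFile exports carry different column sets, so map them before reusing the logic.

```python
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample records (not real Amtrak or Salesforce data).
# Columns are simplified stand-ins for Salesforce EventLogFile fields.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER,SOURCE_COUNTRY,DELEGATED_BY,ROWS
LoginAs,2026-04-09T13:10:00Z,support.vendor@example.org,US,bob@example.org,0
Login,2026-04-10T08:02:11Z,alice@example.org,US,,0
Login,2026-04-10T09:15:40Z,bob@example.org,US,,0
LoginAs,2026-04-11T03:41:02Z,support.vendor@example.org,DE,alice@example.org,0
BulkApi,2026-04-11T03:55:17Z,support.vendor@example.org,DE,,900000
BulkApi,2026-04-11T04:02:44Z,support.vendor@example.org,DE,,900000
BulkApi,2026-04-11T04:09:58Z,support.vendor@example.org,DE,,900000
ReportExport,2026-04-12T10:00:00Z,carol@example.org,US,,1200000
"""

# Illustrative tuning (assumed); derive real values from your own baseline.
EXPECTED_COUNTRIES = {"US"}
PER_EVENT_ROW_THRESHOLD = 1_000_000
PER_USER_DAILY_ROW_THRESHOLD = 2_000_000
EXPORT_EVENTS = {"BulkApi", "ReportExport"}

# Constructed: approved vendor-access windows pulled from the ticketing
# system, keyed by support account. Login-as outside a window is a finding.
TICKET_WINDOWS = {
    "support.vendor@example.org": [
        (datetime(2026, 4, 9, 12, 0, tzinfo=timezone.utc),
         datetime(2026, 4, 9, 16, 0, tzinfo=timezone.utc)),
    ],
}


@dataclass(frozen=True)
class Finding:
    rule: str
    user: str
    detail: str


def parse_log(text: str) -> list[dict]:
    """Parse the CSV export into dicts with typed TIMESTAMP and ROWS fields."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["TIMESTAMP"] = datetime.fromisoformat(row["TIMESTAMP"].replace("Z", "+00:00"))
        row["ROWS"] = int(row["ROWS"] or 0)
        records.append(row)
    return records


def in_ticket_window(user: str, ts: datetime) -> bool:
    """True when the support account has an approved window covering ts."""
    return any(start <= ts <= end for start, end in TICKET_WINDOWS.get(user, []))


def hunt(records: list[dict]) -> list[Finding]:
    """Apply the three detections and return one Finding per hit."""
    findings = []
    daily_rows = defaultdict(int)  # (user, date) -> rows exported that day
    for r in records:
        user, ts, etype = r["USER"], r["TIMESTAMP"], r["EVENT_TYPE"]
        # 1. Interactive access from a country outside the baseline.
        if etype in ("Login", "LoginAs") and r["SOURCE_COUNTRY"] not in EXPECTED_COUNTRIES:
            findings.append(Finding("unexpected-geo", user,
                                    f"{etype} from {r['SOURCE_COUNTRY']} at {ts.isoformat()}"))
        # 2. Vendor/support login-as with no matching approved ticket window.
        if etype == "LoginAs" and not in_ticket_window(user, ts):
            findings.append(Finding("vendor-access-no-ticket", user,
                                    f"login-as {r['DELEGATED_BY']} at {ts.isoformat()}"))
        # 3a. A single export large enough to be suspicious on its own.
        if etype in EXPORT_EVENTS:
            if r["ROWS"] >= PER_EVENT_ROW_THRESHOLD:
                findings.append(Finding("large-export", user,
                                        f"{etype} of {r['ROWS']} rows at {ts.isoformat()}"))
            daily_rows[(user, ts.date())] += r["ROWS"]
    # 3b. Chunked exports: several sub-threshold pulls that add up over a day.
    for (user, day), total in daily_rows.items():
        if total >= PER_USER_DAILY_ROW_THRESHOLD:
            findings.append(Finding("export-volume-day", user,
                                    f"{total} rows exported on {day}"))
    return findings


def summarize(findings: list[Finding]) -> dict:
    """Count findings per rule, handy for a quick triage view."""
    counts = defaultdict(int)
    for f in findings:
        counts[f.rule] += 1
    return dict(counts)


if __name__ == "__main__":
    for f in hunt(parse_log(SAMPLE_LOG)):
        print(f"[{f.rule}] {f.user}: {f.detail}")
```

On the constructed sample the first login-as is silent because it falls inside the approved window and comes from the expected country, while the second fires both the geography and the no-ticket rules. The three 900,000-row Bulk API pulls stay under the per-event threshold individually and are caught only by the per-user daily total, which is the case that a simple "alert on one big export" rule misses.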

Mitigation

  1. Enforce MFA on Third-Party Access: Mandate that any third-party or vendor access to your environment, including SaaS administration, requires MFA. This is a critical mitigating control, but it does not stop a user who is talked into authorizing a malicious connected app, so pair it with the next two items.
  2. Principle of Least Privilege for Vendors: Ensure that vendor accounts (like Salesforce support) have the minimum level of access necessary to perform their duties and that access is time-bound and logged. In Salesforce, limit which profiles are API-enabled, grant Login As only for a short approval window, and allow only admin-approved connected apps.
  3. Data Classification and Encryption (M1041): Classify sensitive data within SaaS platforms and apply additional encryption and access controls where possible, limiting the impact even if an administrative account is compromised.
  4. Contractual Obligations: Ensure that contracts with third-party vendors include strong security requirements, breach notification SLAs, and liability clauses.

Timeline of Events

  1. April 12, 2026: ShinyHunters posts its claim of breaching Amtrak on a dark web forum.
  2. April 14, 2026: The deadline set by ShinyHunters for ransom payment passes.
  3. April 16, 2026: This article was published.
  4. April 17, 2026: ShinyHunters publicly leaks over 2.1 million Amtrak customer records (see Article Updates).

Article Updates

April 17, 2026: Severity increased

On April 17, 2026, ShinyHunters publicly leaked over 2.1 million Amtrak customer records, confirming the previously threatened breach. The leaked dataset includes unique email addresses, names, and physical addresses, and has been ingested by services like Have I Been Pwned. This development escalates the incident from a claimed threat to a verified data exposure, significantly increasing the impact on affected individuals. The breach continues to be attributed to a compromised Salesforce environment, consistent with the group's recent tactics.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas of expertise: Threat Intelligence & Analysis; Security Orchestration (SOAR/XSOAR); Incident Response & Digital Forensics; Security Operations Center (SOC); SIEM & Security Analytics; Cyber Fusion & Threat Sharing; Security Automation & Integration; Managed Detection & Response (MDR)

Tags: Amtrak, Data Breach, Salesforce, ShinyHunters, Supply Chain Attack, Threat Actor
