[{"data":1,"prerenderedAt":129},["ShallowReactive",2],{"article-slug-shinyhunters-hacking-group-claims-amtrak-breach-threatens-leak":3,"articles-index":-1},{"id":4,"slug":5,"headline":6,"title":7,"summary":8,"full_report":9,"twitter_post":10,"meta_description":11,"category":12,"severity":16,"entities":17,"cves":31,"sources":32,"events":61,"mitre_techniques":68,"mitre_mitigations":80,"d3fend_countermeasures":103,"iocs":104,"cyber_observables":105,"tags":117,"extract_datetime":118,"article_type":119,"impact_scope":120,"pub_date":127,"reading_time_minutes":128,"createdAt":118,"updatedAt":118},"af8f885b-5f2b-488c-900f-2c919b1d15fd","shinyhunters-hacking-group-claims-amtrak-breach-threatens-leak","ShinyHunters Claims Amtrak Breach, Threatens to Leak 9.4M Records","ShinyHunters Hacking Group Claims Breach of Amtrak, Threatens to Leak 9.4 Million Records","The notorious hacking group ShinyHunters has claimed responsibility for a major data breach at Amtrak, the U.S. national railroad operator. The group posted the claim on its dark web forum, alleging the theft of 9.4 million records containing both customer PII and internal corporate data. ShinyHunters asserts the breach was achieved by compromising Amtrak's Salesforce systems, consistent with the group's recent tactics of targeting third-party service employees.","## Executive Summary\nThe prolific hacking group **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** has claimed a significant data breach against the National Railroad Passenger Corporation, widely known as **[Amtrak](https://www.amtrak.com)**. In a post on a dark web forum, the group alleges it has exfiltrated 9.4 million records and has threatened to leak the data if a ransom is not paid. The attackers claim the initial access vector was **[Amtrak's](https://www.amtrak.com)** **[Salesforce](https://www.salesforce.com)** environment, which aligns with **[ShinyHunters'](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** recent pattern of targeting companies through social engineering attacks aimed at employees of third-party service providers. While the claim is not yet verified with data samples, **[ShinyHunters'](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** track record of successful, high-profile breaches lends it significant credibility.\n\n---\n\n## Threat Overview\n**[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)**, a group known for large-scale data breaches and selling stolen data, has listed **[Amtrak](https://www.amtrak.com)** as its latest victim. The group's claim specifies the theft of 9.4 million records, which purportedly include a mix of customer Personally Identifiable Information (PII) and internal company data. The group set a deadline of April 14, 2026, for ransom payment before they would release the data.\n\n### Attack Vector\nThe alleged point of entry is **[Amtrak's](https://www.amtrak.com)** **[Salesforce](https://www.salesforce.com)** instance. This is consistent with a broader campaign by **[ShinyHunters](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)**, which has been linked to social engineering attacks targeting **[Salesforce](https://www.salesforce.com)** employees to gain access to their customers' environments. This highlights a critical third-party risk, where the security of a major corporation can be undermined by compromising an employee at one of its vendors.\n\n## Technical Analysis\nBased on the claims and **[ShinyHunters'](https://malpedia.caad.fkie.fraunhofer.de/actor/shinyhunters)** known modus operandi, the attack likely followed these steps:\n1.  **Initial Access ([`T1566`](https://attack.mitre.org/techniques/T1566/)):** The attackers conducted a social engineering or phishing campaign targeting **[Salesforce](https://www.salesforce.com)** employees to steal their corporate credentials.\n2.  **Valid Accounts ([`T1078.004`](https://attack.mitre.org/techniques/T1078/004/)):** Using the stolen **[Salesforce](https://www.salesforce.com)** employee credentials, the attackers accessed the administrative backend of their customers' environments, including **[Amtrak's](https://www.amtrak.com)**.\n3.  **Collection & Exfiltration ([`T1530`](https://attack.mitre.org/techniques/T1530/)):** Once inside the **[Salesforce](https://www.salesforce.com)** environment, the attackers used built-in data export functionalities to exfiltrate the 9.4 million records.\n\nThis TTP (Tactics, Techniques, and Procedures) bypasses many of the target's direct perimeter defenses by leveraging trusted access from a third-party vendor.\n\n## Impact Assessment\nIf the claim is accurate, the breach of 9.4 million records from a national transportation provider like **[Amtrak](https://www.amtrak.com)** would have severe consequences:\n-   **Risk to Customers:** The exposure of customer PII could lead to widespread identity theft, financial fraud, and highly targeted phishing campaigns.\n-   **Corporate Espionage:** The theft of internal corporate data could expose sensitive business strategies, financial information, and employee data.\n-   **Reputational Damage:** A breach of this magnitude would severely damage public trust in **[Amtrak's](https://www.amtrak.com)** ability to protect customer data.\n-   **Regulatory Scrutiny:** The incident would likely trigger investigations from federal and state regulators, potentially leading to significant fines.\n\n## IOCs\nNo Indicators of Compromise (IOCs) have been released at this time.\n\n## Detection & Response\nDetecting this type of third-party compromise is challenging. However, organizations can take steps:\n1.  **Cloud Service Auditing (D3-DAM: Domain Account Monitoring):** Regularly audit access logs within major SaaS platforms like **[Salesforce](https://www.salesforce.com)**. Look for anomalous activity, such as logins from unexpected geographic locations, access by support accounts outside of a support ticket context, or large data exports.\n2.  **Data Exfiltration Monitoring:** Implement Data Loss Prevention (DLP) tools and monitor for large, anomalous data exports from cloud platforms.\n3.  **Third-Party Risk Management:** Continuously assess the security posture of critical vendors and demand transparency regarding their internal security controls and incident response procedures.\n\n## Mitigation\n1.  **Enforce MFA on Third-Party Access:** Mandate that any third-party or vendor access to your environment, including SaaS administration, requires **[MFA](https://www.cisa.gov/mfa)**. This is a critical mitigating control.\n2.  **Principle of Least Privilege for Vendors:** Ensure that vendor accounts (like **[Salesforce](https://www.salesforce.com)** support) have the minimum level of access necessary to perform their duties and that access is time-bound and logged.\n3.  **Data Classification and Encryption (M1041):** Classify sensitive data within SaaS platforms and apply additional encryption and access controls where possible, limiting the impact even if an administrative account is compromised.\n4.  **Contractual Obligations:** Ensure that contracts with third-party vendors include strong security requirements, breach notification SLAs, and liability clauses.","Hacking group ShinyHunters claims a massive breach of Amtrak, threatening to leak 9.4M records. 🚂 The group alleges access was gained via Amtrak's Salesforce systems, highlighting major third-party risk. #DataBreach #ShinyHunters #Amtrak","The hacking group ShinyHunters has claimed a breach of Amtrak, alleging the theft of 9.4 million records via the company's Salesforce systems and threatening to leak the data.",[13,14,15],"Data Breach","Threat Actor","Supply Chain Attack","high",[18,21,25,29],{"name":19,"type":20},"ShinyHunters","threat_actor",{"name":22,"type":23,"url":24},"Amtrak","company","https://www.amtrak.com/",{"name":26,"type":27,"url":28},"Salesforce","vendor","https://www.salesforce.com/",{"name":30,"type":23},"National Railroad Passenger Corporation",[],[33,39,45,50,55],{"url":34,"title":35,"date":36,"friendly_name":37,"website":38},"https://www.scmagazine.com/brief/amtrak-allegedly-breached-by-shinyhunters-massive-data-leak-threatened","Amtrak allegedly breached by ShinyHunters, massive data leak threatened","2026-04-15","SC Magazine","scmagazine.com",{"url":40,"title":41,"date":42,"friendly_name":43,"website":44},"https://cybernews.com/news/amtrak-data-leak-shinyhunters/","Hackers threaten to leak over 9M Amtrak records, including personal info","2026-04-14","Cybernews","cybernews.com",{"url":46,"title":47,"date":36,"friendly_name":48,"website":49},"https://www.teiss.co.uk/shinyhunters-amtrak-cyber-attack/","Amtrak named in alleged ShinyHunters cyberattack involving 9.4 million records","TEISS","teiss.co.uk",{"url":51,"title":52,"date":53,"website":54},"https://www.dexpose.io/blog/shinyhunters-breach-national-railroad-passenger-corporation/","ShinyHunters Breach National Railroad Passenger Corporation","2026-04-12","dexpose.io",{"url":56,"title":57,"date":58,"friendly_name":59,"website":60},"https://www.cyberdaily.au/security/10708-wasted-gta-developer-rockstar-games-confirms-hack-as-shinyhunters-demands-pay-or-leak","WASTED! GTA developer Rockstar Games confirms hack as ShinyHunters demands 'pay or leak'","2026-04-13","CyberDaily","cyberdaily.au",[62,65],{"datetime":63,"summary":64},"2026-04-12T00:00:00Z","ShinyHunters posts its claim of breaching Amtrak on a dark web forum.",{"datetime":66,"summary":67},"2026-04-14T00:00:00Z","The deadline set by ShinyHunters for ransom payment passes.",[69,73,76],{"id":70,"name":71,"tactic":72},"T1078.004","Cloud Accounts","Initial Access",{"id":74,"name":75,"tactic":72},"T1566","Phishing",{"id":77,"name":78,"tactic":79},"T1530","Data from Cloud Storage Object","Collection",[81,90,99],{"id":82,"name":83,"d3fend_techniques":84,"description":88,"domain":89},"M1032","Multi-factor Authentication",[85],{"id":86,"name":83,"url":87},"D3-MFA","https://d3fend.mitre.org/technique/d3f:Multi-factorAuthentication","Enforcing MFA for all accounts, especially privileged third-party support accounts, is the most effective defense against this type of compromise.","enterprise",{"id":91,"name":92,"d3fend_techniques":93,"description":98,"domain":89},"M1047","Audit",[94],{"id":95,"name":96,"url":97},"D3-DAM","Domain Account Monitoring","https://d3fend.mitre.org/technique/d3f:DomainAccountMonitoring","Continuously auditing SaaS access logs for anomalous behavior, such as large data exports or unusual login patterns, can help detect a compromised third-party account.",{"id":100,"name":101,"description":102,"domain":89},"M1026","Privileged Account Management","Applying principles of least privilege to vendor accounts, ensuring they only have the access they need, for the time they need it, can limit the 'blast radius' of a compromise.",[],[],[106,111],{"type":107,"value":108,"description":109,"context":110,"confidence":16},"log_source","Salesforce Event Monitoring Logs","Organizations should monitor Salesforce logs for large data exports (ApiEvent), logins from unusual IPs (LoginEvent), or access by support accounts that don't correlate with a support ticket.","SIEM, Cloud Access Security Broker (CASB).",{"type":112,"value":113,"description":114,"context":115,"confidence":116},"user_account_pattern","support@salesforce.com","Monitor for activity from vendor support accounts. While often legitimate, their compromise is a key vector. Activity should be correlated with official support requests.","SaaS security posture management (SSPM) tools.","medium",[19,13,22,26,15,14],"2026-04-16T15:00:00.000Z","NewsArticle",{"geographic_scope":121,"countries_affected":122,"industries_affected":124,"people_affected_estimate":126},"national",[123],"United States",[125],"Transportation","9.4 million customer and employee records","2026-04-16",4,1776358282319]