ShinyHunters Breached Amtrak via Salesforce — 2.1M Passenger Records Confirmed in HIBP

Infostealer malware operates silently inside browser environments on infected endpoints, harvesting credentials stored by password autofill, active session cookies, and authentication tokens — without generating any user-visible activity. The most prolific infostealers targeting enterprise cloud credentials in 2026 — Lumma Stealer, Vidar, and Redline — specifically target Salesforce authentication artifacts, Microsoft 365 session tokens, and Okta cookies, which are packaged into credential logs and sold on dark web markets for $10–$50 per compromised machine.

In the Amtrak case, infostealer malware targeting at least one employee endpoint harvested Salesforce credentials that provided authenticated access to Amtrak's CRM environment. Once inside, ShinyHunters used automated scripts to enumerate and exfiltrate records — a technique consistent with MITRE ATT&CK T1530 (Data from Cloud Storage) and T1078 (Valid Accounts). Because the access originated from a legitimate authenticated session using real credentials, Amtrak's standard monitoring did not flag the activity as anomalous until after the exfiltration window had closed.

This same credential-to-cloud methodology has been documented across ShinyHunters' entire 2026 campaign. As detailed in our earlier breakdown of the [ShinyHunters McGraw Hill Salesforce breach](/blog/shinyhunters-mcgraw-hill-salesforce-breach-45-million), the group's technical approach is deliberately minimalist: they purchase harvested credentials that let them walk through the front door of cloud platforms as authenticated users. No vulnerability exploitation. No malware deployment on target infrastructure. Just a stolen password and an API query.

When ShinyHunters published the Amtrak dataset after the April 14 ransom deadline passed, security researchers reviewed the leaked material. Have I Been Pwned's Troy Hunt confirmed 2.1 million unique email addresses, with each record carrying the following data fields: full name, email address, street address, and customer support ticket content. The 9.4 million figure ShinyHunters cited reflects total records — including duplicates and multiple entries per individual — not unique affected persons.

Approximately 80% of the exposed email addresses were already present in prior breach compilations in HIBP, indicating that Amtrak passengers who reuse passwords across services face elevated credential stuffing risk from this dataset. The remaining 20% — roughly 420,000 email addresses — represent net-new exposure that did not exist in any prior breach database.

The customer support ticket content is the most operationally dangerous element of the dataset. Support tickets contain context that makes downstream spear-phishing attempts extraordinarily credible: trip dates and routes, complaint narratives, station references, and prior interactions with Amtrak staff. A threat actor with this data can craft phishing emails that reference a specific trip from New York Penn to Washington Union on a specific date, the seat assignment complaint the target filed, or the refund dispute they opened — making the communication indistinguishable from a legitimate Amtrak follow-up. This is not bulk credential stuffing territory. It is raw material for surgical social engineering at scale.

ShinyHunters — tracked as threat cluster UNC6661 and related sub-clusters by Google's Mandiant research team — has operationalised a repeatable, scalable attack factory in 2026. The group acquires infostealer-harvested credentials from dark web markets or conducts voice phishing (vishing) campaigns to steal SSO credentials in real time, then authenticates to cloud platforms, exfiltrates high-value datasets, demands ransom within 72–96 hours, and publishes to their dark web leak site on deadline expiry.

The confirmed 2026 victim list spans critical sectors. McGraw Hill: 13.5 million student and educator accounts leaked via Salesforce misconfiguration. Rockstar Games: 78.6 million records extracted through Anodot, a third-party cloud cost-monitoring SaaS integrated with Rockstar's Snowflake warehouse — covered in the [weekly roundup from April 17](/blog/forticlient-ems-cve-2026-35616-weekly-roundup). Alert360: 2.5 million records from the fifth-largest US home security provider, leaked after ransom talks failed. Hims & Hers: customer support ticket data via Zendesk compromise, breach notification sent April 2. European Commission: 350GB of documents. Wynn Resorts: 800,000 customer and employee records. The group has additionally threatened Crunchbase, Betterment, SoundCloud, and Ameriprise Financial.

Amtrak is the most significant victim from a critical infrastructure perspective. Unlike a gaming company or edtech platform, Amtrak is a government-chartered corporation providing essential national transportation infrastructure. The breach establishes that no sector — including federally connected entities — is outside ShinyHunters' operational scope in 2026.

Google's Mandiant team has published network indicators associated with ShinyHunters' UNC6661 threat cluster from the January–April 2026 campaign. These IOCs should be ingested into SIEM, EDR, and firewall platforms immediately. Particular attention should be paid to the ToogleBox Recall OAuth application indicator — ShinyHunters uses this legitimate-looking application to authorise deletion of MFA notification emails from victims' inboxes, preventing detection of new device enrolments.

ShinyHunters credential harvesting infrastructure follows a consistent domain pattern for vishing and phishing operations: `<companyname>sso.com`, `my<companyname>sso.com`, `<companyname>internal.com`, `<companyname>support.com`, and `<companyname>okta.com`. If your organisation discovers any domains following this pattern registered without your knowledge, treat it as an active targeting indicator.

Extortion contact channels documented in active campaigns: shinycorp@tutanota.com and shinygroup@onionmail.com. The group communicates ransom demands via these addresses and offers Tox IDs for direct negotiation. Do not engage with ransom demands without legal counsel.

ShinyHunters' attack methodology leaves detectable artifacts across identity provider logs, cloud audit trails, and email systems — if your monitoring is configured to capture the right events. The group's vishing-based MFA bypass is detectable at the Okta or Azure AD layer; the subsequent cloud exfiltration is detectable in Salesforce Event Monitoring and Google Workspace audit logs.

The highest-fidelity detection opportunity is the ToogleBox Recall OAuth authorization event. When ShinyHunters registers this application to a compromised Google account, a USER_RESOURCE_ACCESS event with App name 'ToogleBox Recall' and Gmail addons scope is written to Google Workspace audit logs. This event does not occur in normal user activity — any occurrence should trigger immediate account lockdown and investigation.

For Salesforce-specific detection, configure Salesforce Event Monitoring to alert on bulk API query volume exceeding a per-session threshold, login events from anonymized IP ranges (Mullvad, Oxylabs, NetNut, 9Proxy, Infatica, nsocks), and user agent strings associated with scripted access rather than legitimate browser-based Salesforce sessions.

The Amtrak breach and the broader ShinyHunters 2026 campaign make the remediation priorities clear: the attack surface is the identity layer, and the defensive priority is making stolen credentials useless. This requires both phishing-resistant MFA and continuous credential exposure monitoring — neither alone is sufficient.

For Amtrak passengers: check Have I Been Pwned immediately, change your Amtrak account password to a unique strong password, and monitor for spear-phishing emails referencing your travel history. Consider a fraud alert or credit freeze if you provided payment information through customer support. Report suspicious emails to Amtrak at security@amtrak.com.

For organisations running Salesforce, Okta, or Microsoft 365: the browser-based credential theft angle is addressed in detail in our earlier post on [malicious Chrome extensions harvesting OAuth2 tokens](/blog/malicious-chrome-extensions-oauth2-token-theft), which covers the complementary browser-layer attack vector ShinyHunters exploits alongside vishing campaigns.

The Amtrak data breach is a clarifying event for 2026 threat intelligence: ShinyHunters breached national rail infrastructure without exploiting a single software vulnerability. They needed one employee's Salesforce password — harvested by infostealer malware — and automated the rest. The 2.1 million confirmed emails in Have I Been Pwned are the verifiable floor of passenger exposure. If you have an Amtrak account, check HIBP now, change your password, and treat any email referencing your travel history as a potential spear-phish. For security teams: your Salesforce infostealer credential sweep is overdue. Run it today.