Hallmark Salesforce Breach Exposed 1.7 Million Customer Records
Hallmark disclosed a breach affecting about 1.7 million people after attackers allegedly accessed customer data stored in its Salesforce environment and then attempted to extort the company. After the ransom deadline expired, the stolen information was reportedly published online. The incident has been attributed to ShinyHunters, and the exposed records included email addresses tied to Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses, and customer support ticket data.
The breach has drawn attention because it mirrors other recent Salesforce-related compromises and raises fresh concerns about how organizations protect third-party hosted customer data. The stolen email addresses were added to Have I Been Pwned, which said 82% of them had already appeared in earlier breaches, indicating substantial overlap with previously exposed accounts while still expanding the pool of affected Hallmark customers.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
5 events from the most recent confirmed update back to the earliest known activity.
Hallmark disclosed breach affecting 1.7 million people
By April 2026, Hallmark had disclosed a data breach affecting roughly 1.7 million individuals following the compromise of its Salesforce environment. Public reporting highlighted the exposure of customer contact details and renewed scrutiny of Salesforce-related security incidents.
Have I Been Pwned added Hallmark breach data
Have I Been Pwned listed the Hallmark breach and added 1.7 million unique email addresses from the incident to its corpus. HIBP reported that 82% of those addresses had already appeared in previous breaches.
Stolen Hallmark data was published after extortion deadline passed
The attackers allegedly published the stolen Hallmark data on their website after the extortion deadline expired. Reporting attributed the incident to the ShinyHunters group and said about 1.7 million people were affected.
Attackers attempted to extort Hallmark over stolen data
After obtaining the data, the attackers allegedly issued an extortion or ransom demand to Hallmark. Hallmark reportedly did not meet the demand before the deadline expired.
Hallmark's Salesforce environment was breached
In March 2026, attackers reportedly compromised Hallmark's Salesforce environment and accessed customer data tied to Hallmark and the Hallmark+ streaming service. The exposed information reportedly included names, email addresses, phone numbers, physical addresses, and support tickets.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
4 references tracked. Mallory keeps watching after this page renders.
Hallmark data breach escalates as hackers leak and sell customer records| Cybernews
cybernews.com
Open sourceHallmark Data Breach Exposes 1.7 Million Customers - Cyberwarzone
cyberwarzone.com
Open sourceHave I Been Pwned: Hallmark Data Breach
haveibeenpwned.com
Open sourceSerial attackers threaten to spill Hallmark’s internal data | Cybernews
cybernews.com
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
McGraw Hill breach exposed 13.5 million accounts after Salesforce webpage misconfiguration
McGraw Hill confirmed that attackers accessed a limited set of internal data through a misconfigured Salesforce-hosted webpage, after the **ShinyHunters** extortion group claimed responsibility and threatened to publish stolen information unless a ransom was paid. The company said the incident was tied to a broader issue affecting multiple organizations using Salesforce-hosted environments and maintained that its Salesforce accounts, customer databases, courseware, internal systems, Social Security numbers, financial account information, and student data from its educational platforms were not impacted. After the extortion deadline passed, data tied to **13.5 million** McGraw Hill user accounts was reportedly leaked publicly, with **Have I Been Pwned** saying the dump contained more than **100GB** of files, including unique email addresses and some names, physical addresses, and phone numbers. The leak contradicted earlier company statements that the exposed data was limited and non-sensitive, while ShinyHunters separately claimed to hold **45 million** Salesforce records; McGraw Hill said it secured the affected webpages, brought in external cybersecurity experts, and is working with Salesforce to strengthen protections.
May 3, 2026
Klue OAuth Supply-Chain Breach Exposed Salesforce Data Across Multiple Customers
Attackers breached **Klue**, a market intelligence platform, by abusing a compromised legacy integration credential and planting malicious code that harvested customer OAuth tokens from Klue's integration infrastructure. The stolen tokens were then used to access connected **Salesforce** environments through the Klue Battlecards app and exfiltrate CRM data via Salesforce REST API queries, with reporting describing automated Python-based collection, burst querying, and use of endpoints such as `/services/data/v59.0/query/*`. Klue said it detected unauthorized activity on June 12, revoked affected credentials and tokens, removed the malicious code, disabled impacted integrations, engaged CrowdStrike, and notified law enforcement, while **Salesforce** separately disabled the Klue Battlecards connection and said the incident did not result from a vulnerability in the Salesforce platform itself. The breach has been linked by Huntress and other responders to the **Icarus** extortion group, which allegedly sent ransom emails and threatened to leak stolen data on its site. Publicly disclosed victims include Huntress, Recorded Future, Jamf, Tanium, HackerOne, OneTrust, Snyk, Sprout Social, Gong, Insurity, and others, with exposed information generally limited to business CRM records such as contacts, account data, quotes, sales communications, and contract-related details. Affected companies said there was no evidence that core products, internal infrastructure, passwords, payment card data, engineering systems, or customer security telemetry were compromised, but several warned that the stolen contact data could be used in follow-on phishing and social engineering campaigns.
Jun 23, 2026
ShinyHunters Extorts Charter and ZenBusiness After SaaS Account Breaches
Charter Communications confirmed a data breach after **ShinyHunters** threatened to leak allegedly stolen data, with the group claiming it accessed the company on April 1 through a voice-phishing attack that compromised an employee's Microsoft Entra account and opened a path into Charter's Salesforce environment. The attackers said they stole **40 million customer records**, including names, contact details, plan information, support ticket data, and some customer proprietary network information, while Charter said it notified authorities and, based on the data published, no sensitive personal information or CPNI was exfiltrated. The Charter incident follows a broader ShinyHunters extortion campaign targeting enterprise single sign-on accounts and connected SaaS platforms, especially **Salesforce**. In a separate case, the group claimed it stole several terabytes of data from **ZenBusiness** via platforms including Salesforce, Snowflake, and Mixpanel, and threatened to publish the data unless the company responded. Reporting also linked the campaign to claims involving Ameriprise Financial, Infinite Campus, Bumble, Hinge, Match, OkCupid, Mercer Advisors, Beacon Pointe Advisors, and attacks affecting Instructure's Canvas platform, underscoring a repeatable pattern of social engineering, SaaS data theft, and leak-site extortion.
May 30, 2026