Ameriprise Financial had data from approximately 500,000 accounts exposed after the ShinyHunters group exfiltrated over 200GB from its Salesforce and SharePoint systems and published it following failed extortion negotiations.
What happened
According to HIBP and reporting by Cybernews, in March 2026 the threat actor group ShinyHunters targeted Ameriprise Financial in a "pay or leak" extortion campaign. The group claimed to have exfiltrated more than 200GB of compressed data from Ameriprise's Salesforce environment and internal SharePoint infrastructure. After negotiations reportedly failed, the group published the stolen data.
Ameriprise disclosed the incident to state attorneys general, reporting 47,876 directly affected individuals. The broader dataset contains approximately 500,000 unique email addresses, which HIBP notes includes contacts from Ameriprise's wider operational systems and internal staff.
What was exposed
According to HIBP, the published data included names, email addresses, phone numbers, physical addresses, employer information, job titles, and financial transaction data.
Who is affected
Ameriprise reported 47,876 affected people in its state attorney general disclosure. The larger pool of roughly 500,000 email addresses represents a mix of clients and internal staff whose contact details were stored in Ameriprise's operational systems.
What to do now
Ameriprise has advised that it implemented heightened account monitoring and enhanced identity verification procedures, according to its state AG disclosure. Affected individuals should monitor their financial accounts closely for unauthorized activity. Because financial transaction data was exposed, consider placing a fraud alert or credit freeze with the major credit bureaus. Be alert to phishing attempts that may use your name, employer, or other personal details to appear legitimate.