Physical addresses data breaches

American Tower had data on over 216,000 employees, contractors, customers, and leads exposed after a ShinyHunters extortion campaign in June 2026.

CFGI, a financial consulting and advisory firm, had data on approximately 248,000 individuals exposed after the ShinyHunters group conducted an extortion campaign and subsequently published corporate contact information.

Berkadia, a commercial real estate finance company, had data from its Salesforce instance published by the ShinyHunters group in March 2026, exposing over 300,000 individuals' contact and employer information.

Mytheresa, a luxury fashion e-commerce platform, had data on approximately 84,000 customers exposed after the ShinyHunters extortion group published it following a failed ransom demand in April 2026.

Ameriprise Financial had data from approximately 500,000 accounts exposed after the ShinyHunters group exfiltrated over 200GB from its Salesforce and SharePoint systems and published it following failed extortion negotiations.

Colombian fintech company Addi suffered a breach in March 2026 affecting over 34 million accounts, exposing financial, identity, and credit-related personal data after the ShinyHunters group claimed responsibility and published the stolen data.

In May 2026, real estate services firm Cushman & Wakefield had data on approximately 310,000 accounts exposed after the ShinyHunters group carried out an extortion campaign and published stolen corporate contact records.

Aman, an ultra-luxury hotel brand, suffered a data breach in April 2026 when ShinyHunters obtained customer records from their Salesforce CRM and later leaked them publicly.

Udemy suffered a data breach affecting 1.4 million accounts, with customer and instructor information including email addresses, names, addresses, phone numbers, and payment methods exposed.

SUCCESS, a personal development media brand, suffered a data breach in March 2026 exposing approximately 253,510 accounts with names, email addresses, phone numbers, and other personal information.

Pitney Bowes suffered a data breach in April 2026 affecting approximately 8.2 million individuals, with ShinyHunters claiming responsibility and publicly releasing the stolen data.

McGraw Hill confirmed a data breach in April 2026 affecting 13.5 million accounts, exposing email addresses, names, phone numbers, and physical addresses due to a Salesforce misconfiguration.

Hallmark suffered a breach in March 2026 after attackers accessed data stored in Salesforce, exposing approximately 1.7 million customer records.

Aura disclosed a data breach in March 2026 affecting over 900,000 customer records, primarily from a marketing tool associated with a previously acquired company.

Amtrak suffered a data breach in April 2026 affecting over 2.1 million accounts, with the hacking group ShinyHunters claiming responsibility and later publishing the stolen data.

ADT confirmed a data breach affecting 5.5 million customers in April 2026, with ShinyHunters claiming responsibility and threatening to leak the data.