Amtrak Data Breach April 2026: ShinyHunters Steal 2.1 Million Customer Records via Salesforce

The Amtrak data breach is a significant cybersecurity incident in which the prolific hacking group ShinyHunters compromised the national passenger railroad’s customer data environment, exposing the personal information of over 2.1 million travellers. Reported in April 2026, the attack represents a growing class of threat in which cloud platform credentials — not the target organisation’s own defences — become the weakest link in the chain. Here is what happened, why it matters, and what third-party risk professionals must do right now.

What Happened

In mid-April 2026, ShinyHunters — a well-documented financially motivated threat group — announced on a cybercriminal forum that they had obtained a large dataset belonging to Amtrak, the federally chartered passenger rail operator serving millions of travellers across the United States. The group set a deadline of April 14th, threatening to release the data publicly if a ransom payment was not received.

The stolen data subsequently appeared online and was added to the Have I Been Pwned breach notification service on April 17, 2026, confirming the authenticity of at least a portion of the leaked records. The breach affected customers across Amtrak’s national network.

  • Breach announced publicly by ShinyHunters: approximately April 11–12, 2026
  • Ransom deadline issued: April 14, 2026
  • Data confirmed on Have I Been Pwned: April 17, 2026
  • Over 2.1 million unique email addresses verified in the leaked dataset

How It Happened: The Attack Vector

The crucial point is that Amtrak itself was not necessarily the direct point of entry. According to reporting from cybersecurity analysts, ShinyHunters obtained access by compromising Salesforce — the cloud-based CRM platform Amtrak uses to manage customer relationships and support interactions. The group allegedly conducted social engineering attacks against Salesforce personnel, obtaining legitimate platform credentials that then allowed them to pivot into the environments of organisations using the Salesforce platform.

This is a textbook example of a fourth-party risk scenario: Amtrak relied on Salesforce as a trusted third party, and Salesforce’s own exposure to social engineering became Amtrak’s breach. The attackers’ access reportedly extended beyond Salesforce to other interconnected cloud services, potentially including Microsoft 365 and Atlassian tools used by Amtrak.

  • Primary attack method: Social engineering targeting a major SaaS platform vendor
  • Access vector: Compromised cloud platform credentials (Salesforce)
  • Lateral movement: Potential pivot to interconnected cloud services
  • Exfiltration method: Bulk export of customer records from cloud CRM environment

According to guidance from NIST Special Publication 800-161 on supply chain risk management, organisations must assess not only their direct vendor relationships but also the risks inherent in the platforms and services those vendors rely upon.

What Was the Damage

The confirmed scope of the Amtrak breach, based on data verified in the Have I Been Pwned database, includes:

  • Over 2.1 million unique customer email addresses
  • Customer full names and physical mailing addresses
  • Customer support interaction records
  • Potentially up to 9.4 million total records as claimed by ShinyHunters, though this figure has not been independently verified

No confirmed evidence emerged of financial payment card data or government identification numbers in the publicly verified portion of the leak. However, the combination of name, email, physical address, and support history is more than sufficient for targeted phishing campaigns, identity fraud, and social engineering attacks against affected individuals. Research shows that breaches involving personally identifiable information typically cost organisations millions in remediation, notification, and regulatory response costs.

Current Situation

As of publication, Amtrak has not released a comprehensive public statement detailing the full scope of the breach or the remediation steps taken. The incident has been reported to the Have I Been Pwned service, which operates as an unofficial public notification resource. Affected customers can check whether their email address was included using that service.

No formal regulatory enforcement action has been publicly announced. However, given Amtrak’s status as a federally connected entity, coordination with the Cybersecurity and Infrastructure Security Agency is standard practice for incidents of this nature. CISA provides free incident response resources for critical infrastructure operators. ShinyHunters continues to be active across multiple industries, making cloud CRM platforms a persistent target.

TPRM Takeaway: What This Means for Risk Professionals

The key takeaway from the Amtrak breach is this: your vendor risk programme must account for the risk your vendors inherit from their own technology stack. If a critical vendor holds your customer data and relies on a SaaS platform that can itself be social-engineered, your organisation is exposed to a fourth-party breach scenario that vendor questionnaires alone will not prevent.

You should immediately take the following steps:

  1. Audit SaaS dependencies in your vendor inventory. Identify which critical vendors use Salesforce, Microsoft 365, or similar cloud CRM platforms, and understand what customer data flows through those environments. Review our guide on vendor risk assessment questionnaires for specific questions to add to your due diligence process.
  2. Review MFA enforcement across all cloud platforms. Social engineering succeeds when credential compromise alone is sufficient for access. Phishing-resistant multi-factor authentication is a non-negotiable control for any SaaS platform holding sensitive data.
  3. Update your vendor criticality tiering. Any vendor whose breach would expose your customer PII — even indirectly through a shared platform — should be classified as critical or high-risk, triggering enhanced monitoring and more frequent reassessment.
  4. Review incident notification clauses. Your vendor contracts should require timely breach notification. See our post on vendor contract security clauses for the specific language to require.
  5. Assess your own cloud CRM configurations. If your organisation directly uses any of the platforms involved, review access controls, session management, and data export permissions immediately.
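To make steps 1 and 3 concrete, here is an added example (not code from LearnTPRM, Amtrak or any vendor) that inverts a constructed vendor inventory by SaaS platform, reports the fourth-party blast radius of one platform, and raises any PII-holding vendor that depends on a platform named in an incident to at least the "high" tier. The vendor names, platform lists and tiers are constructed assumptions, not real data.

```python
from dataclasses import dataclass

TIERS = ["low", "medium", "high", "critical"]  # ascending order of scrutiny

@dataclass
class Vendor:
    name: str
    tier: str               # tier currently assigned by the TPRM programme
    holds_customer_pii: bool
    platforms: list         # SaaS platforms this vendor runs our data through

# Constructed sample inventory; names, tiers and platform lists are illustrative only.
INVENTORY = [
    Vendor("loyalty-programme-operator", "medium", True, ["salesforce", "microsoft365"]),
    Vendor("support-desk-outsourcer", "low", True, ["salesforce", "atlassian"]),
    Vendor("catering-supplier", "low", False, ["microsoft365"]),
    Vendor("payment-processor", "critical", True, ["own-datacentre"]),
]

def platform_exposure(inventory):
    """Step 1: invert the inventory into platform -> vendors routing customer PII through it.
    Vendors that hold no customer PII are ignored, since their platforms carry none of our data."""
    exposure = {}
    for v in inventory:
        if not v.holds_customer_pii:
            continue
        for p in v.platforms:
            exposure.setdefault(p, []).append(v.name)
    return {p: sorted(names) for p, names in exposure.items()}

def blast_radius(inventory, platform):
    """Vendors whose customer PII becomes reachable if `platform` credentials are compromised."""
    return platform_exposure(inventory).get(platform, [])

def retier(inventory, compromised_platforms, floor="high"):
    """Step 3: a PII-holding vendor that depends on a compromised platform is raised to at
    least `floor`; vendors already at or above the floor keep their existing tier."""
    result = {}
    for v in inventory:
        exposed = v.holds_customer_pii and bool(set(v.platforms) & set(compromised_platforms))
        if exposed and TIERS.index(v.tier) < TIERS.index(floor):
            result[v.name] = floor
        else:
            result[v.name] = v.tier
    return result

if __name__ == "__main__":
    incident = {"salesforce"}  # the platform named in the incident above
    print("blast radius of salesforce:", blast_radius(INVENTORY, "salesforce"))
    for name, tier in retier(INVENTORY, incident).items():
        print(f"{name}: {tier}")
```

Feeding your real inventory into `retier` with the platforms from a new advisory gives the list of vendors whose reassessment cadence and monitoring should be tightened first.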

Frequently Asked Questions

What happened in the Amtrak data breach of April 2026?

ShinyHunters gained access to Amtrak’s customer data through compromised Salesforce credentials obtained via social engineering. The group threatened to release the data unless a ransom was paid, and the data subsequently appeared publicly, with over 2.1 million customer records confirmed by breach notification services.

How many customers were affected by the Amtrak data breach?

At least 2.1 million unique customer email addresses were confirmed in the leaked dataset. ShinyHunters separately claimed to hold 9.4 million total Amtrak records, though that larger figure has not been independently verified as of publication.

What types of data were exposed in the Amtrak breach?

The confirmed dataset contained customer names, email addresses, physical mailing addresses, and customer support interaction records. No confirmed financial card data or government ID numbers were found in the verified portion of the breach.

How did the Amtrak breach happen technically?

ShinyHunters used social engineering to compromise credentials associated with Salesforce — the CRM platform Amtrak uses for customer management. Those platform credentials then provided access to Amtrak’s data environment, representing a fourth-party risk failure where the attack bypassed Amtrak’s own perimeter defences.

What should organisations do to prevent a similar breach?

Organisations should enforce phishing-resistant multi-factor authentication on all cloud platforms, conduct fourth-party risk assessments of key vendors’ technology stacks, include SaaS platform compromise scenarios in incident response planning, and review vendor contract clauses to ensure breach notification obligations cover platform-level incidents.
