ShinyHunters’ mass enterprise data breach effort continues, this time with US conglomerate Hallmark reportedly falling victim to one of the threat actors’ ransom attacks.
This particular breach allegedly impacts Hallmark Cards and Hallmark Plus, two distinct arms of the company, and means that 7.9M Salesforce records containing PII and other internal corporate data have reportedly been compromised.
Details of the Breach
According to a recent ShinyHunters’ post, just under 8M Salesforce records containing sensitive customer information and internal company data have been breached. Now, they are at risk of being leaked if Hallmark does not respond to the threat group.
“This is a final warning to reach out by 2 Apr 2026 before we leak along with several annoying (digital) problems that’ll come your way,” ShinyHunters wrote on their site. “Make the right decision, don’t be the next headline.”
This is reminiscent of an update the group put out earlier this month, detailing that several hundred companies are set to release, with final warnings upon failure to comply. The same language was used, stressing these customers to “do the right thing” to avoid becoming the “next headline”.
This time, the group’s warning to Hallmark does not include traditional ransom payment instructions, with no ransom amount or payment demand detailed in the post. It is currently unclear why some customers are met with ransom payments while others are not.
Salesforce consistently stresses that its own software is not the issue in these campaigns, and that Salesforce “remains secure”.
“As a matter of policy, Salesforce does not comment on specific customer issues,” a Salesforce spokesperson said. “Our teams are proactively engaged to support customers in any way they need. We have no indication at this time that this issue was caused by any vulnerability in our platform.”
SF Ben has reached out to Hallmark for comment.
Security Reminders
With no sign of these breaches slowing down, this is a crucial time to ensure that org-wide security processes and protections are in place in your org, despite Salesforce assuring customers that this is not due to platform vulnerabilities.
This includes keeping the principle of least privilege in mind, considering cloud penetration testing, and keeping tabs on connected apps.
Salesforce ISVs should also have received an email detailing a new set of security requirements to adhere to by April 13, including changes to OAuth and refresh token timeouts.
Summary
Once again, this data breach should alarm businesses that are not 100% confident in their security procedures, as ShinyHunters and other threat actors have continually demonstrated their ability and willingness to attack companies of any size.
As Robert S. Mueller III, former Director of the FBI, famously said: “There are only two types of companies: those who have been hacked, and those who will be hacked”, meaning that if someone is determined enough, they will get through.
However, this should not deter businesses from giving their customers the best fighting chance to protect their data, as it could mean the difference between being exposed in a small hack or a large-scale ShinyHunters attack.
