Amtrak Exposes Over 2.1 Million Customer Records After ShinyHunters Salesforce Compromise
What Happened
In April 2026 the hacking group ShinyHunters announced they had infiltrated Amtrak’s Salesforce environment and exfiltrated more than 2 million unique records. The leaked dataset includes email addresses, full names, physical mailing addresses and customer‑support ticket details.
Why It Matters for TPRM
- A breach of a transportation‑service provider demonstrates that even legacy public‑sector vendors can be compromised through cloud‑SaaS misconfigurations.
- Exposure of personal identifiers and support‑ticket content raises the risk of credential stuffing, phishing, and downstream supply‑chain attacks on partners that integrate with Amtrak’s APIs.
Who Is Affected
- Rail and broader transportation operators
- Travel‑booking platforms and ticket‑resellers that rely on Amtrak’s data feeds
- SaaS vendors (Salesforce, CRM integrators) that host or process Amtrak‑related workloads
Recommended Actions
- Inventory all contracts and data flows that involve Amtrak or its Salesforce‑based services.
- Verify that your vendor risk program includes continuous monitoring of SaaS configuration hygiene.
- Request Amtrak’s incident‑response report and any remediation steps taken; update your own breach‑response playbooks accordingly.
Technical Notes
- Attack vector: Compromise of a misconfigured Salesforce instance (likely credential theft or exploitation of insecure API endpoints).
- CVEs: None disclosed.
- Data types exposed: Email addresses, full names, physical mailing addresses, customer‑support ticket content.