Data Breach Exposes 103K Customer Records from HVAC Distributor Baker Distributing via SharePoint and Salesforce
What Happened – In May 2026 the ShinyHunters extortion group added Baker Distributing’s environment to its “pay‑or‑leak” site. By early June the group published over 102,900 unique records scraped from the company’s SharePoint and Salesforce platforms, including email addresses, names, phone numbers, physical addresses and support‑ticket details.
Why It Matters for TPRM –
- Exfiltrated corporate contact data can be weaponised for credential‑stuffing, phishing, and BEC attacks against downstream customers and partners.
- The breach demonstrates the risk of third‑party SaaS platforms (SharePoint, Salesforce) when mis‑configured or when credentials are compromised.
- Even “low‑sensitivity” data can amplify supply‑chain risk if attackers map relationships across the HVAC/R ecosystem.
Who Is Affected – Companies in the HVAC/R distribution and services sector, their corporate customers, and any downstream vendors that rely on Baker Distributing’s support tickets or contact lists.
Recommended Actions –
- Review all third‑party SaaS contracts (SharePoint, Salesforce) for security controls and data‑handling clauses.
- Verify that multi‑factor authentication (MFA) and least‑privilege access are enforced for all privileged accounts.
- Conduct a targeted phishing‑simulation for any contacts exposed in the breach and update incident‑response playbooks.
Technical Notes – The breach appears to stem from stolen or weak credentials used to access SharePoint and Salesforce, leading to a large‑scale data exfiltration. No specific CVE was disclosed. Exposed data: email, name, phone, address, support‑ticket metadata. Source: https://haveibeenpwned.com/Breach/BakerDistributing