High

Abrigo Data Breach: 711K Emails & Contacts Exposed (2026)


Overview

In April 2026, fintech software provider Abrigo became the target of a “pay or leak” extortion attempt by the ShinyHunters threat group. The attackers claimed to have stolen data from Abrigo’s Salesforce instance, and shortly after the ransom deadline passed, a dataset containing over 711,000 unique email addresses was published publicly. The leaked information consists of business contact data - including names, email addresses, and phone numbers - associated with both Abrigo staff and external contacts at financial institutions. The breach was reported to Have I Been Pwned, where affected individuals can verify if their data was included.

What Was Exposed

The leaked dataset contains three primary fields: email addresses, names, and phone numbers. While this is classified as “business contact information” - similar to data exposed in a prior Abrigo incident involving the Drift application connector - the scale is significant. Over 711,000 unique email addresses were published, making this one of the larger contact-data leaks in the fintech sector this year. The data appears to originate from Abrigo’s Salesforce CRM instance, which stored records of interactions with financial institution clients and prospects.

How the Breach Happened

ShinyHunters gained access to Abrigo’s Salesforce environment, likely through compromised credentials or an exposed API endpoint. The group then exfiltrated the contact database and demanded payment to delete the data. When Abrigo did not pay, the attackers published the full dataset publicly. Notably, this incident is separate from Abrigo’s earlier Salesforce compromise via the Drift application connector, suggesting that the company’s Salesforce instance had multiple points of exposure or that remediation from the prior incident was incomplete.

Who’s Actually Affected

While the breach originated at Abrigo, the affected individuals are primarily employees and contacts at client financial institutions - banks, credit unions, and other lending organizations that use Abrigo’s software. If your work email is associated with a financial institution that uses Abrigo’s platform, your contact information may have been exposed. This is a classic supply-chain data leak: the damage radiates outward from the vendor to its customers’ staff.

How to Check If You’re Affected

You can verify whether your email address was included in this breach by visiting Have I Been Pwned and entering your email address. If your email appears in the breach, proceed with the recommendations below.

Recommendations

Although no passwords or financial account numbers were exposed, the leaked contact information enables targeted phishing and social engineering attacks. Threat actors may use the exposed names, emails, and phone numbers to craft convincing messages that appear to come from colleagues or trusted vendors.

  • Be wary of unsolicited communications: If you receive an email, text, or phone call referencing Abrigo or your financial institution, verify the sender’s identity through a separate channel before clicking links or providing information.
  • Enable multi-factor authentication (MFA): Turn on MFA for all work-related accounts, especially those tied to financial systems or CRM platforms. This adds a critical layer of defense even if credentials are later compromised.
  • Monitor for targeted phishing: Financial institution employees are high-value targets. Report any suspicious messages to your IT or security team immediately.
  • Update contact preferences: If you have an account directly with Abrigo, consider updating your contact settings or requesting removal from non-essential mailing lists to limit future exposure.

Security Insight

This breach exposes a troubling pattern: Abrigo suffered a similar Salesforce data leak in 2025 via the Drift connector, and now a second, larger exposure via the same Salesforce instance in 2026. For a company that handles sensitive financial data, two consecutive CRM breaches within a year signal a systemic failure in access control and third-party integration security. Fintech vendors must treat business contact data as sensitive, because it is the fuel for highly targeted phishing campaigns against the financial sector.
