High

Amtrak Breach: 2.1M Emails, Names & Addresses Exposed (2026)

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M uniqu...

Overview

On April 12, 2026, the notorious hacking group ShinyHunters claimed responsibility for a data breach targeting Amtrak. The group, known for compromising Salesforce instances and extorting victims, subsequently dumped a dataset allegedly containing over 2 million unique records. The leaked data includes 2,147,679 customer accounts, exposing names, email addresses, and physical addresses. This breach was reported to Have I Been Pwned, and affected users can check their exposure at haveibeenpwned.com.

What Was Exposed

The exposed data for each affected customer includes:

  • Email Addresses: The primary vector for phishing attacks and spam campaigns.
  • Names: Allows attackers to personalize phishing emails, making them more convincing.
  • Physical Addresses: This is a significant privacy concern, as it can lead to physical mail scams, targeted advertising, and potential doxxing.

How the Breach Happened

ShinyHunters is a prolific cybercrime group that specializes in breaching organizations’ Salesforce instances. Their modus operandi involves exploiting misconfigured Salesforce environments or using stolen credentials to gain access. After extracting data, they typically demand a ransom from the company. If the ransom is not paid, they publish the stolen data on public forums and dark web marketplaces. In this case, it appears Amtrak either did not pay or the negotiations failed, leading to the public exposure of this customer data.

Who’s Actually Affected

The breach directly affects Amtrak customers who had their account information stored in the compromised Salesforce instance. While the initial impact is limited to Amtrak’s customer base, there is a high probability that ShinyHunters targeted this instance because it contained a large volume of personally identifiable information (PII). The risk extends to anyone who uses the same email address and password across other services, as this data could be used in credential-stuffing attacks.

What to Do Right Now

  1. Check If You’re Affected: Visit Have I Been Pwned and enter your email address to see if your data was exposed in this breach.
  2. Change Your Password: If you are affected, change your Amtrak account password immediately. Use a strong, unique password that you don’t reuse on other sites.
  3. Enable Two-Factor Authentication (2FA): If Amtrak offers 2FA, enable it. This adds a critical second layer of security.
  4. Watch for Phishing: Be extremely cautious with any emails, text messages, or physical mail that references your Amtrak account. Do not click on links or download attachments from unknown sources.
  5. Monitor Your Credit: While Social Security numbers were not exposed, your name and address are valuable for identity theft. Consider placing a credit freeze or fraud alert with the major credit bureaus.

How to Check If You’re Affected

The most reliable way to confirm if your data was included in this breach is to check Have I Been Pwned. This service has ingested the full dataset and can verify if your email address appears within it. If it does, follow the steps above to secure your accounts.

Security Insight

This breach reveals that Amtrak’s reliance on a third-party Salesforce instance created a vulnerability that a known threat actor could exploit. The fact that ShinyHunters specifically targets Salesforce environments highlights a systemic weakness in how companies configure and secure their CRM platforms. The incident is a stark reminder that organizations must rigorously audit third-party service configurations and implement robust access controls, as a single misconfiguration can lead to the exposure of millions of customer records.
