Baker Distributing Breach: 103K Contractor Customers Exposed (2026)

Overview

On May 25, 2026, the ShinyHunters data extortion group added HVAC/R wholesale distributor Baker Distributing Company to its “pay or leak” site. By early June, the group publicly released data it claimed was stolen from Baker’s SharePoint and Salesforce environments. The dump contains 102,935 unique email addresses along with names, physical addresses, phone numbers, and internal support tickets tied to the company’s HVAC contractor customer base. The breach was disclosed to Have I Been Pwned (HIBP), and affected individuals can now check if their data is among the exposed records.

While the exposed data is primarily business contact and support information - not financial accounts or Social Security numbers - the scale (103K records) and the public nature of the leak create real risks for contractors, their businesses, and their personal privacy.

What Was Exposed

The leaked dataset includes:

• Email addresses: The primary identifier used for both business and personal correspondence.
• Names: Full names of contractor contacts and support staff.
• Phone numbers: Direct business lines and likely personal mobile numbers.
• Physical addresses: Street addresses, often tied to contractor companies or home offices.
• Support tickets: Internal Salesforce records containing notes about HVAC system issues, service histories, and possibly client-specific equipment details or contractual terms.

None of the leaked data is considered highly sensitive in isolation, but combined, it creates a detailed profile for each affected contractor - enough for targeted phishing, social engineering, or business identity theft.

How the Breach Happened

The ShinyHunters group - known for extortion-driven breaches and data sales - claimed access was gained through Baker Distributing’s SharePoint and Salesforce cloud infrastructure. The exact initial attack vector has not been publicly confirmed, but the pattern suggests either credential compromise (such as a stolen admin password) or an unsecured API access point. The data was then exfiltrated before extortion demands were made.

This is a classic cloud misconfiguration or inadequate access control scenario - common among mid-sized distributors with complex B2B operations where multiple cloud services handle sensitive customer data.

Account Takeover Risks

Because the leak includes active email addresses, the primary risk is credential harvesting and targeted phishing. Attackers can:

• Send spear-phishing emails posing as Baker Distributing support (e.g., fake invoices, urgent account verification).
• Attempt password reuse attacks across contractor portals or personal accounts - especially if contractors use the same email for both business and personal logins.
• Use full names and phone numbers to socially engineer reset attempts on linked accounts (e.g., Microsoft 365, CRMs, or utility portals).

Individuals who use the same password for Baker Distributing as for other services face elevated account takeover risk.

What to Do Right Now

1. Change passwords on any Baker Distributing-related accounts immediately. Use unique, complex passwords - ideally generated by a password manager.
2. Enable multi-factor authentication (MFA) on all email accounts, especially those used for business communications. MFA blocks most credential-based attacks.
3. Be skeptical of unsolicited emails, calls, or texts that reference your Baker Distributing account. Do not click links or download attachments unless you can independently verify the sender.
4. Monitor for phishing attempts - watch for messages that use your name, address, or recent service history to appear legitimate.
5. Consider freezing your business credit profile if your contractor business relies on credit lines or vendor accounts - identity theft for B2B accounts is a growing threat.

How to Check If You’re Affected

Baker Distributing’s breach has been loaded into Have I Been Pwned. You can visit HIBP and search your email address to see if it appears in this specific leak. The entry includes the 102,935 unique email addresses along with the other exposed fields. If you are a Baker Distributing contractor or have ever worked with them, it is highly recommended to check - even if you have not received a direct notification.

Security Insight

This breach underscores a recurring vulnerability in B2B distribution networks: the gap between internal cloud security and external contractor data protection. Baker Distributing stored contractor contact and support data inside Salesforce and SharePoint without apparent segmentation or access logging, allowing a single compromise to expose the entire customer base. It mirrors similar leaks seen in the manufacturing and logistics sectors in 2025-2026, where cloud misconfigurations accounted for over 40% of reported data exposure events. For contractors, the lesson is clear: treat any business partner portal as a potential vulnerability - never reuse passwords across platforms and assume that support tickets contain more personal data than you intend.

Further Reading

• All High Breaches
• Recent Data Breaches