High

CFGI Breach: 248K Records, Emails & Addresses Exposed (2026)

In March 2026, the financial consulting and advisory firm CFGI was the target of a ShinyHunters "pay-or-leak" extortion campaign. The group subsequently publicised data allegedly obtained from CFGI comprising corporate contact information, including 243k unique email addresses, names, phone numbers...

Overview

In March 2026, the financial consulting and advisory firm CFGI was targeted in a “pay-or-leak” extortion campaign by the threat actor group ShinyHunters. The group publicly released a dataset allegedly stolen from CFGI, containing corporate contact information for 248,235 individuals. The compromised data includes email addresses, names, phone numbers, and physical addresses. The breach was reported to Have I Been Pwned (HIBP), allowing affected individuals to verify their exposure.

What Was Exposed

The leaked dataset contains 248,235 unique records, each including:

  • Email Addresses - the primary identifier for account takeover attempts and phishing campaigns.
  • Names - can be combined with other data for targeted social engineering.
  • Phone Numbers - enables smishing (SMS phishing) and vishing (voice phishing) attacks.
  • Physical Addresses - a privacy risk that can be used for physical credential theft or doxing.

While no financial data or Social Security numbers were confirmed exposed, the combination of contact details is a goldmine for scammers crafting convincing spear-phishing emails, texts, or phone calls impersonating CFGI or other trusted entities.

How the Breach Happened

ShinyHunters is a known threat actor group that specializes in extortion-driven data breaches. In this case, CFGI was subjected to a “pay-or-leak” campaign, where attackers exfiltrated corporate data and demanded a ransom to prevent its public release. When CFGI declined to pay, ShinyHunters leaked the dataset. The exact technical vector (e.g., compromised credentials, vulnerability exploitation, or third-party access) has not been disclosed, but the severity of the breach is rated HIGH due to the volume and sensitivity of the exposed data.

Account Takeover Risks

With email addresses exposed, affected individuals face an elevated risk of account takeover (ATO) attacks. Attackers may attempt to use the same email-password combinations from other breaches (credential stuffing) to access corporate accounts or personal services like email, social media, and banking. Although passwords were not directly confirmed in this breach, the presence of email addresses alone is sufficient for credential stuffing campaigns when paired with other breach databases.
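A defender-side view of the credential stuffing pattern described above, as an added example that is not part of the original report: it scans authentication logs for a single source trying many distinct exposed addresses, and lists any of those accounts it then logged in to. The log format, the watchlist addresses, the IP addresses and the `min_accounts` threshold are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed watchlist: addresses your organisation found in the breach data
# (for example via an HIBP search). All values here are made up.
EXPOSED = {"a.lee@example.com", "b.khan@example.com", "c.diaz@example.com",
           "d.roy@example.com"}

# Constructed authentication log lines in a hypothetical key=value format.
SAMPLE_LOG = """\
2026-03-20T10:00:01Z src=203.0.113.7 user=a.lee@example.com result=FAIL
2026-03-20T10:00:02Z src=203.0.113.7 user=b.khan@example.com result=FAIL
2026-03-20T10:00:03Z src=203.0.113.7 user=c.diaz@example.com result=FAIL
2026-03-20T10:00:04Z src=203.0.113.7 user=d.roy@example.com result=OK
2026-03-20T10:05:00Z src=198.51.100.9 user=e.wu@example.com result=FAIL
2026-03-20T10:05:20Z src=198.51.100.9 user=e.wu@example.com result=FAIL
2026-03-20T10:05:45Z src=198.51.100.9 user=e.wu@example.com result=OK
"""

LINE = re.compile(r"^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$")

def detect_stuffing(log_text, exposed, min_accounts=3):
    """Return {src_ip: {"targeted": [...], "compromised": [...]}} for sources
    that tried at least min_accounts distinct exposed addresses."""
    tried = defaultdict(set)      # src -> exposed accounts attempted
    succeeded = defaultdict(set)  # src -> exposed accounts logged in to
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip malformed lines rather than guessing
        _, src, user, result = m.groups()
        user = user.lower()
        if user not in exposed:
            continue  # only accounts known to be in the leaked data
        tried[src].add(user)
        if result == "OK":
            succeeded[src].add(user)
    return {src: {"targeted": sorted(users),
                  "compromised": sorted(succeeded[src])}
            for src, users in tried.items() if len(users) >= min_accounts}

if __name__ == "__main__":
    for src, hit in detect_stuffing(SAMPLE_LOG, EXPOSED).items():
        print(src, "targeted", len(hit["targeted"]), "exposed accounts;",
              "successful logins:", hit["compromised"] or "none")
```

Accounts listed under `compromised` are the ones to reset and review first; the second source in the sample is ignored because its repeated failures hit one account that is not on the watchlist.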

What to Do Right Now

If you believe you may be affected by the CFGI breach, take the following steps immediately:

  1. Check if you’re affected - Visit Have I Been Pwned and enter your email address to see if it appears in the CFGI dataset.
  2. Change passwords - For any account linked to the same email address, update your password using a strong, unique credential. Enable two-factor authentication (2FA) wherever possible.
  3. Enable 2FA on all accounts - Use an authenticator app or hardware key, not SMS-based 2FA, which is vulnerable to SIM-swapping.
  4. Be alert for phishing - Expect emails, texts, or calls impersonating CFGI or related services. Never click links or download attachments from unsolicited messages. Verify sender identity directly through official channels.
  5. Monitor financial accounts - While no financial data was exposed, monitor bank and credit card statements for unauthorized transactions over the next several months.

How to Check If You’re Affected

The quickest way to confirm exposure is to visit Have I Been Pwned and search for your email address. HIBP maintains a searchable database of all records included in this breach. If your email appears, assume that your associated name, phone number, and physical address are also in the hands of attackers. Consider freezing your credit with the three major bureaus (Equifax, Experian, TransUnion) as a precaution, even though SSNs were not reported exposed.

Security Insight

The CFGI breach underscores the growing prevalence of extortion-as-a-service within the cybercriminal ecosystem. ShinyHunters, known for targeting both consumers and enterprises, exploits corporate reluctance to pay ransoms by publicly shaming victims through data leaks. For a firm handling sensitive financial consulting data, the failure to prevent data exfiltration raises questions about network segmentation and access control. This incident parallels other recent extortion campaigns against professional services firms, highlighting a systemic vulnerability in the sector’s approach to securing bulk PII.
