Full Report
In April 2026, the fintech software company Abrigo was targeted in a "pay or leak" extortion attempt by the ShinyHunters group. Shortly after, data allegedly taken from the company's Salesforce instance was published publicly and contained over 700k unique email addresses belonging to both Abrigo staff and external contacts. Whilst this incident is separate from the compromise of Abrigo's Salesforce instance via the Drift application connector the previous year, the data fields described in that earlier incident are consistent with the ShinyHunters data, namely "business contact information" including "institution name, employee name, email addresses, and phone numbers".
Analysis Summary
# Incident Report: Abrigo Salesforce Data Breach (April 2026)
## Executive Summary
In April 2026, the fintech company Abrigo was targeted by the ShinyHunters threat group in a "pay or leak" extortion attempt. Shortly afterwards the actors published a database containing over 711,000 unique email addresses allegedly exfiltrated from Abrigo's Salesforce instance. The compromise exposed business contact information for both internal staff and external contacts such as client institutions; no passwords or financial data are described in the leak.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** Abrigo (Fintech)
- **Sector:** Financial Technology / Software
- **Geography:** United States (Headquartered)
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026
- **Vector:** Targeted compromise of Salesforce instance.
- **Details:** The specific entry point is not stated in the leak report. What is known is that the attackers obtained read access to the company's Salesforce environment and extracted its business contact data.
### Lateral Movement
- **Details:** Not described in the source. The leaked fields (staff and external contact records) are consistent with access confined to the Salesforce instance itself; there is no evidence of movement into other Abrigo systems.
### Data Exfiltration/Impact
- **April 2026:** Approximately 711,100 unique email addresses were exfiltrated, with associated business contact fields: institution name, employee name, email address and phone number.
### Detection & Response
- **April 2026:** The incident was identified when the ShinyHunters group issued a public extortion threat under a "pay or leak" model.
- **May 14, 2026:** The data was verified and added to the "Have I Been Pwned" (HIBP) database for public notification.
## Attack Methodology
- **Initial Access:** Targeted Salesforce compromise. The mechanism is not disclosed; unauthorized API access via a connected application or abuse of a user's credentials are the most likely candidates given the prior year's Drift connector incident, but neither is confirmed by the source.
- **Persistence:** Not disclosed.
- **Exfiltration:** Systematic extraction of contact records from the Salesforce CRM.
- **Impact:** Extortion and public data leak.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with victim notification and remediation.
- **Data Breach:** Exposure of 711,100 unique email addresses and associated business contact information (names, institution names, phone numbers).
- **Operational:** Diversion of security resources to incident response and post-breach audit.
- **Reputational:** High; this follows a similar incident a year prior involving a Drift application connector, potentially signaling recurring vulnerabilities in third-party integrations or CRM security.
## Indicators of Compromise
- **Network indicators:** None provided in the source. The hxxps[://]x[.]com/DailyDarkWeb reference is a leak-reporting feed, not attacker infrastructure; use it to track leak announcements, not as a blocklist entry.
- **Behavioral indicators:** Large-scale data exports from Salesforce (Bulk API jobs, report exports, high-volume SOQL queries over Contact and Lead objects) originating from IP ranges outside the organization's normal egress, outside business hours, or from integration and service accounts that do not normally export contact data.
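The behavioural indicators above can be checked mechanically against Salesforce Event Monitoring logs. The following is an added example (not code from the HIBP page, Abrigo or Salesforce) that runs three rules over a constructed, simplified CSV in the spirit of Salesforce's EventLogFile rows: an export from a source IP outside the user's trusted ranges, an API-only integration user performing a UI report export, and more than a threshold of rows exported by one user within an hour. The column names `TIMESTAMP_DERIVED`, `ENTITY_TYPE` and `ROWS_PROCESSED`, the user IDs, IP ranges and thresholds are all assumptions for the demo and must be mapped to your org's real columns and baseline.

```python
"""Flag bulk CRM exports matching the behavioural indicators in the report.

Added example, not from the page or from Abrigo/Salesforce. The CSV below is
constructed: it mimics the shape of Salesforce EventLogFile rows but the
column set, IDs, IPs and thresholds are assumptions for this demo.
"""
import csv
import io
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: two interactive analysts (005A1, 005B2) and one
# API-only integration user (005INT). Timestamps are UTC.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ENTITY_TYPE,ROWS_PROCESSED
ReportExport,2026-04-02T09:12:00Z,005A1,198.51.100.23,Contact,1200
API,2026-04-02T09:15:00Z,005INT,203.0.113.9,Lead,800
BulkApi,2026-04-02T09:20:00Z,005B2,198.51.100.40,Account,3000
BulkApi,2026-04-02T02:03:00Z,005INT,192.0.2.77,Contact,250000
BulkApi,2026-04-02T02:05:00Z,005INT,192.0.2.77,Contact,250000
BulkApi,2026-04-02T02:09:00Z,005INT,192.0.2.77,Lead,211100
ReportExport,2026-04-02T02:15:00Z,005INT,192.0.2.77,Contact,5000
"""

# Assumed baseline: corporate egress for everyone, plus the one vendor range
# the integration user is expected to call from.
TRUSTED_NETS = {
    "default": [ipaddress.ip_network("198.51.100.0/24")],
    "005INT": [ipaddress.ip_network("203.0.113.0/24")],
}
SERVICE_ACCOUNTS = {"005INT"}  # API-only users: should never hit ReportExport
ROW_THRESHOLD = 100_000        # rows per user per window before alerting
WINDOW = timedelta(hours=1)


def _trusted(user, ip):
    """True if ip falls inside the user's trusted ranges (or the default)."""
    nets = TRUSTED_NETS.get(user, TRUSTED_NETS["default"])
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in nets)


def detect_bulk_exports(log_text):
    """Return alerts as (rule, user_id, detail) tuples in time order."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"])
    rows.sort(key=lambda r: r["ts"])

    alerts = []
    recent = defaultdict(list)   # user -> [(ts, rows)] inside the window
    seen_ips = set()             # (user, ip) pairs already reported
    volume_alerted = set()       # users already reported for volume
    for r in rows:
        user, ip = r["USER_ID"], r["CLIENT_IP"]
        if not _trusted(user, ip) and (user, ip) not in seen_ips:
            seen_ips.add((user, ip))
            alerts.append(("untrusted_source_ip", user, ip))
        if user in SERVICE_ACCOUNTS and r["EVENT_TYPE"] == "ReportExport":
            alerts.append(("service_account_ui_export", user, r["ENTITY_TYPE"]))
        # Sliding one-hour window of rows exported by this user.
        w = recent[user]
        w.append((r["ts"], r["rows"]))
        recent[user] = w = [(t, n) for t, n in w if r["ts"] - t <= WINDOW]
        total = sum(n for _, n in w)
        if total > ROW_THRESHOLD and user not in volume_alerted:
            volume_alerted.add(user)
            alerts.append(("bulk_export_volume", user, total))
    return alerts


if __name__ == "__main__":
    for rule, user, detail in detect_bulk_exports(SAMPLE_LOG):
        print(f"{rule:28} user={user} detail={detail}")
```

On the constructed sample only the integration user trips any rule: it exports from an address outside its vendor range at 02:03, crosses the volume threshold on its first 250,000-row job, and then performs a UI report export it has no business doing. The interactive analysts' small daytime exports pass. In production the trusted ranges and threshold should come from a per-user baseline rather than constants, and the volume rule is deliberately reported once per user so a multi-batch job does not flood the queue.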
## Response Actions
- **Containment:** Verification of Salesforce security configurations and rotation of affected credentials.
- **Eradication:** Review of the Salesforce instance's connected applications and OAuth tokens, revoking any unauthorized or unrecognised third-party connectors.
- **Recovery:** Notification of affected employees and external contacts; the leaked addresses are also searchable via HIBP, which affected parties can use to confirm exposure.
## Lessons Learned
- **CRM Hardening:** Business contact information, while often considered "low sensitivity," is a primary target for extortion and social engineering.
- **Third-Party Risk:** Recurring issues with application connectors (referencing the previous year's Drift incident) highlight the need for stricter OAuth and API permission reviews.
- **Extortion Trends:** The "pay or leak" model continues to be a preferred tactic for groups like ShinyHunters. Because no data is encrypted, backups do not mitigate it; the controls that matter are preventing and detecting exfiltration, and having an incident response playbook that already covers public disclosure, notification and communications before the leak is announced.
## Recommendations
- **Salesforce Shield:** Implement Salesforce Shield Event Monitoring so that report exports, Bulk API jobs and API queries are logged with user and source IP, and use its real-time events and transaction security policies to alert on, or block, anomalous large exports as they happen rather than after the data is published.
- **Least Privilege:** Conduct a comprehensive audit of all Salesforce users and third-party integrations, ensuring they have the minimum access required to function.
- **MFA Enforcement:** Ensure 100% MFA compliance for all administrative and user accounts accessing the CRM.
- **Data Minimization:** Regularly purge old or unnecessary contact records from CRM environments to reduce the blast radius of a potential breach.
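The least-privilege and third-party-risk recommendations above come down to one recurring question: which connected applications hold live OAuth tokens for which users, and are they all still approved and in use? The following is an added example, not code from the page or from Abrigo or Salesforce, that reviews token records against an approved-integration list. The record shape mirrors the fields of Salesforce's `OauthToken` object that the included SOQL query would return; the records themselves, the approved list, the usernames and the 90-day staleness cut-off are constructed assumptions for the demo.

```python
"""Review connected-app OAuth tokens against an approved-integration list.

Added example; not Abrigo's or Salesforce's code. Records are constructed
to look like rows from the SOQL query below; the approved list and the
staleness cut-off are assumptions that an org would set for itself.
"""
from datetime import datetime, timedelta

# Query an admin would run (via Workbench, sfdx, or the REST API) to pull the
# live tokens; the records below stand in for its result set.
SOQL = ("SELECT Id, AppName, User.Username, LastUsedDate, UseCount, CreatedDate "
        "FROM OauthToken")

# Constructed policy: apps approved for everyone ("*") and per service account.
APPROVED = {
    "*": {"Salesforce for iOS"},
    "integration@example.com": {"Marketing Sync"},
}
STALE_AFTER = timedelta(days=90)

SAMPLE_TOKENS = [  # constructed, shaped like OauthToken query rows
    {"Id": "0Ai1", "AppName": "Salesforce for iOS",
     "User": {"Username": "ana@example.com"},
     "LastUsedDate": "2026-04-20T08:00:00Z", "UseCount": 210},
    {"Id": "0Ai2", "AppName": "Marketing Sync",
     "User": {"Username": "integration@example.com"},
     "LastUsedDate": "2026-04-21T02:00:00Z", "UseCount": 9000},
    {"Id": "0Ai3", "AppName": "Bulk Export Tool",
     "User": {"Username": "integration@example.com"},
     "LastUsedDate": "2026-04-21T02:10:00Z", "UseCount": 3},
    {"Id": "0Ai4", "AppName": "Chat Connector",
     "User": {"Username": "bob@example.com"},
     "LastUsedDate": "2025-09-01T10:00:00Z", "UseCount": 40},
]


def _parse(ts):
    """Parse the UTC timestamp format Salesforce returns."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def audit_oauth_tokens(tokens, now_iso, approved=APPROVED, stale_after=STALE_AFTER):
    """Return {token_id: [findings]} for every token that fails review.

    A token fails if its app is not approved for that user (a candidate for
    immediate revocation) or if it has not been used within stale_after
    (a candidate for revocation as unused standing access).
    """
    now = _parse(now_iso)
    findings = {}
    for t in tokens:
        user, app = t["User"]["Username"], t["AppName"]
        allowed = approved.get("*", set()) | approved.get(user, set())
        issues = []
        if app not in allowed:
            issues.append(f"unapproved app '{app}' for {user}")
        if now - _parse(t["LastUsedDate"]) > stale_after:
            issues.append(f"stale: unused for more than {stale_after.days} days")
        if issues:
            findings[t["Id"]] = issues
    return findings


if __name__ == "__main__":
    for token_id, issues in audit_oauth_tokens(SAMPLE_TOKENS, "2026-04-22T00:00:00Z").items():
        print(token_id, "->", "; ".join(issues))
```

Run against the constructed records with a review date of 22 April 2026, the script flags the unapproved "Bulk Export Tool" token on the service account (the shape of a rogue connector, recently created and already used) and the "Chat Connector" token that is both unapproved and stale. Revocation of a flagged token is a separate, deliberate step (deleting the `OauthToken` record or revoking from the user's connected-app settings), which is why the function only reports and never mutates.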