Full Report
In March 2026, the financial services firm Ameriprise Financial was named by the ShinyHunters group in a "pay or leak" extortion campaign. The group claimed possession of more than 200GB of compressed data exfiltrated from Ameriprise's Salesforce environment and internal SharePoint infrastructure, and subsequently published the data after negotiations allegedly failed. The published data contained 500k unique email addresses as well as names, phone numbers, physical addresses and employer information. In their disclosure to state attorneys general, Ameriprise reported 47,876 affected people; the larger email address population represents contacts from Ameriprise's broader operational systems, including internal staff. Ameriprise further advised that they have "implemented heightened monitoring of your account(s) to include enhanced identity verification procedures".
Analysis Summary
# Incident Report: Ameriprise Financial Data Breach (ShinyHunters Extortion)
## Executive Summary
In March 2026, Ameriprise Financial fell victim to a "pay or leak" extortion campaign orchestrated by the threat actor group ShinyHunters. The attackers exfiltrated approximately 200GB of compressed data from the firm’s Salesforce and SharePoint environments, subsequently leaking the information after ransom negotiations failed. The breach resulted in the exposure of personal information for nearly 48,000 individuals and 500,000 unique email addresses belonging to staff and operational contacts.
## Incident Details
- **Discovery Date:** March 2026 (via extortion threat)
- **Incident Date:** March 2026
- **Affected Organization:** Ameriprise Financial
- **Sector:** Financial Services
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Circa March 2026
- **Vector:** Targeted cloud/SaaS environments.
- **Details:** Attackers gained unauthorized access to Ameriprise’s Salesforce environment and internal SharePoint infrastructure.
### Lateral Movement
- Moving between cloud-based CRM (Salesforce) and internal document management systems (SharePoint) to aggregate high-value data.
### Data Exfiltration/Impact
- **Exfiltration:** Over 200GB of compressed data was stolen.
- **Leak:** After failed negotiations, ShinyHunters published the data on the public web/dark web.
### Detection & Response
- **Discovery:** ShinyHunters publicly named Ameriprise in an extortion campaign.
- **Response:** Notification to State Attorneys General; implementation of heightened account monitoring.
## Attack Methodology
- **Initial Access:** Compromise of cloud service credentials or misconfigured API access (Salesforce/SharePoint).
- **Persistence:** Not explicitly disclosed; likely via hijacked cloud accounts.
- **Privilege Escalation:** Gained sufficient permissions to export large-scale databases from Salesforce.
- **Defense Evasion:** Use of legitimate cloud-to-cloud movement to bypass traditional perimeter security.
- **Credential Access:** Unknown (likely phishing or credential stuffing).
- **Discovery:** Identified high-value document repositories within SharePoint.
- **Lateral Movement:** Pivoted from CRM (Salesforce) to internal document sites (SharePoint).
- **Collection:** Aggregated 200GB of compressed archives.
- **Exfiltration:** Data transferred out of cloud environments to attacker-controlled infrastructure.
- **Impact:** Data exfiltration and "Pay or Leak" extortion.
## Impact Assessment
- **Financial:** Potential regulatory fines and costs associated with credit monitoring and legal disclosures.
- **Data Breach:** 502,600 unique email addresses; 47,876 detailed PII records including names, phone numbers, physical addresses, and employer info.
- **Operational:** No reported service downtime; primary impact was confidentiality loss.
- **Reputational:** High; public naming by a well-known threat group and presence on "Have I Been Pwned."
## Indicators of Compromise
- **Network indicators:** Activity involving known ShinyHunters exfiltration tools (Note: Specific IPs/URLs not provided in source text).
- **File indicators:** 200GB compressed data archives.
- **Behavioral indicators:** Large-scale data exports from Salesforce and SharePoint occurring outside of normal business patterns.
## Response Actions
- **Containment:** Secured Salesforce and SharePoint environments to prevent further exfiltration.
- **Eradication:** Investigation of the entry point to revoke compromised credentials.
- **Recovery:** Notified 47,876 affected individuals as required by law.
- **Protective Measures:** Implemented "heightened monitoring" of client accounts and enhanced identity verification procedures.
## Lessons Learned
- **Cloud Visibility:** Massive data exfiltration from Salesforce and SharePoint suggests a need for better monitoring of "normal" data export volumes.
- **Negotiation Policy:** The firm chose not to meet extortion demands, which led to a public data leak; this highlights the importance of robust offline backups and data encryption.
- **Identity Security:** The reliance on "enhanced identity verification" post-incident suggests that MFA or verification steps may have been circumvented or were insufficient during the initial attack.
## Recommendations
- **Implement Cloud Access Security Broker (CASB):** Monitor and limit the volume of data that can be downloaded/exported from Salesforce and SharePoint.
- **Zero Trust Architecture:** Ensure that access to SharePoint is restricted via device health checks and strict MFA.
- **Data Minimization:** Review data retention policies in SaaS environments to ensure 200GB of sensitive data is not unnecessarily "warm" and accessible.
- **Defensive Monitoring:** Set alerts for bulk data movement to non-corporate IP ranges.
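The bulk-export alerting called for in the Behavioral indicators, Cloud Visibility and Defensive Monitoring items above, as an added example that is not part of the original report. It works over constructed, simplified event records; the field shape, corporate IP ranges, business-hours window and 100,000-row hourly threshold are assumptions, not Salesforce's or Ameriprise's real telemetry or baselines.

```python
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample events in a simplified shape (not Salesforce's real
# EventLogFile schema): timestamp, user, source system, event type, rows, client IP.
SAMPLE_EVENTS = [
    ("2026-03-02T09:15:00", "alice", "salesforce", "ReportExport", 1200, "10.20.30.40"),
    ("2026-03-02T10:02:00", "alice", "salesforce", "ReportExport", 900, "10.20.30.40"),
    ("2026-03-02T11:40:00", "bob", "sharepoint", "FileDownloaded", 50, "10.20.31.7"),
    ("2026-03-03T02:05:00", "svc-integration", "salesforce", "BulkApiRequest", 250000, "203.0.113.55"),
    ("2026-03-03T02:20:00", "svc-integration", "salesforce", "BulkApiRequest", 240000, "203.0.113.55"),
    ("2026-03-03T02:35:00", "svc-integration", "sharepoint", "FileDownloaded", 18000, "203.0.113.55"),
]

CORPORATE_RANGES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
BUSINESS_HOURS = range(7, 20)   # 07:00-19:59, assumed local business window
VOLUME_THRESHOLD = 100_000      # rows per user per hour; assumed baseline, tune per org

def parse(event):
    ts, user, system, etype, rows, ip = event
    return {"ts": datetime.fromisoformat(ts), "user": user, "system": system,
            "type": etype, "rows": int(rows), "ip": ip_address(ip)}

def detect_bulk_exports(events, threshold=VOLUME_THRESHOLD):
    """Aggregate exported rows per (user, clock hour) across Salesforce and SharePoint,
    and raise one alert per bucket over the threshold. Each alert carries the extra
    risk signals the report calls out: cross-system collection, a source IP outside
    corporate ranges, and activity outside business hours."""
    buckets = defaultdict(lambda: {"rows": 0, "systems": set(),
                                   "external_ip": False, "off_hours": False})
    for e in map(parse, events):
        hour = e["ts"].replace(minute=0, second=0, microsecond=0)
        b = buckets[(e["user"], hour)]
        b["rows"] += e["rows"]
        b["systems"].add(e["system"])
        b["external_ip"] |= not any(e["ip"] in net for net in CORPORATE_RANGES)
        b["off_hours"] |= e["ts"].hour not in BUSINESS_HOURS
    alerts = []
    for (user, hour), b in sorted(buckets.items(), key=lambda kv: kv[0][1]):
        if b["rows"] >= threshold:
            alerts.append({"user": user, "hour": hour.isoformat(), "rows": b["rows"],
                           "systems": sorted(b["systems"]),
                           "external_ip": b["external_ip"], "off_hours": b["off_hours"]})
    return alerts

if __name__ == "__main__":
    for alert in detect_bulk_exports(SAMPLE_EVENTS):
        print(alert)
```

With the constructed data, only the service account's 02:00 bucket trips the rule; a single account pulling from both Salesforce and SharePoint from an external address overnight is exactly the pattern the report describes.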