Full Report
In May 2026, the HVAC/R wholesale distributor Baker Distributing Company was added to the ShinyHunters data extortion group's "pay or leak" site. In early June, the group publicly published data they claimed had been obtained from Baker's SharePoint and Salesforce infrastructure, including 103k unique email addresses along with names, physical addresses, phone numbers and tickets relating to the company's HVAC contractor customer base. The exposed data was largely corporate contact and support information with limited sensitivity.
Analysis Summary
# Incident Report: Baker Distributing Company Data Extortion
## Executive Summary
In May 2026, Baker Distributing Company, a wholesale HVAC/R distributor, fell victim to a data extortion attack orchestrated by the threat group ShinyHunters. The attackers successfully exfiltrated 103,000 unique records from the company’s SharePoint and Salesforce environments. The breach resulted in the public release of corporate contact information and customer support tickets after the company was listed on a "pay or leak" site.
## Incident Details
- **Discovery Date:** May 2026 (via threat actor leak site)
- **Incident Date:** May 2026
- **Affected Organization:** Baker Distributing Company
- **Sector:** HVAC/R Wholesale Distribution
- **Geography:** United States
## Timeline of Events
### Initial Access
- **Date/Time:** Pre-May 2026
- **Vector:** Exploitation of Cloud/SaaS Infrastructure
- **Details:** Attackers gained unauthorized access to the organization's SharePoint and Salesforce instances.
### Lateral Movement
- Moving between cloud productivity (SharePoint) and CRM (Salesforce) environments to aggregate customer data and support logs.
### Data Exfiltration/Impact
- **May 2026:** Baker Distributing was added to the ShinyHunters extortion site.
- **Early June 2026:** Approximately 103k records were leaked publicly following failed extortion negotiations.
### Detection & Response
- **Detection:** The incident was identified when the company appeared on a public "pay or leak" portal.
- **Response:** Post-leak notification through services like "Have I Been Pwned" (HIBP) on June 7, 2026.
## Attack Methodology
*Note: Based on available reporting of ShinyHunters' tactics and the specific assets affected.*
- **Initial Access:** Likely through credential stuffing, phishing, or exploitation of misconfigured SaaS API tokens.
- **Persistence:** Access to cloud-based enterprise applications (Office 365/Salesforce).
- **Collection:** Gathering of customer databases and support ticket histories from SharePoint and Salesforce.
- **Exfiltration:** Transfer of 103,000 records to attacker-controlled infrastructure.
- **Impact:** Use of a "Pay or Leak" site to pressure the victim into a ransom payment; subsequent public data release.
## Impact Assessment
- **Financial:** Unknown ransom demand; costs associated with remediation and potential regulatory inquiries.
- **Data Breach:** 102.9k unique email addresses; physical addresses, names, phone numbers, and HVAC contractor support tickets.
- **Operational:** Limited business disruption reported; primary impact was to data confidentiality.
- **Reputational:** Public listing on a dark web leak site and subsequent coverage in cybersecurity news outlets.
## Indicators of Compromise
- **Network indicators:** None disclosed in the public report.
- **File indicators:** Data dump titled "Baker Distributing" published by ShinyHunters.
- **Behavioral indicators:** Unusual API call volume or mass downloads from SharePoint/Salesforce environments.
## Response Actions
- **Containment:** (Assumed) Revocation of compromised credentials and securing of SaaS instances.
- **Eradication:** Investigation into the specific entry point within the Salesforce/SharePoint configuration.
- **Recovery:** Notification to affected customers (indicated by HIBP entry).
## Lessons Learned
- **SaaS Visibility:** The breach highlights the risk of "data sprawl" across third-party SaaS platforms (Salesforce/SharePoint) that may hold sensitive customer data without the same level of monitoring as on-premises servers.
- **Supply Chain Targeting:** Wholesale distributors are high-value targets due to the volume of downstream contractor data they possess.
## Recommendations
- **Identity Security:** Implement strict Multi-Factor Authentication (MFA) for all cloud-based corporate accounts.
- **SaaS Hardening:** Perform regular security audits of Salesforce and SharePoint permissions to ensure the principle of least privilege.
- **Data Minimization:** Regularly purge old support tickets and inactive customer contact records to reduce the "blast radius" of a potential breach.
- **Threat Monitoring:** Implement Cloud Access Security Broker (CASB) solutions to detect mass data downloads from cloud storage.
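The behavioral indicator above (unusual API call volume or mass downloads from SharePoint/Salesforce) and the CASB-style monitoring recommendation can both be expressed as one detection. The following is an added example, not code from the report or from any vendor: it assumes audit records reduced to a few fields shaped like Microsoft 365 Unified Audit Log entries (`CreationTime`, `Operation`, `UserId`) and Salesforce EventLogFile rows (`TIMESTAMP_DERIVED`, `EVENT_TYPE`, `USER_NAME`), with constructed thresholds and constructed sample records.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed thresholds: a SOC would tune these against its own per-user baseline.
WINDOW = timedelta(minutes=15)
SHAREPOINT_DOWNLOAD_LIMIT = 50   # FileDownloaded events per user within WINDOW
SALESFORCE_EXPORT_LIMIT = 5      # ReportExport/BulkApi events per user within WINDOW

def peak_count_per_user(events, limit):
    """Sliding window: return {user: peak events in any WINDOW} for users over limit."""
    by_user = defaultdict(list)
    for ts, user in events:
        by_user[user].append(ts)
    flagged = {}
    for user, times in by_user.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > WINDOW:   # advance the window's left edge
                start += 1
            peak = max(peak, end - start + 1)
        if peak > limit:
            flagged[user] = peak
    return flagged

def correlate(sharepoint_records, salesforce_records):
    """Flag bulk pulls per platform; escalate when one identity trips both."""
    sp = peak_count_per_user(
        [(datetime.fromisoformat(r["CreationTime"]), r["UserId"].lower())
         for r in sharepoint_records if r["Operation"] == "FileDownloaded"],
        SHAREPOINT_DOWNLOAD_LIMIT)
    sf = peak_count_per_user(
        [(datetime.fromisoformat(r["TIMESTAMP_DERIVED"]), r["USER_NAME"].lower())
         for r in salesforce_records if r["EVENT_TYPE"] in ("ReportExport", "BulkApi")],
        SALESFORCE_EXPORT_LIMIT)
    return {u: {"sharepoint": sp.get(u, 0), "salesforce": sf.get(u, 0),
                "severity": "high" if u in sp and u in sf else "medium"}
            for u in set(sp) | set(sf)}

def constructed_logs():
    """Constructed sample: one account bulk-pulls from both platforms, one is normal."""
    t0 = datetime(2026, 5, 20, 9, 0, 0)
    sp = [{"CreationTime": (t0 + timedelta(seconds=10 * i)).isoformat(), "Operation": "FileDownloaded",
           "UserId": "svc-sync@example.invalid"} for i in range(80)]
    sp += [{"CreationTime": (t0 + timedelta(minutes=3 * i)).isoformat(), "Operation": "FileDownloaded",
            "UserId": "alice@example.invalid"} for i in range(6)]
    sf = [{"TIMESTAMP_DERIVED": (t0 + timedelta(minutes=i)).isoformat(), "EVENT_TYPE": "ReportExport",
           "USER_NAME": "svc-sync@example.invalid"} for i in range(8)]
    return sp, sf
```

Run `correlate(*constructed_logs())` to see the service account flagged at high severity while the normal user stays below threshold; the same identity appearing in both platforms' alerts is the cross-SaaS aggregation pattern described in the timeline.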