Full Report
In March 2026, Hallmark suffered an alleged breach and subsequent extortion after attackers gained access to data stored within Salesforce. The data was later published after the extortion deadline passed, exposing 1.7M unique email addresses across both Hallmark and the Hallmark+ streaming service, along with names, phone numbers, physical addresses and support tickets.
Analysis Summary
# Incident Report: Hallmark Salesforce Breach and Extortion
## Executive Summary
In March 2026, Hallmark experienced a significant data breach involving the unauthorized access of its Salesforce environment by external threat actors. The incident resulted in the exfiltration of personal data belonging to 1.7 million users, which was subsequently published online following a failed extortion attempt. The breach impacted both the primary Hallmark brand and its Hallmark+ streaming service.
## Incident Details
- **Public Disclosure Date:** April 12, 2026 (date the dataset was loaded into Have I Been Pwned; the date Hallmark itself detected the intrusion is not stated in the source)
- **Incident Date:** March 2026
- **Affected Organization:** Hallmark / Hallmark+
- **Sector:** Retail / Entertainment (Streaming Services)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Unauthorized access to Hallmark's Salesforce environment. The specific technique (stolen or phished credentials, an abused OAuth connected app, or a misconfigured integration are the usual paths into a Salesforce org) has not been disclosed.
- **Details:** Attackers gained unauthorized access to data stored within Hallmark's Salesforce instance.
### Lateral Movement
- **Details:** Not disclosed. The exposed records cover customers of both the Hallmark brand and the Hallmark+ streaming service, which is consistent with a single Salesforce instance holding both datasets and does not by itself demonstrate movement between separate systems.
### Data Exfiltration/Impact
- **Details:** Attackers exfiltrated records covering 1.7 million unique email addresses, together with names, phone numbers, physical addresses and the contents of support tickets. They then attempted to extort Hallmark under a deadline.
### Detection & Response
- **Discovery:** How Hallmark first detected the intrusion is not disclosed; the incident became public through the extortion attempt and the subsequent appearance of the data on a leak site.
- **Response Actions:** Hallmark chose not to meet the extortion demands, leading to the public release of the data. The incident was added to the "Have I Been Pwned" database on April 12, 2026.
## Attack Methodology
- **Initial Access:** Unauthorized access to Salesforce (Cloud Service Provider).
- **Persistence:** Not disclosed.
- **Privilege Escalation:** Not disclosed.
- **Defense Evasion:** Not disclosed.
- **Credential Access:** Not disclosed. Credential theft or abuse of an over-permissioned integration are the common ways into a Salesforce org, but neither is confirmed for this incident.
- **Discovery:** Not disclosed. The objects taken (contact records and support tickets) indicate customer CRM data was the target.
- **Lateral Movement:** Not disclosed. The exposed data covers both Hallmark and Hallmark+ customers.
- **Collection:** Customer records and support ticket contents. The extraction method (API queries, report exports or Bulk API jobs) is not disclosed.
- **Exfiltration:** Confirmed by the later publication of the dataset; the exfiltration channel is not disclosed.
- **Impact:** Data breach and public extortion.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and loss of customer lifetime value; specific extortion demand amount undisclosed.
- **Data Breach:** 1.7 million unique email addresses, names, phone numbers, physical addresses, and contents of support tickets.
- **Operational:** No service disruption was reported. The exposed ticket contents do create follow-on risk: names, contact details and genuine support history give attackers credible material for targeted phishing of affected customers.
- **Reputational:** High; public exposure of customer data on leak sites and notification via Have I Been Pwned.
## Indicators of Compromise
- **Network indicators:** None disclosed.
- **File indicators:** None disclosed.
- **Behavioral indicators:** None published for this incident. Generic signals for this class of intrusion are unusually large query, report-export or Bulk API volumes against Contact, Account or Case objects; API activity from IP ranges or connected apps not previously seen for that user; and interactive logins by integration (service) accounts that normally authenticate only via API.
## Response Actions
- **Containment:** The data had already been exfiltrated before the extortion demand, so containment could only limit further access; Hallmark's specific steps are not disclosed.
- **Eradication:** Not disclosed. Expected actions for a Salesforce compromise are rotating credentials and OAuth tokens, revoking unrecognized connected apps and sessions, and auditing user and integration permissions.
- **Recovery:** The dataset was loaded into Have I Been Pwned on April 12, 2026, allowing affected users to check their exposure. Hallmark's own customer notification is not described in the source.
## Lessons Learned
- **Cloud Security Posture:** Data stored in third-party SaaS platforms like Salesforce requires stringent access controls and monitoring.
- **Extortion Policy:** Hallmark demonstrated a policy of not paying ransoms, which protects against funding future attacks but results in data exposure.
- **Data Minimization:** The exposure of support ticket contents suggests that historical customer communications were retained in the CRM longer than they were needed; a retention policy that purges or archives closed-ticket bodies would have reduced the blast radius.
## Recommendations
- **Identity & Access Management:** Enforce MFA for all Salesforce users, including administrators, and remember that MFA on interactive login does not cover API access through OAuth tokens and connected apps. Restrict connected apps to admin-approved users, set login IP ranges on profiles, and grant the "API Enabled" permission only to accounts that need it.
- **SaaS Auditing:** Regularly audit Salesforce "Who Sees What" settings and object/field-level security for least privilege, and review who holds broad system permissions such as "View All Data", "Modify All Data" and "Export Reports".
- **Encryption:** Use Shield Platform Encryption or similar tooling to encrypt sensitive PII fields at rest. Note the limitation: field encryption protects against compromise of the storage layer, not against an authenticated user or integration whose permissions already allow reading the field, so it would not on its own have stopped an account-level compromise of this kind.
- **Monitoring:** Use Event Monitoring (or Real-Time Event Monitoring where licensed) to alert on bulk reads, report exports and API activity from unrecognized IP ranges or connected apps, and use Transaction Security Policies to block, not just log, report exports and API queries above a row threshold.
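The behavioral indicators and the monitoring recommendation above both come down to the same detection: bulk reads of customer objects, and access from somewhere a user has never connected from before. The following is an added example, not code from the original report or from Hallmark or Salesforce, showing that logic run over a handful of constructed event rows. The column names follow the style of Salesforce Real-Time Event Monitoring's ApiEvent (Username, SourceIp, Operation, QueriedEntities, RowsProcessed, EventDate), but the rows, the usernames, the IP addresses and the per-user egress allowlist are all invented for the example.

```python
"""Detect bulk customer-data reads and unknown-source API access in
Salesforce-style event rows (added example; sample data is constructed)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import csv
import io
import ipaddress

# Objects whose rows are customer PII in a CRM like the one breached here.
CUSTOMER_OBJECTS = {"Contact", "Lead", "Account", "Case", "EmailMessage"}

# Constructed sample: field names mimic the ApiEvent shape, values are invented.
# The integration account reads ~1.45M customer rows in nine minutes from an
# address outside its known egress range; the support agent's activity is normal.
SAMPLE_EVENTS = """\
EventDate,Username,SourceIp,Operation,QueriedEntities,RowsProcessed
2026-03-02T08:00:00Z,support.agent@example.com,203.0.113.10,Query,Case,40
2026-03-02T08:05:00Z,support.agent@example.com,203.0.113.10,Query,Contact,12
2026-03-02T23:41:00Z,integration.user@example.com,198.51.100.7,QueryMore,Contact,200000
2026-03-02T23:43:00Z,integration.user@example.com,198.51.100.7,QueryMore,Contact,200000
2026-03-02T23:46:00Z,integration.user@example.com,198.51.100.7,Query,Case,150000
2026-03-02T23:50:00Z,integration.user@example.com,198.51.100.7,BulkApiV2,Contact,900000
2026-03-03T09:00:00Z,support.agent@example.com,203.0.113.11,Query,Case,25
"""

# Hypothetical per-user egress allowlist, normally built from login history
# or the corporate NAT ranges and the integration host's fixed address.
KNOWN_EGRESS = {
    "support.agent@example.com": ["203.0.113.0/24"],
    "integration.user@example.com": ["10.0.0.0/8"],
}


@dataclass(frozen=True)
class Alert:
    rule: str
    user: str
    detail: str


def parse_events(csv_text):
    """Parse the CSV into typed dicts sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(csv_text)):
        rows.append({
            "ts": datetime.strptime(r["EventDate"], "%Y-%m-%dT%H:%M:%SZ"),
            "user": r["Username"],
            "ip": ipaddress.ip_address(r["SourceIp"]),
            "op": r["Operation"],
            "entity": r["QueriedEntities"],
            "rows": int(r["RowsProcessed"]),
        })
    rows.sort(key=lambda e: e["ts"])
    return rows


def detect(csv_text, known_egress, window=timedelta(hours=1), row_threshold=100_000):
    """Return alerts for (1) access from outside a user's known networks and
    (2) more than row_threshold customer-object rows read within any window."""
    events = parse_events(csv_text)
    allow = {u: [ipaddress.ip_network(n) for n in nets] for u, nets in known_egress.items()}
    alerts = []

    # Rule 1: unknown source address, reported once per (user, ip) pair.
    seen = set()
    for e in events:
        if not any(e["ip"] in net for net in allow.get(e["user"], [])):
            key = (e["user"], str(e["ip"]))
            if key not in seen:
                seen.add(key)
                alerts.append(Alert("unknown_source", e["user"],
                                    f"{e['ip']} is outside the user's known egress ranges"))

    # Rule 2: sliding-window row volume over customer objects, one alert per user
    # carrying the peak volume seen in any window.
    per_user = defaultdict(list)
    for e in events:
        if e["entity"] in CUSTOMER_OBJECTS:
            per_user[e["user"]].append(e)
    for user, evs in per_user.items():
        start, total, peak = 0, 0, 0
        for i, e in enumerate(evs):
            total += e["rows"]
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["rows"]
                start += 1
            peak = max(peak, total)
        if peak > row_threshold:
            alerts.append(Alert("bulk_read", user,
                                f"{peak} customer-object rows read within {window}"))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, KNOWN_EGRESS):
        print(f"[{a.rule}] {a.user}: {a.detail}")
```

Thresholds are deliberately simple here; in production the row threshold should be set per account from its own baseline (an integration that legitimately syncs a million rows nightly needs a different bound than a support agent), and the egress allowlist should be learned from login history rather than hand-written. Either rule firing on a service account that normally runs from a fixed host is worth an immediate session and token revocation rather than a ticket.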