Abrigo - 711,099 Accounts Breached
- May 14
- 2 min read
Key Findings
ShinyHunters group conducted "pay or leak" extortion campaigns against at least two major companies in April 2026
Abrigo suffered a breach exposing 711,099 records from its Salesforce instance, containing business contact information
Canada Life experienced a separate incident resulting in 237,810 breached records including customer personal data
Both breaches involved similar extortion tactics followed by public data release when demands were not met
Combined incidents exposed nearly one million records across financial services and fintech sectors
Background
ShinyHunters emerged as a significant threat actor in 2026, running coordinated extortion campaigns against multiple organizations. The group's modus operandi involves accessing sensitive data, typically through cloud application vulnerabilities or compromised credentials, then demanding payment with threats to publicly release the information. When targets refuse or fail to pay, ShinyHunters follows through on their threats by publishing the stolen data.
Abrigo Incident
Abrigo, a fintech software company serving financial institutions, fell victim to ShinyHunters in April 2026 when the group gained unauthorized access to their Salesforce instance. The attackers exfiltrated over 711,000 records containing business contact information including institution names, employee names, email addresses, and phone numbers. After the initial extortion demand was not met, ShinyHunters publicly released the dataset. Notably, this breach occurred separately from a previous year's Salesforce compromise at Abrigo involving the Drift application connector, though the data types compromised were consistent between both incidents.
Canada Life Incident
Canada Life, a major insurance and financial services provider, was targeted by the same ShinyHunters group in the same timeframe. The breach exposed over 237,000 unique email addresses alongside names, phone numbers, and physical addresses. Some customer support tickets were also included in the leaked data. Canada Life's official disclosure indicated that only a small proportion of their customer base was affected, though the exact scope remains unclear. Following the public release of data, Canada Life issued alerts warning customers about increased phishing risks, a common secondary threat that materializes after breached data enters the public domain.
Sources
https://haveibeenpwned.com/Breach/Abrigo
https://haveibeenpwned.com/Breach/CanadaLife

Comments