Home > Security > Security News

Hallmark Data Breach Exposes 1.7 Million Customers via Salesforce Compromise, Including Hallmark+ Records

Published
Written by:
Lore Apostol
Lore Apostol
Cybersecurity Writer
Salesforce
Summarize with:
ChatGPT logo ChatGPT Claude.ai logo Claude.ai Google AI logo Google AI Grok logo Grok Perplexity logo Perplexity
Google logo Add as preferred source on Google
Key Takeaways
  • Data exposure: The March 2026 Hallmark data breach compromised 1.7 million unique email addresses and associated personal identifiers through a Salesforce attack.
  • Extortion: Threat actors published exfiltrated datasets after the established ransom demands expired, including support ticket information.
  • Multi-platform impact: The compromised dataset encompasses customer records from both Hallmark and the Hallmark+ streaming platform.

A Hallmark data breach in March 2026 exposed 1.7 million customer records after ShinyHunters exfiltrated and published user datasets obtained by compromising the organization's Salesforce cloud infrastructure. 

The set of unique email addresses from both Hallmark and the Hallmark+ streaming service was added to the Have I Been Pwned (HIBP) breach intelligence platform on April 12, 2026. The data was leaked after the extortion demands expired. 

Salesforce Compromise

ShinyHunters exploited the organization's Salesforce environment to extract comprehensive customer databases from Hallmark Cards, Inc., and Hallmark+ streaming service subscribers. Initially, the ransomware group threatened to release nearly 8 million records of PII and private corporate data.

ShinyHunters | Source: Dominic Alvieri on X
ShinyHunters | Source: Dominic Alvieri on X

The HIBP datasets contain critical personally identifiable information (PII), such as:

Risk Assessment

Given the shared infrastructure between Hallmark+ streaming services and primary retail network operations, affected users face heightened exposure to advanced persistent threat vectors. Standard best practices recommend that users change their passwords. 

Early this month, an alleged Cisco breach was linked to the Trivy supply chain compromise, with ShinyHunters claiming to have obtained 3 million Salesforce records. In March, ShinyHunters claimed a data compromise involving Snowflake, Okta, Sony, AMD, LastPass, and Salesforce via a massive Salesforce breach. 

ShinyHunters claimed the Salesforce data breach via third-party Gainsight, announcing “almost 1,000” victims. A February Mandiant report outlined the group’s extortion tactics, vishing, and SSO compromise of target cloud environments.

Add a Comment
Related
Canis C2 Surveillance Framework Exposed API Discovered Targeting Japan
Main Suspect in €6 Million Swedish Bank Scam with At Least 25 Victims Extradited from the US to Sweden
8 Tech Giants' CSAM Reporting Deficiencies Investigated Following NCMEC Documented Findings
Cyber Job Moves: New Hires, Role Shifts, and Leadership Changes Across Cyber
Top Cybersecurity News of the Week: Impersonation, Vulnerabilities, and AI Rewire The Cyber Playbook as Governments and Industry Respond
NHS Scotland Domain Breached to Host Adult Content and Illegal Sports Streams, Exposing Infrastructure Vulnerabilities
Most Popular
NordVPN UI changes remove P2P category in latest update
NordVPN Removes Dedicated P2P Servers, Confirms Support Shift
Canis C2 Surveillance Framework Exposed API Discovered Targeting Japan
Main Suspect in €6 Million Swedish Bank Scam with At Least 25 Victims Extradited from the US to Sweden
8 Tech Giants' CSAM Reporting Deficiencies Investigated Following NCMEC Documented Findings
Cyber Job Moves: New Hires, Role Shifts, and Leadership Changes Across Cyber
Top Cybersecurity News of the Week: Impersonation, Vulnerabilities, and AI Rewire The Cyber Playbook as Governments and Industry Respond
NordVPN Removes Dedicated P2P Servers, Confirms Support Shift
Canis C2 Surveillance Framework Exposed API Discovered Targeting Japan
Main Suspect in €6 Million Swedish Bank Scam with At Least 25 Victims Extradited from the US to Sweden
8 Tech Giants' CSAM Reporting Deficiencies Investigated Following NCMEC Documented Findings
Cyber Job Moves: New Hires, Role Shifts, and Leadership Changes Across Cyber
Top Cybersecurity News of the Week: Impersonation, Vulnerabilities, and AI Rewire The Cyber Playbook as Governments and Industry Respond

Most Popular
NordVPN UI changes remove P2P category in latest update
NordVPN Removes Dedicated P2P Servers, Confirms Support Shift
Canis C2 Surveillance Framework Exposed API Discovered Targeting Japan
Main Suspect in €6 Million Swedish Bank Scam with At Least 25 Victims Extradited from the US to Sweden
8 Tech Giants' CSAM Reporting Deficiencies Investigated Following NCMEC Documented Findings
Cyber Job Moves: New Hires, Role Shifts, and Leadership Changes Across Cyber
Top Cybersecurity News of the Week: Impersonation, Vulnerabilities, and AI Rewire The Cyber Playbook as Governments and Industry Respond
NordVPN Removes Dedicated P2P Servers, Confirms Support Shift
Canis C2 Surveillance Framework Exposed API Discovered Targeting Japan
Main Suspect in €6 Million Swedish Bank Scam with At Least 25 Victims Extradited from the US to Sweden
8 Tech Giants' CSAM Reporting Deficiencies Investigated Following NCMEC Documented Findings
Cyber Job Moves: New Hires, Role Shifts, and Leadership Changes Across Cyber
Top Cybersecurity News of the Week: Impersonation, Vulnerabilities, and AI Rewire The Cyber Playbook as Governments and Industry Respond

TechNadu keeps you informed with the latest in cybersecurity, VPNs, and technology. From expert guides to in-depth reviews, we provide the knowledge you need to stay secure and connected in the digital world.

© 2026 TechNadu. All Rights Reserved. TechNadu is a part of Leaprove Media LLP.

Close lightbox
Facebook
Twitter
Linkedin
Reddit
Email
Copy Link
For a better user experience we recommend using a more modern browser. We support the latest version of the following browsers: For a better user experience we recommend using the latest version of the following browsers: