Kemper Corporation Exposes Approximately 270,000 Accounts Following ShinyHunters Breach Claim
Published
Key Takeaways
- Data Compromised: The Kemper Corporation data breach exposed nearly 270,000 unique email addresses and associated details.
- Extortion Campaign: ShinyHunters targeted Kemper Corporation in an April 2026 "pay or leak" ransomware operation.
- Sensitive Data Published: The threat actors ultimately leaked massive datasets, including PII and partial payment card information.
The American insurance holding company Kemper Corporation was explicitly named by the ShinyHunters ransomware group in a severe "pay or leak" extortion campaign in April 2026. The breach notification service Have I Been Pwned (HIBP) added 269.300 unique email addresses to its database on May 28, 2026.
Social Engineering and Data Exfiltration
Following the initial extortion demands, ShinyHunters said it holds at least 29GB of exfiltrated data and over 13 million Kemper records from the company’s Salesforce account. The threat actors claimed this massive dump included internal directory data, comprehensive Salesforce records, and sensitive Stripe payment logs.
The compromised data categories identified in this breach include:
- Email addresses
- Names
- Partial credit card data (specifically the last four digits, expiry dates, and card brands)
- Phone numbers
- Physical addresses
- Purchases
The threat actors allegedly bypassed access controls to compromise Kemper's Salesforce environment through social engineering tactics as part of a broader campaign targeting hundreds of organizations with the same access vector.
Incident Response and Remediation
In response to the data breach, Kemper Corporation officially confirmed the cybersecurity incident. To mitigate the ongoing threat and secure their network perimeter, the organization engaged third-party cybersecurity experts and notified appropriate law enforcement agencies.
Last month, the threat actor said it used the Trivy supply chain compromise to infiltrate Cisco, asserting it gained access to over 3 million Salesforce records containing personally identifiable information (PII), GitHub repositories, AWS buckets, and other private corporate data.
In March, ShinyHunters claimed to have compromised data from Snowflake, Okta, Sony, AMD, Lastpass, and Salesforce via a massive Salesforce intrusion.
In November 2025, ShinyHunters said it stole Salesforce data by infiltrating third-party Gainsight and announced “almost 1,000” victims. Around the same time, the hacking collective Scattered LAPSUS$ Hunters emerged as the new Extortion-as-a-Service cybercriminal alliance.
Among other recent ShinyHunters breaches leveraging the Salesforce incident are the Ameriprise Financial data breach exposing over 502,000 accounts nd the Hallmark data breach exposing 1.7 million customers.
In other news, Carnival Corp recently announced that its April data breach was due to social engineering, following ShinyHunters' claim that it had stolen 8.7 million records from the global cruise operator.
Related
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular
Get expert insights on threats, breaches, scams, and security trends — delivered every Monday.
Most Popular