Light bulb Limited Spots Available: Secure Your Lifetime Subscription on Gumroad!

May 04, 2026 · 8 min read

ShinyHunters Just Leaked Every Email You Ever Sent Hallmark Support—And the 1.7 Million Records Came With Phone Numbers and Mailing Addresses

ShinyHunters set an April 2 deadline. Hallmark let it pass. On April 12, 2026 a 9.59 gigabyte database carved out of Hallmark's Salesforce environment landed on a dark web forum—1.7 million unique customer accounts with names, emails, phone numbers, mailing addresses, and the part that should worry every Hallmark customer most: the full text of every customer support ticket they ever filed.

Stack of pastel greeting card envelopes on a wooden desk, one envelope partially open exposing a faint blue digital data pattern, suggesting personal correspondence converted into leaked data

The Two Step Extortion Hallmark Lost

The intrusion happened on March 9, 2026, when ShinyHunters got into a Salesforce environment shared by Hallmark Cards and the Hallmark Plus loyalty program. According to Salesforce Ben's reporting, the group claimed it had pulled "just under 8 million" Salesforce records. They posted a public ransom note on March 31 with a final warning: respond by April 2, 2026 or watch the data hit the forums "along with several annoying (digital) problems."

Hallmark didn't respond. Salesforce, asked publicly whether its platform was at fault, told Salesforce Ben: "We have no indication at this time that this issue was caused by any vulnerability in our platform." That single line is doing significant work. The breach didn't come from Salesforce's code. It came from the surrounding ecosystem—the OAuth tokens, the SSO logins, the integrations like Salesloft Drift that feed Salesforce instances and have been the vector behind 760 corporate Salesforce thefts since August 2025.

When the deadline passed, ShinyHunters did exactly what they said they would. The 9.59 GB dump went up. Researchers checking the file have so far confirmed 1.7 million unique customer accounts, suggesting the original "8 million records" headline was inflated by duplicates, internal logs, and system metadata.

What's in the 9.59 GB Database

Per researchers who have analyzed the leak, the customer dataset contains:

  • Email addresses—both consumer and corporate accounts
  • Full names tied to those addresses
  • Phone numbers
  • Physical mailing addresses
  • Hallmark Plus loyalty membership data, including history
  • Customer support tickets—the complete contents
  • Internal Hallmark employee data: names, departments, business hours

The first six bullets are the standard breach payload. The seventh is what makes this dump unusually dangerous, and it's the one almost no coverage is leading with.

Customer Support Tickets Are the Phishing Goldmine

A typical breach gives attackers a list. They have your email, your name, maybe your address. To phish you, they need to invent a plausible reason you'd click—"your Amazon shipment is delayed," "your Netflix payment failed," generic stuff that has to fit a million inboxes at once.

A customer support ticket gives attackers a script. They know that you actually contacted Hallmark on a specific date, about a specific order, with a specific complaint. They know what response you got. They know whether the issue was resolved. They can write a follow up email that picks up exactly where the real conversation ended.

"Hi [your real first name], this is Jessica from Hallmark Customer Care. I'm following up on your ticket from [real date] about the [real order] you reported as [real issue]. We've issued you a partial refund—please confirm your payment information at [phishing URL]." This isn't theoretical. It's the same pattern of "BPO context theft" that turned the Crunchyroll TELUS breach and the Adobe Mr. Raccoon support ticket leak into ongoing phishing campaigns weeks after each leak.

The economic difference is enormous. A spray phishing campaign converts at well below 1 percent. A context aware phishing campaign with a verifiable real ticket as the hook routinely converts at 5 to 15 percent. Hallmark just handed 1.7 million scripts to whoever bought the file.

This Is the Same Salesforce Campaign That Has Been Running for Eight Months

Hallmark is the latest casualty in a continuous ShinyHunters operation that has been chewing through Salesforce customer instances since August 2025. The pattern is well documented at this point:

  • August 2025—Salesloft Drift: ShinyHunters stole OAuth tokens from the Drift AI chat agent's Salesforce integration and used them to lift roughly 1.5 billion records across 760 customer organizations.
  • September 2025 to early 2026—Experience Cloud (Aura): The group exploited misconfigured guest user access in Salesforce's Experience Cloud, hitting 300 to 400 organizations.
  • January 2026—Vishing campaign (UNC6661): Voice phishing operators called employees at targeted firms pretending to be IT, harvested SSO credentials, and used them to register their own MFA devices. Canada Life, Carnival's Mariner Society, and ADT all fell to the same playbook.
  • March 2026—Hallmark: Same group, same general approach, public extortion, public deadline, public dump.

Whether Hallmark fell to OAuth token theft, vishing, or a Drift style supply chain compromise has not been publicly confirmed. What is clear is that the broader campaign is still ongoing, the methods are working, and the Salesforce ecosystem—not Salesforce's core platform, but the permission grants and integrations layered on top of it—is the recurring weak point.

What Hallmark Customers Should Do

The breach window is March 9, 2026 backwards. If you've ever bought a card, signed up for Hallmark Plus, or contacted Hallmark customer service, treat your data as exposed.

  1. Treat any "Hallmark" email arriving over the next six months as a phishing lure first. Never click links in those emails. Type the URL directly if you actually need to log in.
  2. Watch for hyper personalized scams that reference real past tickets. If an email mentions a specific complaint or order, that doesn't make it real—the leak contains the historical ticket text. Verify by phoning Hallmark's published customer service number.
  3. Beware of phone calls. The same data set gives scammers your phone number plus the script to use. A "Hallmark refund team" caller who knows your real complaint is not real—Hallmark won't call you about an issue from 2024.
  4. Set up email aliasing for new signups going forward. Apple Hide My Email, Firefox Relay, or DuckDuckGo Email Protection isolate which retailer breached your address when the next dump lands.

The Real Story Is What's in the Tickets

It's tempting to file Hallmark next to the dozens of other ShinyHunters Salesforce victims and move on. The number—1.7 million—is unimpressive next to Carnival's 7.5 million or Canada Life's 5.6 million. The customer base skews older and less online than the typical breach demographic.

But the support ticket trove is what should pull this one out of the noise. Customer service interactions are some of the most candid pieces of writing people produce online—people complain, share grievances, mention family, attach photos of broken products, give context they would never put in a Twitter post. That corpus, attached to verified contact details, is the highest quality input for AI assisted phishing campaigns of any leak this year. The 159,378 unique deepfake scams Gen Threat Labs counted in Q4 2025 alone are about to find a brand new training set.

Hallmark's customers will not be the ones who suffer most from the breach. The phishing crews now sitting on a 9.59 GB ledger of grievances and contact details will be the ones who profit. The customers will just absorb the consequences.

Stop Email Tracking in Gmail

Spy pixels track when you open emails, where you are, and what device you use. Gblock blocks them automatically.

Try Gblock Free for 30 Days

No credit card required. Works with Chrome, Edge, Brave, and Arc.