May 18, 2026 · 8 min read
Pitney Bowes Just Confirmed a Single Phished Email Cost Them 8.2 Million Customer Records—ShinyHunters Got In on April 8 and Sold the Data When Negotiations Failed
The 105-year-old logistics giant with $1.9 billion in annual revenue and 600,000 customers worldwide had a budget for phishing-resistant security, an enterprise SSO deployment, and a Salesforce environment that contained the contact data of every business client. None of it mattered. The attacker only needed one employee to click.
The Forty-Eight Hour Breach
On the evening of April 8, an employee at Pitney Bowes—the company that has been making postage meters and shipping software since 1920—opened an email that should not have gotten through. The next morning, the security team noticed unauthorized access in the company's Salesforce environment. According to Pitney Bowes' own statement: "The access occurred the previous evening and resulted from a phishing attack that compromised an employee's email account."
By the time the company secured the environment and revoked the compromised credentials, the attacker—soon identified as the cybercrime crew ShinyHunters—had already pulled what they later claimed was 25 million records from the Salesforce CRM. Have I Been Pwned, which received the leaked dataset for verification, confirmed 8.2 million unique email addresses, accompanied by names, phone numbers, physical addresses, and employment records including job titles.
Pitney Bowes' position is that the data was confined to the Salesforce environment, that no internal systems were touched, and that "no sensitive personal data was accessed." The position depends on how one defines "sensitive." A directory of 8.2 million decision-makers—name, work email, work phone, address, role—is exactly the kind of fuel that powers the next wave of business email compromise attacks against the customers whose data was just leaked.
The Negotiation Window That Closed in Late April
ShinyHunters did not publish the data immediately. The crew operates on a now-familiar timeline: breach the environment, exfiltrate the dataset, contact the victim with a private ransom demand, give them a window to pay, and only publish if the window closes. For Pitney Bowes, that window closed sometime in late April. On April 19, ShinyHunters added Pitney Bowes to the public victim listing on their extortion portal. By late April, the company appeared on Have I Been Pwned's confirmation page with the 8.2 million addresses, which means the full leak had already gone live somewhere public enough to reach Troy Hunt's processing pipeline.
The company has not disclosed the ransom amount it was offered. ShinyHunters' historical pattern is to demand seven figures for datasets of this size—around $1 million to $5 million for a clean Salesforce dump—and to discount aggressively in the final 24 hours before publication. The math the victim runs at that point is whether the dataset, once public, costs more in incident response, customer notification, class actions, and breach-related churn than the ransom does. Pitney Bowes did not pay.
Why "Salesforce Breach" Keeps Meaning "Email Breach"
This is the eighth confirmed Salesforce data theft attributed to ShinyHunters in the last twelve months. The victim list includes Cushman & Wakefield's 50 GB of voice-phished Salesforce records, the Canada Life 12-million-record incident, Hallmark's 1.7 million customer records, and CarGurus' 12 million records—and several others that are not yet public. The pattern is consistent: a single employee credential gets phished, the attacker logs into the customer's Salesforce tenant from a connected app or directly through the web interface, and the entire CRM export goes out the door in a single API session.
Some of those breaches came through voice phishing—calls from someone impersonating IT support, asking the employee to read out a multi-factor code. Pitney Bowes is on the email phishing side of the same playbook. The end state is identical. Once the attacker has the credential and the second factor, the Salesforce tenant trusts the session and exports a 25-million-row CSV as fast as the platform will allow.
The lateral move from "compromised employee mailbox" to "exported customer database" is the recurring theme of 2026. The employee mailbox is the highest-leverage credential in any organization. It receives password reset confirmations, multi-factor codes, SSO challenge approvals, and notifications from every internal system the employee touches. Owning it once means owning everything downstream until somebody notices.
What 8.2 Million Names and Work Emails Become Next
An exposed dataset of business contacts is not a static disclosure event. It is an active raw input into the next campaign. The dataset Pitney Bowes lost contains the role of each contact, which is the single most valuable field for crafting a targeted phishing email. With a job title like "Finance Manager" or "AP Specialist," an attacker can:
- Send a believable invoice phishing email purporting to come from Pitney Bowes itself, citing real account numbers and contact details that the recipient knows are accurate.
- Run business email compromise (BEC) attacks that impersonate the recipient's actual vendor relationships, since the leaked record confirms Pitney Bowes is on the vendor list.
- Stitch the dataset into existing infostealer dumps to enrich credential stuffing campaigns with role context, raising the success rate by an order of magnitude.
- Build a target list for vishing campaigns against the 8.2 million phone numbers, with social-engineering scripts pre-loaded with each contact's role and company.
This is why the "no sensitive personal data" framing matters so much to Pitney Bowes and so little to the 8.2 million people in the file. The downstream attack surface is the same whether the breached record contains a Social Security number or not. The contact data alone is the attack.
The ShinyHunters Pattern Is Becoming the Standard Operating Procedure
ShinyHunters has been operating since at least 2020, and their early breaches were database dumps from misconfigured cloud buckets. The 2025-2026 evolution is a shift to SaaS-platform extortion, particularly Salesforce, where the playbook has scaled to "several hundred" victim organizations according to the group's own claims. The crew works alongside other crews—the Salesloft Drift compromise of 2025 was attributed to overlapping activity—and shares infrastructure with the Scattered Spider cluster.
The economic logic is straightforward. A single phished email account from a midsize Salesforce customer can yield a dataset worth $1 million to $5 million on the extortion market. The phishing operation itself costs less than $100 in infrastructure. The attacker does not need a zero-day. They do not need a supply chain compromise. They need one employee to click one link in one email, on one day, and the rest of the kill chain follows from there. The asymmetry favors the attacker by something like five orders of magnitude.
What You Do If You Are in the 8.2 Million
If you have ever been a customer of Pitney Bowes for shipping software, postage meter leasing, mailing services, or logistics, your work email and role are likely in the leaked dataset. Check Have I Been Pwned. Pitney Bowes also confirmed they sent direct notification to affected customers, which means a real notification email should already have arrived. The catch is that an attacker armed with the same dataset can send a fake notification email that looks identical—Pitney Bowes letterhead, the recipient's correct name and role, the breach disclosed accurately—and route the recipient to a credential-harvesting page.
Three concrete steps reduce exposure for the next few months:
- Treat any "Pitney Bowes" email as suspect until you verify the sender headers. Look at the Return-Path and Authentication-Results headers; legitimate transactional mail from Pitney Bowes will pass DMARC alignment against pitneybowes.com.
- Rotate the password on any account you set up using your Pitney Bowes-linked work email, especially if you reused that password anywhere.
- Watch the inbox for invoice and accounts-payable mail. Anyone in finance at an organization with a Pitney Bowes account is a high-priority target for invoice substitution attacks for the next 90 days.
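The header check from the first step, as an added example that is not part of the original article: it reads the From, Return-Path and Authentication-Results headers of a raw message and reports whether they align with pitneybowes.com. It assumes your own inbound MX stamps its Authentication-Results with the authserv-id `mx.example.net` (a placeholder); any Authentication-Results header carrying a different authserv-id is ignored, because a sender can forge that header. The two messages below are constructed samples, not real Pitney Bowes mail.

```python
import email
import re
from email import policy
from email.utils import parseaddr

def _domain(value):
    """Lowercase domain of an address header value, or '' if absent."""
    _, addr = parseaddr(str(value or ""))
    return addr.rpartition("@")[2].lower() if "@" in addr else ""

def verify_notification(raw_message, trusted_authserv, expected_domain="pitneybowes.com"):
    """Return (ok, reasons). Only the Authentication-Results header stamped by
    our own inbound MX (trusted_authserv) is believed; any other copy may be forged."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    reasons = []
    from_domain = _domain(msg["From"])
    if from_domain != expected_domain:
        reasons.append(f"From domain {from_domain!r} is not {expected_domain}")
    # Return-Path is the envelope sender; a different domain cannot give SPF alignment.
    rp_domain = _domain(msg["Return-Path"])
    if rp_domain != expected_domain:
        reasons.append(f"Return-Path domain {rp_domain!r} is not {expected_domain}")
    dmarc_ok = False
    for ar in msg.get_all("Authentication-Results", []):
        ar = str(ar)
        if ar.split(";", 1)[0].strip() != trusted_authserv:
            continue  # stamped by someone else, possibly the sender; not trusted
        m = re.search(r"\bdmarc=(\w+)(?:[^;]*?header\.from=([\w.-]+))?", ar)
        if m and m.group(1) == "pass" and (m.group(2) or "").lower() == expected_domain:
            dmarc_ok = True
    if not dmarc_ok:
        reasons.append(f"no dmarc=pass for {expected_domain} stamped by {trusted_authserv}")
    return not reasons, reasons

# Constructed samples (placeholder hosts, not real Pitney Bowes mail): aligned vs. spoofed.
LEGIT = """Return-Path: <bounces@pitneybowes.com>
Authentication-Results: mx.example.net; spf=pass smtp.mailfrom=pitneybowes.com; dkim=pass header.d=pitneybowes.com; dmarc=pass (p=reject) header.from=pitneybowes.com
From: Pitney Bowes Security <security@pitneybowes.com>
Subject: Notice of a data security incident
"""
SPOOFED = """Return-Path: <x@attacker.example>
Authentication-Results: mx.example.net; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=pitneybowes.com
Authentication-Results: mail.attacker.example; dmarc=pass header.from=pitneybowes.com
From: Pitney Bowes Security <security@pitneybowes.com>
Subject: Notice of a data security incident
"""
```

Note that the spoofed sample carries a forged `dmarc=pass` under a foreign authserv-id; it is skipped, and the envelope-sender mismatch plus the genuine `dmarc=fail` drive the verdict.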
The Inbox Is the Front Door
Every breach in this category—Pitney Bowes, Cushman & Wakefield, Canada Life, Hallmark, CarGurus, and the dozens of organizations that have not yet been named—has the same first event. An email arrived, an employee clicked, and a credential left the building. Defending the inbox is the highest leverage thing any organization can do, and it is also the place where most defenses are weakest.
The tools that actually slow these attacks are not exotic. Phishing-resistant multi-factor authentication (hardware keys, passkeys), training programs that focus on the specific lure types attackers actually use, sender authentication enforcement (DMARC at reject), and behavioral monitoring of mailbox auto-forwarding rules each remove a step from the kill chain. Pitney Bowes had at least some of these in place. The crew got through anyway, because that is what happens when one attacker has unlimited attempts and the defender has to be right every time.
The next breach of this shape is already in motion at some other Salesforce customer. The phishing email is in the queue right now. The interesting question is not whether it lands; it is which employee opens it first.