A Familiar Name, A Familiar Gang
If you have ever booked a train ticket online, reserved a seat on Amtrak’s app, or reached out to Amtrak’s customer support, your personal information may now be in the hands of cybercriminals.
In mid-April 2026, the notorious hacking group ShinyHunters added America’s national passenger railroad to their growing list of victims, claiming to have stolen millions of records and threatening to publish them publicly unless a ransom was paid. When Amtrak did not pay, the hackers followed through on their threat and dumped the data online.¹
This is not a small breach, and ShinyHunters is not a small-time operation. They are one of the most active and destructive cybercriminal groups operating today, and the way they got into Amtrak’s systems is a cautionary tale worth understanding.
What Was Stolen
ShinyHunters claimed to have obtained 9.4 million Amtrak records via Salesforce, the widely used business software platform, and threatened to leak them publicly unless a ransom was paid. When Amtrak did not meet their demands, the group made good on the threat and published the stolen data.
The breach is now officially confirmed and catalogued. Have I Been Pwned, the widely trusted breach notification service operated by security researcher Troy Hunt, has added the Amtrak breach to its database. The published dataset contained over 2.1 million unique email addresses along with names, physical addresses, and customer support records. Have I Been Pwned is the gold standard for breach verification — if it is in their database, the data is real and the exposure is confirmed.
The discrepancy between the 9.4 million records claimed by ShinyHunters and the 2.1 million unique records confirmed by Have I Been Pwned likely reflects duplicate entries or multiple records tied to the same individuals, a common pattern in Salesforce-related leaks. Notably, approximately 80% of the exposed data had already appeared in previous breaches, meaning many of the affected individuals have been through this kind of exposure before.
How They Got In: Social Engineering
Understanding how ShinyHunters penetrated Amtrak’s systems is important, because the method they used is not unique to this attack. They will use it again.
The hackers reportedly obtained unauthorized access via Salesforce. The gang has previously targeted Salesforce employees via social engineering attacks, allowing them to obtain the access credentials of different companies using the Salesforce platform.
Social engineering is not hacking in the traditional sense. There is no magic code cracking through walls of firewall protection. Instead, the attackers manipulate real human employees into handing over login credentials, often through convincing fake emails, phone calls posing as IT support, or fraudulent password reset requests. Once they had a Salesforce employee’s credentials, ShinyHunters had the keys to data belonging to every company using that employee’s system.
This is the same group that used nearly identical tactics earlier in 2026 against a remarkable list of major organizations. In 2026 alone, ShinyHunters has been linked to data leaks at Cisco, Hallmark, Rockstar Games, and the investment advisory firms Mercer Advisors and Beacon Pointe Advisors.
Should You Be Worried?
If you have ever used Amtrak’s website, app, or customer support, the honest answer is: possibly yes. The compromised data includes names, email addresses, physical addresses, and support ticket records. While payment card data was not confirmed as part of this leak, the combination of personal details that was exposed is more than enough for criminals to attempt targeted phishing attacks, identity fraud, or account takeovers on other platforms where you use the same email address.
Cybernews researchers noted that when personally identifiable information is involved, there is always a chance of social engineering attacks. The impact depends on whether the data belongs to employees or customers, and in Amtrak’s case it could be either, since Amtrak sells train tickets.
What You Should Do Right Now
Check if your email was exposed. Visit haveibeenpwned.com/Breach/Amtrak right now and enter your email address. The Amtrak breach is confirmed in their database, so you will get an immediate answer on whether your information was part of the leak. This is a free service and takes less than thirty seconds.
Watch for phishing emails. Criminals who now have your name and email address may send convincing fake messages appearing to come from Amtrak, travel agencies, or even your bank, using your real name and referencing your travel history to make the scam seem legitimate. Do not click links in unsolicited emails. Navigate directly to any website by typing the address in your browser.
Change your Amtrak password. If you have an Amtrak account, change your password now and make sure it is unique to that account. If you reuse that password anywhere else, change it on every site where it appears.
Enable two-factor authentication. Wherever possible, turn on two-factor authentication for your online accounts, particularly email and banking. As Dr. Tom covered in an earlier column on this topic, two-factor authentication is one of the most effective defenses against account takeovers even when your password has been compromised.
Monitor your accounts and credit. Keep an eye on bank and credit card statements for any unusual activity. If you are concerned about identity theft, consider placing a free credit freeze with the three major credit bureaus: Equifax, Experian, and TransUnion.
The Amtrak breach is a reminder that your personal data is not just at risk from the companies you do business with directly. It is also at risk from every software platform those companies use behind the scenes. One successful social engineering attack on a single Salesforce employee rippled outward to expose millions of ordinary Americans who simply booked a train ticket.
Stay safe out there, and I will see you next week!
Feeling lost in the digital world? Dr. Tom is here to help!
References
- Cybernews. “Hackers Threaten to Leak Over 9M Amtrak Records, Including Personal Info.” April 2026. https://cybernews.com/security/hackers-threaten-amtrak-data-leak/
- Have I Been Pwned. “Amtrak Data Breach.” April 17, 2026. https://haveibeenpwned.com/Breach/Amtrak
- SC Media. “Amtrak Allegedly Breached by ShinyHunters, Massive Data Leak Threatened.” April 2026. https://www.scworld.com/brief/amtrak-allegedly-breached-by-shinyhunters-massive-data-leak-threatened
- Cyber Insider. “Amtrak Data Breach Exposed Information of 2.1 Million Accounts.” April 17, 2026. https://cyberinsider.com/amtrak-data-breach-exposed-information-of-2-1-million-accounts/


