Pitney Bowes — Salesforce CRM phishing breach, ShinyHunters dump
ShinyHunters publicly dumped 8.2 million Pitney Bowes customer records harvested from a Salesforce CRM compromised via a phishing-stolen employee email account.
- Target: Pitney Bowes — Salesforce CRM phishing breach, ShinyHunters dump
- Date public: 28 April 2026
- Sector: Technology
- Attack type: Phishing
- Threat actor: ShinyHunters
- Severity: High
- Region: United States / global
On 28 April 2026 The Register reported that mailing-, shipping- and document-services provider Pitney Bowes had confirmed unauthorised access to records inside its Salesforce customer-relationship-management environment. Pitney Bowes told The Register the intrusion occurred on the night of 8 April and “resulted from a phishing attack that compromised an employee email account.” The compromised email account was the foothold; Salesforce was the target.
The day before The Register’s report, Have I Been Pwned listed the dataset and recorded 8,243,989 unique email addresses, alongside names, phone numbers and physical addresses. ShinyHunters had previously listed Pitney Bowes on its extortion portal as part of a broader spree, and after the company declined to negotiate, the attackers published the full dataset openly.
The Pitney Bowes incident sits inside the wider ShinyHunters Salesforce-linked campaign already in this index via Salesloft/Drift. The same actor cluster has, across April 2026, dumped data from Medtronic, Carnival, Mytheresa, Zara, 7-Eleven, Udemy, Canada Life and around forty other organisations, all routed through Salesforce CRM environments downstream of the August 2025 Drift OAuth-token theft. The Pitney Bowes intrusion vector — a phishing-compromised employee email leading to CRM data theft — fits that pattern rather than indicating a separate campaign.
A deep-dive will follow once the full record taxonomy, regulator disclosures, customer-notification scope, and any independent corroboration of ShinyHunters’s claimed record count are publicly documented.
Controls that would have helped
Defender controls catalogued in the Controls Desk that would have changed the outcome of this incident, or limited its blast radius. Sourced from regulator and framework guidance — never vendors.
- Phishing-resistant MFA on every privileged account: Hardware keys or platform authenticators on admin, cloud-root, HR-system, CRM and customer-data accounts. SMS one-time codes do not count as MFA against a serious adversary.
- Maintain a critical-third-party register, with exit plans for each: Most large breaches start at a vendor you wouldn't have called critical. Maintain a register of who can hurt you, what data they hold, and how you survive when they fail.