High

Amtrak Breach: 2.1M Emails, Names & Addresses Exposed (2026)

In April 2026, the hacking group ShinyHunters claimed they had breached Amtrak. The group typically compromises organisations' Salesforce instances before demanding a ransom and later, if not paid, dumping the data publicly. They subsequently published the alleged data which contained over 2M uniqu...

Overview

In April 2026, the notorious hacking group ShinyHunters claimed responsibility for breaching Amtrak’s systems. The group’s typical method involves compromising Salesforce instances used by organizations, demanding a ransom, and then publicly dumping the stolen data if payment is not made. As reported in the Amtrak Ransomware Claim by ShinyHunters (April 2026), the group followed this pattern, releasing a dataset containing over 2.1 million unique customer records.

What Was Exposed

The published data includes several types of personally identifiable information (PII). The primary data points are:

  • Email Addresses: Over 2.1 million unique email addresses.
  • Full Names: The names associated with the email accounts.
  • Physical Addresses: The home or mailing addresses of affected customers.
  • Customer Support Records: Additional details from support interactions, which could contain other sensitive information shared during communications.

Potential Impact

The exposure of this combination of data significantly increases the risk for affected individuals. With a name, email, and physical address, cybercriminals can launch highly targeted phishing campaigns, impersonate Amtrak or other trusted entities, and attempt credential stuffing attacks on other accounts. The physical address data elevates the risk of targeted physical fraud, such as fake debt collection letters or other mail-based scams. This breach provides criminals with the foundational information needed for identity theft and sophisticated social engineering.

Recommendations

If you have an Amtrak account or have used their services, take these steps immediately:

  1. Change Your Amtrak Password: Immediately update your password on Amtrak.com. Use a strong, unique password that you do not use anywhere else.
  2. Enable Multi-Factor Authentication (MFA): If Amtrak offers MFA (also called two-factor authentication), enable it. This adds a critical layer of security beyond just a password.
  3. Beware of Targeted Phishing: Be extremely cautious of emails claiming to be from Amtrak, travel agencies, or financial institutions. Do not click on links or open attachments in unsolicited messages. Verify communications by contacting the company directly through official channels.
  4. Monitor Financial Statements: While payment data was not listed in this leak, remain vigilant for any unauthorized transactions.

How to Check If You’re Affected

This breach has been reported to and verified by the free service Have I Been Pwned. You can check if your email address was included in this breach by visiting: https://haveibeenpwned.com/Breach/Amtrak. Simply enter your email address to see if it was compromised.

Security Insight

This breach highlights the critical risk posed by third-party SaaS platforms like Salesforce, which, when compromised, can become a single point of failure for customer data. The ShinyHunters group’s repeated success with this tactic, as seen in other cybersecurity news, suggests many organizations may not be adequately securing their cloud-based customer relationship management systems. It underscores that a company’s security is only as strong as the weakest link in its extended digital ecosystem, including all integrated third-party services.
