The Amtrak data breach is drawing renewed attention. A new entry in the Have I Been Pwned database followed the public leak claim. ShinyHunters said it had accessed Amtrak’s systems. It also claimed to have taken millions of customer records. This is reported by the railway transport news portal Railway Supply.

How the Amtrak data breach reached HIBP

The allegation surfaced days earlier. ShinyHunters said it had obtained “over 9.4 million Salesforce records containing PII and other internal corporate data” from Amtrak, as reported by CyberInsider. The group has previously been linked to attacks on Salesforce environments. It has also been linked to efforts to pressure victims into negotiations before stolen information is published. In this case, it said talks with the company collapsed. The data was then released.

Troy Hunt later added the incident to the breach notification service, according to Have I Been Pwned. He did so after downloading and reviewing the leaked material. The HIBP listing says the exposed dataset includes about 2.1 million unique email addresses. It also lists names, street addresses, and customer support ticket data. Several validation checks suggest the material is authentic. Still, HIBP says its appearance there should not be treated as official confirmation by Amtrak. In other words, the HIBP entry followed the public leak claim. It did not amount to confirmation from Amtrak.

What the exposed records may contain

Formally named the National Railroad Passenger Corporation, Amtrak is the main provider of intercity passenger rail travel in the United States. According to Amtrak’s FY 2024 company profile, it serves more than 30 million customers each year through a national network. The company operates a mix of long-distance, regional, and high-speed rail services. That makes it a significant holder of customer travel and support data.

ShinyHunters cited 9.4 million records. HIBP identified 2.1 million unique email addresses. The gap likely reflects duplicate entries. It may also reflect multiple records linked to the same individuals. That is a common pattern in Salesforce-related data leaks. Also, HIBP said roughly 80% of the exposed information had already appeared in earlier breaches.

Phishing and social engineering risks after the leak

ShinyHunters is known for intrusions involving cloud CRM systems, especially Salesforce. The group is often described as relying on weaknesses such as misconfigurations, compromised credentials, or third-party integrations to gain entry. Once access is obtained, customer databases and internal records are typically extracted. Ransom negotiations then begin. If no agreement is reached, the data is then posted on leak sites or underground forums.

Meanwhile, Amtrak had not publicly acknowledged the incident. At the time of writing, it also had not verified that the leaked data was genuine.

The exposed information may create opportunities for targeted phishing or social engineering attempts. Users should remain cautious about unsolicited messages, especially those that mention travel details or customer support interactions. They should also avoid clicking links or downloading attachments from unfamiliar sources.
