Hackers threaten to leak over 9M Amtrak records, including personal info


The National Railroad Passenger Corporation, better known as Amtrak, has been claimed as a victim by the prolific hacking group ShinyHunters. The attackers are threatening to leak millions of records if America’s national passenger railroad company refuses to pay a ransom.

Amtrak’s name recently appeared on ShinyHunters’ dark web blog, where the attackers claimed they had obtained 9.4 million of the company’s records via Salesforce. Earlier this year, the hacker group obtained access via social engineering attacks against the victim company’s employees.

“Over 9.4M Salesforce records containing PII and other internal corporate data have been compromised. Pay or leak,” the attackers wrote on their blog.

ShinyHunters threatens to leak the railroad company’s data on April 14th, with a ransom payment being the only way to stop the leak. So far, the attackers have not provided any data samples, making it impossible to either verify their claims or investigate the types of data they may have accessed.

ShinyHunters' post on the dark web. Image by Cybernews.

Hacker groups often threaten victims before releasing data samples. ShinyHunters has followed a similar script since the gang started posting organizations impacted by the Salesforce attacks.

Data leaks that involve personally identifiable information (PII) often increase cybersecurity risks for individuals involved. For one, attackers can later exploit leaked details for identity theft or phishing attacks.

“When PII is involved, there's always a chance of social engineering attacks. The impact depends on whether the data in question belongs to the company employees or customers. In Amtrak's case it could be either, since Amtrak sells train tickets,” the Cybernews research team explained.

Meanwhile, corporate data leaks can help cybercriminals plan future attacks. Threat actors often look for ways to penetrate corporate systems without being noticed, and any insight into how organizations operate provides new avenues for attack.

“Corporate data in this context could mean anything from internal employee training documents to financial records. Corporate details can reveal business partnership details, and other sensitive data,” the team said.

Amtrak is America’s primary passenger railroad company, operating intercity rail service in the country. With over 22,000 employees, Amtrak reported over $2.7 ticket revenue last year.

We have reached out to Amtrak for comment and will update this article once we receive a reply.

Why are ShinyHunters behind so many attacks?

ShinyHunters has dominated cybersecurity headlines in 2026. After successfully obtaining credentials to Salesforce environments from victim companies’ employees, the hacking group managed to access records of hundreds of companies.

Businesses and organizations often use Salesforce for customer service, marketing automation, analytics, and other services. What type of data ShinyHunters accessed depends on how Salesforce’s clients were using the platform.

Earlier this week, cybercrooks dumped a large dataset, supposedly taken from Rockstar Games, the company behind one of the most successful video games in history, Grand Theft Auto.

The gang is also behind an attack on Cisco Systems, the greeting cards and social expression products maker Hallmark, and US investment advisory firms Mercer Advisors and Beacon Pointe Advisors.

Updated on April 16th [08:15 a.m. GMT] to reflect the accurate flow of the Salesforce attack chain.

