Hackers leak and sell Hallmark stolen data weeks after ransom ultimatum


Data allegedly stolen from Hallmark Cards, Inc. is already circulating across cybercrime forums, just weeks after a ransomware group threatened to release millions of records tied to the company.

At the beginning of April, ShinyHunters, a prolific cybergang, threatened Hallmark Cards, Inc., and Hallmark Plus with the release of nearly 8 million records of private corporate and customer data. The attackers set an April 2nd deadline for the company to respond.

Attackers commonly name victim companies on their communication channels to apply pressure, and it is not uncommon for negotiations to fail, after which the gangs seek revenge by publicly releasing the stolen data or reselling it on underground markets.

Dataset leaked by ShinyHunters. Screenshot by Cybernews

That appears to be the case here. Whether Hallmark engaged in negotiations remains unclear, but the dataset attributed to the company has been published on ShinyHunters’ leak site.

At the same time, a separate threat actor, operating under a different alias, has listed what appears to be the same data for sale on a hacking forum.

Our researchers have investigated the data samples provided with the listing on the hacker forum. They also analyzed the entire dataset leaked on the ShinyHunters website and can confirm that the data matches, indicating a single source behind both exposures.

Cybernews has repeatedly reached out to the company for comment, but has not yet received a response.

Data sample on hacker forum. Screenshot by Cybernews
Entry on hacker forum. Screenshot by Cybernews

What Hallmark data was leaked?

Samples reviewed by our researchers suggest the breach includes both customer and internal company data.

A data sample shared on the hacker forum contains limited user records, including:

  • Metadata
  • Account flags
  • Home addresses
  • Phone numbers, in some cases

Additional records appear to originate from customer feedback forms.

“User feedback form records do not contain explicit data referring to specific people – they contain a rating, additional comments, and other metadata,” our researchers explained.

However, the broader dataset published by ShinyHunters appears significantly more extensive. According to our researchers, it includes:

  • Customer email addresses
  • Corporate email accounts
  • Employee names
  • Departments where they work
  • Business hours
  • Customer support tickets

How could Hallmark data be exploited?

While the initial forum sample suggests limited exposure, the full dataset significantly increases the potential risk.

Our researchers warn that the combination of customer and employee data creates fertile ground for fraud, identity theft, and credential-harvesting campaigns, especially when cross-referenced with previously leaked datasets.

This type of data can be weaponized in phishing campaigns, allowing attackers to craft highly convincing messages that mimic legitimate support interactions.

“Customer support tickets reflect issues that people encounter with Hallmark on a daily basis, and how the company handles them,” our researchers said.

“This creates a perfect scenario for highly targeted phishing towards the company’s customers.”

As of now, the full scale of the breach remains unclear, but the appearance of matching data across multiple underground sources suggests that the incident has already moved beyond initial extortion and into active exploitation.

ShinyHunters continues to hit big targets

According to ShinyHunters’ claim, the currently leaked Hallmark data is from Salesforce.

However, it cannot be confirmed whether this is a new breach or whether the data theft is tied to last year’s Salesforce heist, which was claimed by a conglomerate of three gangs, Scattered LAPSUS$ Hunters. ShinyHunters is a member of the trio.

The Salesforce attacks have affected over 700 other companies, including Cloudflare, Zscaler, Palo Alto Networks, Google, Allianz Life, TransUnion, Farmers Insurance, Air France, and KLM.

The primarily English-speaking extortion group is known for many high-profile attacks. This year, the gang hit Dutch telecommunications giant Odido and the European Commission. The gang is also behind the attacks on Cisco Systems, GTA creators Rockstar Games, and US investment advisory firms Mercer Advisors and Beacon Pointe Advisors.
