
Kemper Corporation, a major American insurer, has been posted on the ShinyHunters hacker gang’s dark web blog. The attackers claim that negotiations with the company failed, leading them to leak over 13 million records, apparently including personal information. Kemper confirmed the company is investigating the data leak claims.
- ShinyHunters claim to have leaked over 13 million Kemper records on the dark web, supposedly after failed negotiations.
- Attackers say they stole at least 29 GB of Kemper data from the company’s Salesforce account.
- The alleged Kemper breach is part of a wider ShinyHunters campaign targeting hundreds of organizations.
- Exposed Kemper personal and corporate data could enable identity theft, social engineering attacks, and further intrusions into victim networks.

ShinyHunters posted alleged Kemper data on its dark web site in the late hours of April 15th. The hacker group had threatened to leak the insurer's data for several days previously, citing failure to reach an agreement as the reason for uploading stolen records.
The company told Cybernews that Kemper is aware of attacker claims and has launched an investigation into the matter.
“We recently became aware of a cybersecurity incident and immediately began a thorough investigation with the help of third-party cybersecurity experts, and notified law enforcement. There has been no disruption to our operations or our ability to serve our customers. Our investigation remains ongoing,” the company said.
ShinyHunters claims it has at least 29 GB of data, stolen from Kemper’s Salesforce account. Earlier this year, the hackers compromised multiple Salesforce accounts by tricking company employees into revealing their access credentials through social engineering.
With around $5 billion in revenue, Kemper is among the top insurers in the United States, keeping around 10,000 employees on its payroll.
What records did hackers expose in the Kemper data leak?
The Cybernews research team investigated the data sample that the attackers attached to their dark web post. According to our team, the dataset included four folders: SharePoint, Azure, Salesforce, and Salesforce objects.
The SharePoint folder included internal corporate documents that reveal internal workflows, along with employee training materials. Our team considers the information not very sensitive; it covers a period from around 2021.
Meanwhile, the Azure folder did include personally identifiable information (PII), such as employee email addresses, full names, and their roles. At least in theory, attackers could exploit this type of information to carry out social engineering attacks, targeting staff with high-level admin access.
Similarly, the Salesforce folder revealed lists of employee data with PII. The last folder included logs from the payment-processing software Stripe. Some of the logs had payment schedules, which contained customers' full names, timestamps, amounts of money paid, and whether the transaction was canceled or not.
“There were a number of files that were named as Stripe logs. However, those that were not empty mainly contained internal identifiers, timestamps, and user info. No more explicit payment method info was found,” our team explained.
Why are ShinyHunters behind so many attacks?
ShinyHunters has dominated cybersecurity headlines in 2026. After successfully obtaining credentials to the Salesforce environment from its employees, the hacking group accessed records for hundreds of Salesforce client companies.
Businesses and organizations often use Salesforce for customer service, marketing automation, analytics, and other services. What type of data ShinyHunters accessed depends on how its clients were using the platform.
Earlier this week, attackers dumped a large dataset supposedly taken from Rockstar Games, the company behind one of the most successful video games in history, Grand Theft Auto.
Another recent victim on ShinyHunters' hit list is the National Railroad Passenger Corporation, better known as Amtrak, with threat actors claiming access to over 9 million records from America’s primary passenger railroad services provider.
Did Kemper Corporation confirm the data breach?
Kemper Corporation confirmed to Cybernews that it is aware of the incident and has launched a thorough investigation with the help of third-party cybersecurity experts. The company has also notified law enforcement.
What specific data was stolen in the Kemper leak?
According to our researchers, the leaked dataset includes internal corporate documents, employee training materials (dating back to 2021), employee PII (full names, emails, job roles), and Stripe payment logs containing customer names, transaction amounts, timestamps, and payment status.
Were customer credit card numbers or payment details exposed?
No explicit payment method information (such as credit card numbers or bank account details) was found in the analyzed samples.
How did ShinyHunters breach Kemper's systems?
The breach is part of ShinyHunters' ongoing Salesforce credential theft campaign. The gang uses social engineering tactics to trick employees into revealing their Salesforce login credentials. Once inside, they can access customer records, payment data, and internal documents.
Updated on April 16th [01:55 a.m. GMT] with a statement from Kemper and our team's analysis of the details posted on the dark web.