ShinyHunters Sets April 21 Deadline for Canada Life Assurance: 5.6 Million Salesforce Records at Risk

dark6 21 April 2026

The notorious cybercriminal group ShinyHunters has claimed responsibility for a massive data breach targeting The Canada Life Assurance Company, one of Canada’s largest insurance and financial services providers. The group alleges it has exfiltrated over 5.6 million Salesforce records containing personally identifiable information (PII), setting a ransom deadline of April 21, 2026 — today — before threatening to publicly leak the data.

What Was Exposed

According to information posted by ShinyHunters on their leak site, the stolen dataset contains an enormous volume of Salesforce CRM records tied to Canada Life’s customer base. The compromised data reportedly includes:

  • Full names and dates of birth
  • Mailing addresses and gender information
  • Annual income levels
  • Account identifiers and insurance policy metadata

Canada Life, for its part, has confirmed a cybersecurity incident but places the scope of directly compromised customer records at approximately 70,000 individuals — a significant discrepancy from ShinyHunters’ claimed 5.6 million figure. The company stated that the majority of affected accounts belonged to a single large corporate client, and that hackers accessed the data through a compromised Canada Life employee account.

ShinyHunters’ Expanding Salesforce Campaign

This breach is far from an isolated incident. ShinyHunters has been conducting an aggressive, sustained campaign targeting Salesforce Experience Cloud environments since early 2026. Researchers at Help Net Security reported in March that the group exploited misconfigured Salesforce Aura endpoints to harvest data from hundreds of organisations worldwide.

The modus operandi involves identifying publicly accessible Salesforce Community portals where guest user permissions are over-provisioned, allowing unauthenticated or lightly authenticated access to sensitive object records. With these misconfigurations in place, ShinyHunters can exfiltrate large volumes of CRM data without ever needing to compromise Salesforce’s core infrastructure directly.

The group has claimed breaches of over 400 companies through this campaign, with victims spanning financial services, retail, healthcare, and education sectors. Other high-profile targets identified in recent months include McGraw-Hill, Zara parent Inditex, Rockstar Games, and several major Canadian financial institutions.

Canada Life’s Response

Canada Life issued a public statement acknowledging the breach and confirming that it has notified affected customers and relevant Canadian privacy regulators, including the Office of the Privacy Commissioner. The company says it has implemented additional security controls, engaged external incident response specialists, and is conducting a full forensic review of the compromised access pathway.

Critically, Canada Life asserts that no banking or payment card information was exposed in the incident, and that the breach was limited to insurance and profile-related records rather than transactional financial data. Nevertheless, the combination of names, dates of birth, addresses, and income information is more than sufficient for identity theft, social engineering, and targeted phishing campaigns.

The Ransom Deadline

ShinyHunters posted to their dark web leak site with a hard deadline of April 21, 2026, threatening to release the full dataset publicly if Canada Life failed to meet their undisclosed ransom demand. As of the time of writing, it remains unclear whether Canada Life has engaged with the threat actors or whether the data has been released. Security researchers are monitoring the group’s leak site for any new postings.

This approach — setting a public countdown to pressure victims — has become a signature tactic of ransomware and data extortion groups. It creates reputational urgency and places victims in an impossible position: paying the ransom offers no guarantee that data won’t be sold or released anyway, while refusal risks massive public exposure.

What Organisations Should Do

Security professionals and Salesforce administrators are strongly advised to take the following steps in light of this ongoing campaign:

  • Audit all Salesforce Experience Cloud and Community portals for guest user permission misconfigurations
  • Review Salesforce sharing rules, object-level permissions, and field-level security settings
  • Enable Salesforce Shield Event Monitoring to detect anomalous data access patterns
  • Enforce IP allowlisting for Salesforce API access where possible
  • Conduct a threat hunt for indicators of compromise associated with ShinyHunters TTPs
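
The first two checks in the list above can be partly automated. The following is an added example, not code from Canada Life, Salesforce or the article's sources: it reviews an export of object permissions and flags what guest-user profiles can reach. The permission columns follow Salesforce's ObjectPermissions fields; the flattened `ProfileName` and `UserType` columns, the profile names, the `Policy__c` object and the sensitive-object list are assumptions made for the sample.

```python
import csv
import io

# Constructed sample: rows shaped like an export of ObjectPermissions joined
# to the owning profile. Profile names, objects and values are made up.
SAMPLE_EXPORT = """ProfileName,UserType,SobjectType,PermissionsRead,PermissionsEdit,PermissionsViewAllRecords
Customer Portal Guest,Guest,Knowledge__kav,true,false,false
Customer Portal Guest,Guest,Contact,true,false,false
Customer Portal Guest,Guest,Case,true,true,false
Customer Portal Guest,Guest,Policy__c,true,false,true
Claims Agent,Standard,Contact,true,true,false
"""

# Assumption: objects this org treats as holding PII; adjust to the data model.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Policy__c"}


def _flag(value):
    """Interpret the export's 'true'/'false' strings as booleans."""
    return value.strip().lower() == "true"


def audit_guest_permissions(export_text, sensitive=SENSITIVE_OBJECTS):
    """Return (profile, object, reasons) findings for guest-user profiles."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["UserType"] != "Guest":
            continue  # only unauthenticated site users are in scope
        reasons = []
        if _flag(row["PermissionsViewAllRecords"]):
            reasons.append("view-all bypasses sharing rules")
        if _flag(row["PermissionsEdit"]):
            reasons.append("guest can modify records")
        if _flag(row["PermissionsRead"]) and row["SobjectType"] in sensitive:
            reasons.append("read access to a sensitive object")
        if reasons:
            findings.append((row["ProfileName"], row["SobjectType"], reasons))
    return findings


if __name__ == "__main__":
    for profile, obj, reasons in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"{profile}: {obj}: {'; '.join(reasons)}")
```

Object-level read access alone does not mean records are exposed: sharing rules and field-level security decide which records and fields a guest actually sees, so treat each finding as an item to review rather than a confirmed leak.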

The Canada Life breach underscores the systemic risk posed by misconfigured SaaS platforms. As organisations continue to expand their use of cloud CRM systems to manage sensitive customer data, attackers like ShinyHunters are proving that the weakest link is often not the platform itself, but how it has been configured and secured by the organisation deploying it.
