Amtrak Data Breach

Status: Confirmed / Data Published
Records: 2.1M+
Breach: Apr 2026
Data Posted: Apr 2026

Breach Overview

  • Threat Actor: ShinyHunters
  • Vector (Reported): Compromise of Amtrak's Salesforce instance (consistent with ShinyHunters' 2025–2026 vishing → SSO → Salesforce exfiltration playbook)
  • Date of Breach: April 2026 (exact date not specified in available reporting)
  • Public Release: April 2026 (data published after extortion attempt)
  • Initial Claim: 9.4M records
  • Verified Dataset Size: 2.1M unique email addresses
  • Added to HIBP: April 17, 2026

Summary

In April 2026, ShinyHunters claimed to have breached Amtrak, the U.S. national passenger rail service, by compromising the company's Salesforce instance. The group threatened to leak over 9 million records and, after extortion demands were not met, published the dataset publicly.

The released data contains over 2 million unique email addresses along with customer names, physical addresses, and customer support records. The support records reportedly include travel habits and preferences, raising the social-engineering value of the dataset well beyond a standard contact-info dump.

This is Amtrak's third publicly disclosed customer-data incident in six years, following credential-stuffing attacks against Amtrak Guest Rewards accounts in 2020 and 2024. The 2026 incident differs structurally — it involves a direct compromise of Amtrak systems rather than reuse of credentials previously stolen elsewhere.

The data is now indexed and searchable across breach intelligence platforms.

About Amtrak

Amtrak (officially the National Railroad Passenger Corporation) is the U.S. national passenger rail operator, founded in 1971 and headquartered in Washington, D.C. Its services and footprint include:

  • Train ticket purchases and reservations
  • Amtrak Guest Rewards loyalty program
  • Customer support, trip management, and refunds
  • Operations across 46 U.S. states, three Canadian provinces, 500+ stations, and 21,000 miles of track
  • Approximately 21,700 employees and ~$3.6B in annual revenue

If you have purchased an Amtrak ticket, registered for Guest Rewards, contacted Amtrak customer support, or used the platform to plan travel — your data may be included in this breach.

Data Points Exposed

Verified fields in the released dataset:
  • Email addresses
  • Full names
  • Physical addresses
  • Customer support tickets / support records
  • Travel habits and preferences (embedded within support records)

Not confirmed in this dataset:
  • Passwords (plaintext or hashed)
  • Payment card data
  • Date of birth
  • Amtrak Guest Rewards account numbers
  • Gift card numbers / PINs

Note: The fields listed under "Not confirmed" were exposed in Amtrak's separate 2024 Guest Rewards incident but are not reported as part of this 2026 dataset.

Attack Pattern: ShinyHunters Salesforce Campaign

If reporting is accurate, this breach follows ShinyHunters' established 2025–2026 playbook used across at least 15 organizational compromises.

The method:

  • Voice phishing (vishing) call impersonating internal IT
  • Target told an MFA or SSO refresh is required
  • Victim directed to highly customized phishing landing page
  • Real-time credential and MFA harvesting
  • Login to Okta, Microsoft Entra, or Google Workspace SSO dashboard
  • Data exfiltration from connected platforms — most often Salesforce

Public reporting attributes the Amtrak compromise specifically to a Salesforce instance breach, matching the exfiltration phase of this pattern.

Other organizations breached via the same model in this window include CarGurus, Betterment, Panera, Figure, Optimizely, Crunchbase, and Canada Goose.
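
For defenders, the last two steps of the playbook above (an SSO dashboard login, then exfiltration from a connected platform) can be correlated in logs. The following detection rule is an added example, not taken from the reporting or from any vendor; the event schema, the per-user IP baseline, the one-hour window and the row threshold are all assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=1)   # assumed correlation window
ROW_THRESHOLD = 50_000        # assumed bulk-export threshold (rows)

# Constructed events in a hypothetical normalized schema; this is not a real
# Okta, Entra, Google Workspace or Salesforce log format.
KNOWN_IPS = {"agent1": {"192.0.2.10"}, "agent2": {"192.0.2.20"}}
EVENTS = [
    ("2026-04-02T09:00:00", "agent1", "sso", "login", "198.51.100.7", 0),
    ("2026-04-02T09:05:00", "agent2", "sso", "login", "192.0.2.20", 0),
    ("2026-04-02T09:10:00", "agent1", "crm", "export", "198.51.100.7", 30_000),
    ("2026-04-02T09:15:00", "agent2", "crm", "export", "192.0.2.20", 80_000),
    ("2026-04-02T09:20:00", "agent1", "crm", "export", "198.51.100.7", 30_000),
    ("2026-04-02T10:00:00", "agent3", "sso", "login", "203.0.113.5", 0),
    ("2026-04-02T10:05:00", "agent3", "crm", "export", "203.0.113.5", 200),
    ("2026-04-02T11:30:00", "agent3", "crm", "export", "203.0.113.5", 90_000),
]

def find_suspicious_exports(events, known_ips, window=WINDOW, threshold=ROW_THRESHOLD):
    """Alert when an SSO login from an IP not in the user's baseline is followed,
    within `window`, by CRM exports from that IP totalling >= `threshold` rows."""
    risky = {}    # (user, ip) -> time of the unfamiliar-IP login
    totals = {}   # (user, ip) -> rows exported inside the window so far
    alerts = []
    for ts_raw, user, src, action, ip, rows in sorted(events):
        ts = datetime.fromisoformat(ts_raw)
        key = (user, ip)
        if src == "sso" and action == "login":
            if ip not in known_ips.get(user, set()):
                risky[key], totals[key] = ts, 0
        elif src == "crm" and action == "export" and key in risky:
            if ts - risky[key] > window:
                continue  # too long after the login to correlate
            before = totals[key]
            totals[key] += rows
            if before < threshold <= totals[key]:  # fire once, on crossing
                alerts.append({"user": user, "ip": ip, "rows": totals[key],
                               "login": risky[key].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious_exports(EVENTS, KNOWN_IPS):
        print(alert)
```

On the constructed events only agent1 is flagged: agent2's larger export comes from a baseline IP, and agent3's large export falls outside the window, which shows the two blind spots a rule of this shape has.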

Impact

This breach carries elevated risk due to travel pattern data tied to identifiable individuals, high-value customer support history usable as pretexting material, a long-tenured rail customer base including frequent business and government travelers, and email + physical address pairing useful for both digital phishing and physical mail-based fraud.

Primary downstream threats:
  • Targeted phishing referencing prior trips, refunds, or complaints
  • Pretexting calls impersonating Amtrak customer support
  • Credential stuffing against reused passwords (especially Amtrak Guest Rewards)
  • Loyalty-point theft — points are easily resold or converted to tickets on dark web markets
  • Identity theft leveraging address + travel metadata

Travel and loyalty platforms intersect with payment, identity, and physical-location data. That increases exploitation value.

Recommended Actions

⚠️ Do not assume this is low sensitivity.

Change Passwords
  • Amtrak account immediately
  • Any account sharing similar credentials — especially Amtrak Guest Rewards

Enable Multi-Factor Authentication
  • Email accounts first
  • Amtrak Guest Rewards
  • Any travel or loyalty program account

Watch for Travel-Themed Scams
  • "Refund" or "trip compensation" emails referencing past travel
  • Fake Amtrak support follow-ups requesting verification
  • Loyalty-point "expiration" or "balance update" messages

Monitor Loyalty Points
  • Amtrak Guest Rewards points have been targeted in prior incidents
  • Less-frequent travelers may not notice point theft for months

Be Alert for Long-Term Abuse
  • Customer support records can fuel pretexting attacks well after the breach window
  • Travel pattern data has a long usable shelf life

Check Your Exposure
  • Confirm via HIBP whether your email is in the dataset
  • Consider a full review across other ShinyHunters 2025–2026 victims

Amtrak Statement Summary

As of late April 2026, Amtrak has not issued a comprehensive public statement specifically addressing the 2026 Salesforce breach (per available reporting at time of writing).

Context from prior incidents:

  • In the 2024 Guest Rewards incident, Amtrak confirmed unauthorized access via previously stolen credentials and explicitly stated there was no hack of Amtrak systems in that case
  • Amtrak reset compromised account passwords and reverted unauthorized email changes in 2024
  • Affected individuals were notified via the Massachusetts AG breach disclosure process in 2024

The 2026 incident is materially different: it involves a direct compromise of an Amtrak-controlled platform (Salesforce) rather than credential reuse.

A formal Amtrak statement on the 2026 breach is expected as the investigation progresses.

Prior Incidents

May 2024: Amtrak Guest Rewards credential-stuffing attack. Disclosed to Massachusetts AG on June 14, 2024. Compromised data included names, contact info, Guest Rewards account numbers, dates of birth, partial credit card numbers and expirations, gift card numbers and PINs, and trip/transaction information. In some cases attackers changed account emails and passwords to lock users out; Amtrak later reverted those changes.

2020: Amtrak Guest Rewards breach in which "some personal information may have been viewed." Threat actor reportedly removed from systems within hours; password resets issued.

The repeated Amtrak victimization (2020, 2024, 2026) reflects elevated targeting of travel and loyalty platforms.

ObscureIQ Advisory

This incident fits a broader campaign targeting SSO and CRM infrastructure through social engineering rather than technical exploitation. Organizations with heavy reliance on centralized identity providers and Salesforce as a customer-data backbone are currently high-value targets. Threat actors have publicly noted the resale value of loyalty program data, and travel metadata remains useful for targeting long after the initial leak.

If you are an ObscureIQ client, we can:
  • Cross-reference exposure across travel, loyalty, and identity datasets
  • Evaluate whether your travel metadata or support history increases targeting risk
  • Harden executive, government, or frequent-traveler accounts