Baker Distributing ShinyHunters Salesforce data-extortion leak (2026)
After negotiations stalled, the ShinyHunters extortion crew published data it claimed to have stolen from Baker Distributing's Salesforce and SharePoint systems, exposing more than 100,000 customer email addresses and contact records.
- Victim
- Baker Distributing Company
- records
- 102.9K
On or around 7 June 2026, the data-extortion group ShinyHunters made good on a threat and published a trove of data it claimed to have stolen from Baker Distributing Company β one of the largest U.S. wholesale distributors of HVAC, refrigeration, and foodservice equipment, and a business unit of Watsco. The leak followed failed negotiations after the company was added to the group's "pay or leak" site in May.
What happened
ShinyHunters listed Baker on its leak site on 23 May 2026, claiming to hold more than 260,000 Salesforce records and setting a negotiation deadline of 27 May. When that deadline passed without payment, the group published the data in early June. Cybernews researchers who reviewed the dataset reported that most of the exposed material appears to have originated from SharePoint repositories alongside the Salesforce records, comprising internal business documentation and customer contact information.
Have I Been Pwned subsequently indexed the breach at 102,935 affected accounts, drawn from the roughly 103,000 unique email addresses in the leak. Exposed fields included names, physical addresses, phone numbers, and support tickets relating to Baker's HVAC contractor customer base β largely corporate contact and support data rather than highly sensitive personal records.
Impact
- ~103,000 unique email addresses exposed; HIBP indexes 102,935 affected accounts.
- ShinyHunters claimed more than 260,000 Salesforce records in total.
- Exposed data: names, addresses, phone numbers, and support tickets, plus internal SharePoint documents.
- No ransom is known to have been paid; the data was published after negotiations stalled.
Why it matters
The Baker leak fits the broader SaaS data-extortion pattern ShinyHunters has run through 2025β2026, in which attackers steal data from cloud platforms such as Salesforce and then pressure victims directly rather than deploying file-encrypting ransomware. Even when the stolen data is mostly business contact information of "limited sensitivity," publication still hands competitors and downstream scammers a clean, structured customer list β a reminder that the value of a leak is not only in how sensitive each field is, but in how complete and ready-to-use the dataset is.
Timeline
ShinyHunters lists Baker Distributing Company on its 'pay or leak' site, threatening to release over 260,000 Salesforce records unless negotiations begin.
The negotiation deadline set by ShinyHunters passes without payment.
ShinyHunters publishes data it says came from Baker's Salesforce and SharePoint infrastructure, including roughly 103,000 unique email addresses with names, addresses, phone numbers, and support tickets.
Have I Been Pwned indexes the Baker Distributing breach at 102,935 affected accounts.
Sources
- cybernews.comhttps://cybernews.com/security/baker-distributing-ransomware-salesforce-sharepoint-leak/
- haveibeenpwned.comhttps://haveibeenpwned.com/Breach/BakerDistributing
- redpacketsecurity.comhttps://www.redpacketsecurity.com/baker-distributing-102-935-breached-accounts/
- dataproof.co.zahttps://www.dataproof.co.za/index.php/2026/06/07/baker-distributing-102935-breached-accounts/