Have I Been Pwned confirms two more ShinyHunters Salesforce extortion victims this week - financial-software firm Abrigo (711K) and insurer Canada Life (237K)

Troy Hunt's Have I Been Pwned added two new ShinyHunters victims this week. Abrigo - a Texas-based fintech that builds risk, compliance, and lending software for thousands of US banks and credit unions - had 711,099 unique email addresses and 1.75 million records lifted from its Salesforce environment in April after refusing to pay the ransom. The Canada Life Assurance Company, one of Canada's largest insurers, had 237,810 accounts confirmed in HIBP from a separate ShinyHunters Salesforce breach. Both fit the pattern of the months-long ShinyHunters mass-extortion campaign that already hit Zara, Woflow, and Instructure, with stolen data sitting in third-party Salesforce tenants rather than the victims' core systems.

Check

Check whether your company has a customer or vendor relationship with Abrigo or Canada Life, search your corporate email domains against Have I Been Pwned, and audit Salesforce Connected Apps and OAuth tokens granted to third-party integrations.

Affected

Customers, lenders, and partners of Abrigo (US community banks, credit unions, lenders) and Canada Life (Canadian insurance, savings, and retirement clients). Any organization with broad Salesforce access for third-party connected apps.

Fix

Rotate Salesforce passwords and API tokens where compromise is suspected, revoke unused Connected Apps in Salesforce setup, enforce MFA on every Salesforce user, and warn affected staff to expect impersonation phishing using the leaked PII.