
Hallmark data leak surfaces online following ShinyHunters ransom threat

Data allegedly stolen from Hallmark Cards Inc., a U.S.-based greeting card and social expression products company, is now circulating on cybercrime forums, weeks after a ransomware group threatened to release millions of records linked to the company.



The hacking group ShinyHunters claimed in early April that it had obtained nearly 8 million records belonging to Hallmark and its affiliated services, setting an April 2 deadline for a response. The group has since published the dataset on its leak site, while a separate threat actor has listed what appears to be the same data for sale on an underground forum.


Analysis of data samples and the full dataset indicates that both sources originate from the same breach, suggesting a single compromise that has moved beyond initial extortion efforts into broader distribution. It remains unclear whether Hallmark engaged in negotiations with the attackers.


The exposed data includes a mix of customer and internal company information. Samples shared on forums contain limited user records such as metadata, account flags, home addresses and, in some cases, phone numbers. Additional entries appear to stem from customer feedback submissions.


The larger dataset published online is significantly more extensive, containing customer email addresses, corporate email accounts, employee names, departmental details, business hours and customer support tickets. The inclusion of internal communications and operational data increases the potential for misuse.


Security risks associated with the leak include identity theft, fraud and highly targeted phishing campaigns. The presence of customer support records may enable attackers to craft convincing messages that mimic legitimate interactions, increasing the likelihood of successful social engineering attempts.


The origin of the breach has been linked by the attackers to Salesforce systems, though it remains unconfirmed whether the incident is part of a broader campaign targeting the platform or tied to earlier claims involving multiple hacking groups.


ShinyHunters has been associated with a series of high-profile cyber incidents, including attacks on major corporations and institutions across multiple industries. The group has followed a pattern of publicly naming victims, issuing deadlines and releasing or monetizing stolen data when demands are not met.


© 2025, Lyonsdown Limited. teiss® is a registered trademark of Lyonsdown Ltd. VAT registration number: 830519543