Hallmark data breach exposed information of 1.7 million accounts

A newly surfaced dataset tied to Hallmark has been added to the Have I Been Pwned (HIBP) breach notification service.

The leaked data exposed the personal information of approximately 1.7 million users following an alleged March 2026 intrusion, claimed by the ShinyHunters extortion group. The threat actors previously claimed they exfiltrated data from Salesforce systems and later published it after ransom demands were not met.

Hallmark, an American company best known for its greeting cards, media properties, and digital services, operates a broad ecosystem that includes retail products, television content, and its Hallmark+ streaming platform. The company has not yet issued a public statement addressing the alleged breach, nor confirmed whether Salesforce was indeed the point of compromise.

According to HIBP, the compromised dataset contains a range of personally identifiable information (PII), including:

• Email addresses
• Full names
• Phone numbers
• Physical mailing addresses
• Customer support tickets

The data spans users of both Hallmark’s primary services and its Hallmark+ streaming platform.

New breach: Hallmark was allegedly breached in March with attackers accessing Salesforce and publishing data this week. It exposed 1.7M unique email addresses with name, phone, physical address & support tickets. 82% were already in @haveibeenpwned. More: https://t.co/mqgYJC0mdo

— Have I Been Pwned (@haveibeenpwned) April 12, 2026

The incident was first brought to light by the ShinyHunters group, a well-known cybercrime collective with a history of high-profile data breaches and extortion campaigns. The group listed Hallmark on its leak site, claiming that over 7.9 million records were obtained. However, HIBP’s analysis identified 1.7 million unique email addresses within the dataset.

HIBP independently ingested and analyzed the leaked data, applying the platform’s standard validation mechanisms to verify its authenticity. While inclusion in HIBP does not serve as formal confirmation from the affected organization, it indicates that the data closely matches real user accounts associated with Hallmark systems. Impacted individuals are now receiving breach notifications if they are subscribed to HIBP alerts.

The reference to Salesforce suggests the attackers may have targeted a cloud-based customer relationship management (CRM) environment, a common repository for sensitive customer data such as contact information and support interactions.

The exposure of support tickets, in particular, raises additional concerns, as these records can sometimes include sensitive contextual information shared by users during troubleshooting or account recovery.

Users who believe they may be affected should take immediate precautions, such as monitoring for phishing attempts, as attackers often leverage leaked contact details to craft convincing scam messages. Changing passwords and enabling multi-factor authentication (MFA) on Hallmark-related accounts and any other services where the same credentials were reused is strongly advised.