Claimed Kemper Salesforce breach surfaces

A hacking group named ShinyHunters claimed that Kemper Insurance suffered a breach exposing about 13 million Salesforce records, raising questions about policyholder data exposure. The claim appeared on social channels and underscores data security concerns for firms that use third-party CRMs and shared platforms. (x.com)

A hacking group calling itself ShinyHunters says it stole more than 13 million Salesforce records from Kemper, an insurance company that serves more than 4.5 million policies. (dexpose.io) The claim appeared on or around April 12, 2026, on the group’s leak site, which listed Kemper and threatened to publish data unless demands were met by April 14. Kemper had not posted a public statement or a new United States Securities and Exchange Commission incident filing on its investor site as of April 14. (redpacketsecurity.com, investors.kemper.com)

What is known so far comes from the attackers’ claim, not from Kemper or Salesforce. The leak-site posts summarized by multiple security outlets say the data allegedly includes personal information and internal corporate material stored in Salesforce. (dexpose.io, redpacketsecurity.com)

Salesforce is a customer-record system that companies use to store contact details, service notes, and other business data in one place. If an attacker gets broad access to that system, the result can look less like a server outage and more like someone walking off with a filing cabinet. (salesforce.com)

This claim lands after months of warnings about attacks tied to Salesforce environments. Salesforce said on March 7, 2026, and updated on March 11, 2026, that threat actors were exploiting overly permissive Experience Cloud guest-user settings to query data that should not have been public. (salesforce.com) In those cases, Salesforce said the problem was not a flaw in the core platform. The company said the risk came from customer configurations that let anonymous visitors query Salesforce data through the Aura endpoint without logging in. (salesforce.com)

Security reporting over the past year has tied ShinyHunters to a broader wave of Salesforce-related extortion. BleepingComputer reported in October 2025 that the group had launched a leak site for 39 victims and said those attacks had already affected companies including Google, Cisco, Qantas, Adidas, Allianz Life, Farmers Insurance, and Workday. (bleepingcomputer.com)

BleepingComputer also reported in March 2026 that Salesforce and Mandiant were tracking scans and attempted intrusions involving a modified AuraInspector tool. Salesforce told customers to audit guest-user permissions, disable guest access to public application programming interfaces, and review logs for unusual queries. (bleepingcomputer.com, salesforce.com)

For Kemper customers, the unanswered question is not whether a post appeared on a leak site, but whether the claimed records are authentic and what fields they contain. Kemper’s own privacy materials say it handles nonpublic personal information for insurance customers, including information collected through policies and related services. (kemper.com, kemper.com)

Kemper says it has about $12 billion in assets and serves more than 4.5 million policies, which gives the claimed record count a scale that would reach well beyond a narrow internal system. Until Kemper confirms or disputes the post, the story remains a public extortion claim attached to a company that holds large volumes of customer data. (investors.kemper.com)
