Pitney Bowes
Third breach in seven years. ShinyHunters compromised their Salesforce environment and walked out with 8.2 million customer records.
What happened?
In April 2026, the ShinyHunters hacking collective compromised Pitney Bowes through unauthorized access to its Salesforce environment. After ransom negotiations failed, ShinyHunters publicly released the stolen data. Have I Been Pwned confirmed the breach on April 27, adding 8,243,989 unique email addresses to its database.
What data was actually inside?
8.2 million unique email addresses, full names, phone numbers, and physical mailing addresses. A subset of records also contained Pitney Bowes employee information including job titles. The data came from their Salesforce CRM—the system that holds customer relationships, support histories, and business contact information.
For a company whose core business is mailing and shipping logistics, the exposed addresses aren't just contact details. They're the foundation of customer shipping operations, business correspondence, and commercial relationships spanning decades.
Who gets hurt and how?
Pitney Bowes serves businesses of all sizes—from small offices using postage meters to enterprises managing global shipping operations. Every one of those 8.2 million email addresses now sits in attacker databases. Phone numbers and physical addresses enable spear phishing, social engineering, and business email compromise.
Exposed employee data compounds the problem. Job titles tell attackers who handles finances, who approves payments, who has system access. This is reconnaissance data for the next attack—not against Pitney Bowes, but against their customers.
What did they think they were doing right?
Pitney Bowes stated they "immediately secured the environment, revoked the compromised access, and engaged leading cybersecurity experts and law enforcement." They also found "no evidence that the activity extended into other Pitney Bowes systems."
This is the third breach in seven years. In 2019, a ransomware attack disrupted operations. In 2020, Maze ransomware hit them again. Each time, they contained it and recovered. The Salesforce environment was supposed to be different: cloud-hosted, enterprise-grade, professionally managed. But cloud hosting only covers the platform. Who can log in, which connected apps hold OAuth tokens, and what data sits in which fields is the tenant's responsibility, and no vendor control stops access that was granted through the tenant's own users and integrations.
What did they not know about their own data?
Salesforce environments accumulate data. Every customer interaction, every support ticket, every sales conversation gets logged. Over years of operation, that CRM instance becomes a repository of business relationships the organization may not fully inventory.
Pitney Bowes claimed "no indication that sensitive personal data was accessed." In most data-protection regimes "sensitive" is a narrow category (health, financial, government identifiers), and that is presumably the sense they meant. But 8.2 million records of name, email, phone number and mailing address is personal data by any definition, and exactly the combination that phishing and business email compromise run on. The gap between what the organization classified as sensitive and what attackers actually took is the inventory problem.
If you use Salesforce, you almost certainly hold the same data types: emails, names, addresses and phone numbers, spread across standard objects like Contact, Lead and Account and across custom fields nobody remembers adding. Do you know which fields contain PII? Salesforce provides Data Classification metadata (a sensitivity level and compliance categorization on each field) for exactly this purpose, but it only reflects what someone has bothered to fill in.
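One way to get a first answer to that question is to walk the field metadata of each object and flag fields that are PII by type (email, phone, address) or by name (SSN, birth date, street, job title). The script below is an added example written for this page, not Pitney Bowes' or Salesforce's code. It assumes input in the shape the sObject Describe REST call returns (a dict with a "fields" list whose entries carry "name", "label" and "type"); the two describes embedded in it are constructed for the example, not pulled from any real org. It goes slightly beyond the text by also flagging long-text fields, where addresses and pasted identifiers tend to end up without any metadata saying so.

```python
"""Inventory PII-bearing fields from Salesforce object describes.

Added example, not Pitney Bowes' or Salesforce's code. Assumes input in the
shape of the sObject Describe REST call: a dict with a "fields" list whose
entries carry "name", "label" and "type". SAMPLE_DESCRIBES is constructed.
"""
import re

# Field types that are PII by construction, whatever they are called.
PII_TYPES = {"email": "email address", "phone": "phone number", "address": "compound address"}

# Types that cannot hold free text, so the name alone tells us nothing.
NON_TEXT_TYPES = {"id", "reference", "boolean", "int", "double", "currency", "percent"}

# Split CamelCase, snake_case and label text into lowercase words, so that
# "MailingCity" becomes "mailing city" while "Capacity__c" never yields "city".
TOKEN_RE = re.compile(r"[A-Z]+(?=[A-Z][a-z])|[A-Z]?[a-z]+|[A-Z]+|\d+")

# Word-level rules applied to the tokenized API name plus label; first match wins.
PII_NAME_RULES = [
    (r"\bssn\b|\bsocial security\b|\bnational id\b|\btax id\b|\bpassport\b", "government identifier"),
    (r"\bdate of birth\b|\bbirth ?date\b|\bdob\b", "date of birth"),
    (r"\bcredit card\b|\biban\b|\baccount number\b", "financial account"),
    (r"\b(first|last|middle) name\b", "personal name"),
    (r"\b(street|city|postal code|zip|state|country)\b", "address component"),
    (r"\btitle\b|\bdepartment\b", "job role (targeting data)"),
]
PII_NAME_RULES = [(re.compile(p), reason) for p, reason in PII_NAME_RULES]


def words(text):
    """Lowercase, space-separated word form of an API name or label."""
    return " ".join(TOKEN_RE.findall(text)).lower()


def classify_field(field):
    """Return why a field is PII-relevant, or None if nothing suggests it is."""
    ftype = field.get("type", "").lower()
    if ftype in PII_TYPES:
        return PII_TYPES[ftype]
    if ftype in NON_TEXT_TYPES:
        return None
    haystack = words(field.get("name", "")) + " " + words(field.get("label", ""))
    for rule, reason in PII_NAME_RULES:
        if rule.search(haystack):
            return reason
    # Long text is where notes, addresses and pasted identifiers end up, and
    # metadata cannot tell you what is inside. Flag it for data sampling.
    if ftype == "textarea":
        return "free text (sample the data)"
    return None


def inventory(describes):
    """Map object name -> [(field API name, reason)] for every flagged field."""
    report = {}
    for describe in describes:
        flagged = []
        for field in describe.get("fields", []):
            reason = classify_field(field)
            if reason:
                flagged.append((field["name"], reason))
        report[describe["name"]] = flagged
    return report


# Constructed describes (a subset of fields), not taken from any real org.
SAMPLE_DESCRIBES = [
    {"name": "Contact", "fields": [
        {"name": "Id", "label": "Contact ID", "type": "id"},
        {"name": "FirstName", "label": "First Name", "type": "string"},
        {"name": "LastName", "label": "Last Name", "type": "string"},
        {"name": "Email", "label": "Email", "type": "email"},
        {"name": "Phone", "label": "Business Phone", "type": "phone"},
        {"name": "MailingStreet", "label": "Mailing Street", "type": "textarea"},
        {"name": "MailingCity", "label": "Mailing City", "type": "string"},
        {"name": "Title", "label": "Title", "type": "string"},
        {"name": "Birthdate", "label": "Birthdate", "type": "date"},
        {"name": "IsDeleted", "label": "Deleted", "type": "boolean"},
        {"name": "Capacity__c", "label": "Capacity", "type": "picklist"},
        {"name": "SSN__c", "label": "Social Security Number", "type": "string"},
        {"name": "Description", "label": "Contact Description", "type": "textarea"},
    ]},
    {"name": "Account", "fields": [
        {"name": "Id", "label": "Account ID", "type": "id"},
        {"name": "Name", "label": "Account Name", "type": "string"},
        {"name": "BillingStreet", "label": "Billing Street", "type": "textarea"},
        {"name": "AnnualRevenue", "label": "Annual Revenue", "type": "currency"},
        {"name": "Website", "label": "Website", "type": "url"},
        {"name": "Shipping_Contact_Phone__c", "label": "Shipping Contact Phone", "type": "phone"},
    ]},
]

if __name__ == "__main__":
    for obj, flagged in inventory(SAMPLE_DESCRIBES).items():
        print(f"{obj}: {len(flagged)} PII-relevant field(s)")
        for name, reason in flagged:
            print(f"  {name:<28} {reason}")
```

Against a real org you would feed it the describe of every queryable object, not just Contact and Account, and treat the output as the starting point for a review rather than the answer: name-based rules miss fields with opaque names, and free-text fields have to be sampled. The point is that the inventory exists before an attacker compiles it for you.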
What does attribution look like the morning after?
ShinyHunters gave Pitney Bowes until April 21 to negotiate. When the deadline passed, the data went public. Now Pitney Bowes faces notification obligations wherever those 8.2 million customers reside: potentially all 50 US states, each with its own attorney general, its own definition of notifiable data and its own timeline, plus GDPR and similar regimes for customers abroad. Whether a name, email and mailing address without an identifier or account number triggers a given statute varies by jurisdiction, which is one more reason to know precisely which data elements left with the records.
For customers, the exposure is already complete. The data is on breach forums, indexed by Have I Been Pwned, available to anyone who wants it. Notification letters will arrive weeks after attackers have already folded the records into phishing target lists and used them to enrich existing credential dumps.
What would have changed the outcome?
Knowing what sensitive data actually lived in that Salesforce environment before attackers found it.
When Pitney Bowes said "no indication that sensitive personal data was accessed," they revealed the classification gap. An organization that had inventoried its Salesforce data—mapped every field, understood what customer information existed where, classified it properly—would have known immediately what was at risk. Instead, they learned the contents of their own systems from a Have I Been Pwned notification.
Third breach in seven years. Same fundamental problem each time: not knowing exactly what data exists in which systems until someone else tells you.
Pitney Bowes found out the hard way.
Your team could spend the next 6 months rebuilding systems, notifying customers, and answering legal questions. Or you could spend 24 hours finding out what's actually at risk.