ShinyHunters Claims 200GB Ameriprise Data Breach, Sets March Deadline

The message posted to the dark web on March 22 was blunt: "Make the right decision, don't be the next headline." ShinyHunters, the extortion group responsible for a string of high-profile breaches, had just named Ameriprise Financial, Inc. as its latest claimed target, asserting possession of roughly 200GB of sensitive data and giving the Minneapolis wealth management giant three days to respond before a threatened leak.

In the dark-web post, ShinyHunters claimed to hold Ameriprise Financial Salesforce records containing customer personally identifiable information and over 200GB of compressed SharePoint internal data. The group labelled the communication a "final warning," setting a hard deadline of March 25, 2026 for Ameriprise to make contact. The post was updated on March 23, reinforcing the threat with language warning of "several annoying (digital) problems" should the company fail to respond.

Ameriprise Financial is a Minneapolis-based diversified financial services company providing wealth management, asset management, and retirement solutions that manages over $1.17 trillion in assets. The scale of what ShinyHunters claims to hold, if verified, would represent a significant breach of one of the country's largest financial services firms.

The claim, however, remains unverified. The attackers allege that Salesforce records containing personally identifiable information (PII) and more than 200GB of compressed SharePoint internal corporate data have been compromised, but threat intelligence analysts note the post provided no supporting evidence. The leak page contained zero accompanying images and zero downloadable files, with no ransom amount disclosed. Industry monitoring listings attached to the ShinyHunters post carry an explicit verification alert: "Listings attributed to SHINYHUNTERS have been reported as including unverified or fabricated victim claims. Treat this post as unconfirmed until corroborated with independent evidence."

It appears ShinyHunters may have once again used data from its earlier Salesforce campaign; if the claims are true, the attackers gained access to Ameriprise's Salesforce environment. ShinyHunters previously targeted Salesforce, threatening to pursue hundreds of its customers if the company refused to pay a ransom.

ShinyHunters has recently claimed attacks against Bumble, dating apps Hinge, Match, and OkCupid, as well as two heavyweight U.S. investment advisory firms, Mercer Advisors and Beacon Pointe Advisors. Just this week, the gang also threatened to reveal all data stolen from Infinite Campus, a widely used supplier of a popular Student Information System.

The March 25 deadline has now passed with no public statement from Ameriprise acknowledging or denying the claim. Cybernews reached out to Ameriprise Financial for comment. No response from the company has been made public. Dark web monitoring sites reported the breach on March 22, 2026, though little confirmed information is yet available about the nature of the intrusion or the specific data involved.

This would not be Ameriprise's first data security incident: in April 2025, the company informed thousands of customers that an ex-employee's mistake revealed their personal details. That prior episode adds context to an institution that ShinyHunters has now singled out in what, if substantiated, would be a far larger and more deliberate compromise.