-
Hackers say they released over 13 million Kemper records after failed negotiations.
-
Attackers reportedly accessed 29GB of data through a compromised Salesforce account.
-
Exposed data may increase risks of identity theft, phishing, and further cyber intrusions.
Kemper Corporation has surfaced on the dark web after the hacking group ShinyHunters allegedly published millions of stolen records linked to the company.
The attackers claim they released the data after negotiations with the insurer broke down, escalating concerns about the scale and impact of the incident.
The company acknowledged the claims and confirmed that it has launched an investigation into the alleged breach. While the full extent of the exposure remains unclear, early findings suggest that both corporate and personal data may have been compromised.
Hackers Publish Data After Failed Negotiations
ShinyHunters posted the alleged Kemper dataset on its dark web platform late on April 15, following several days of warnings. The group had threatened to release the information if the company failed to reach an agreement, and it now claims it followed through on that threat.
According to the attackers, they extracted at least 29GB of data from Kemper’s Salesforce environment. Earlier campaigns linked to the same group show a pattern of targeting Salesforce accounts by deceiving employees into handing over login credentials through social engineering tactics.
Kemper responded by confirming awareness of the situation and initiating a formal investigation. A company spokesperson explained that the insurer moved quickly after detecting the issue.
“We recently identified a cybersecurity incident and immediately launched a comprehensive investigation with the support of external cybersecurity specialists, while also informing law enforcement authorities. Our operations continue without disruption, and we remain fully capable of serving our customers as the investigation progresses,” the company stated.
Kemper, which generates roughly $5 billion in annual revenue and employs around 10,000 staff, has not yet confirmed whether the leaked data is authentic.
Leaked Dataset Includes Employee and Payment Information
Cybersecurity researchers analyzed a sample of the leaked data and identified four main folders: SharePoint, Azure, Salesforce, and Salesforce objects. Each folder appears to contain different categories of internal and user-related information.
The SharePoint files mostly contain internal corporate materials, including workflow documentation and employee training resources dating back to around 2021. Researchers consider this portion of the data relatively low in sensitivity.
However, the Azure and Salesforce folders raise more serious concerns. These datasets reportedly include personally identifiable information such as employee names, email addresses, and job roles. Attackers could use this information to craft targeted phishing campaigns, particularly against employees with elevated access privileges.
The dataset also contains logs connected to Stripe, a payment processing platform used by many organizations. Some of these logs include customer names, payment amounts, timestamps, and transaction statuses, such as whether payments were completed or canceled.
Researchers clarified that the exposed logs do not appear to include highly sensitive financial details. “Several files were labeled as Stripe logs, but the non-empty entries primarily contained internal identifiers, timestamps, and user-related data. We did not observe any direct payment method details,” the research team noted.
Even without credit card information, experts warn that the combination of personal and transactional data could still enable fraud attempts and social engineering attacks.
ShinyHunters Expands Widespread Cyber Campaign
ShinyHunters continues to dominate cybersecurity headlines in 2026, with Kemper appearing to be one of many victims in a broader campaign. The group has focused heavily on exploiting Salesforce environments, gaining access to multiple organizations by manipulating employees into revealing credentials.
Because many companies rely on Salesforce for customer management, analytics, and internal operations, a single compromised account can expose large volumes of sensitive data. ShinyHunters’ targeting of corporate data isn’t limited to insurers, the group recently claimed theft of 3 million Cisco records and set a deadline for the data’s release, demonstrating that the hackers are systematically targeting major corporations across industries, from technology giants like Cisco to insurance companies like Kemper.
The extent of each breach often depends on how the affected organization uses the platform.
Recent reports link the group to other major incidents, including a large data dump allegedly tied to Rockstar Games, the developer behind the Grand Theft Auto franchise. The attackers also claimed responsibility for breaching the National Railroad Passenger Corporation (Amtrak), where they reportedly accessed more than nine million records.
The Kemper incident highlights the growing risks tied to credential-based attacks and third-party platforms. As organizations continue to depend on integrated digital systems, attackers increasingly exploit human error rather than technical vulnerabilities to gain entry.
Kemper’s investigation remains ongoing, and the company has yet to confirm the full scope of the breach. Meanwhile, cybersecurity experts urge organizations and individuals to remain vigilant, especially when handling unexpected communications that could signal phishing attempts.
