ShinyHunters listed Baker Distributing Company — a major US HVAC and refrigeration equipment distributor — on its extortion leak site on May 23, 2026, claiming to hold over 260,000 Salesforce CRM records and setting a May 27, 2026 deadline for the company to respond before the data is published publicly.
Baker Distributing’s 260,000 Salesforce Records and the May 27 Leak Deadline
The listing was published on May 23, the same day ShinyHunters disclosed Charter Communications and other organizations as part of the same Salesforce Experience Cloud exploitation campaign. Baker Distributing has not publicly confirmed the breach or issued a customer notification as of the time of reporting.
The 260,000 Salesforce records likely include customer and business contact data accumulated through Baker’s role as a distributor. A company in that sector would hold CRM data for HVAC contractors, commercial building operators, industrial facility managers, and other trade customers — potentially including business account credentials, purchasing histories, and contact directories relevant to facilities management across commercial and institutional sectors.
ShinyHunters’ Salesforce Aura Misconfiguration Exploit, Not a Software CVE
Baker Distributing is part of the same ShinyHunters Salesforce campaign that also claimed Charter Communications. Researchers tracking the operation describe the attack vector as exploiting overly permissive guest user configurations in Salesforce Aura — using a weaponized version of Google’s AuraInspector developer tool to scan and enumerate misconfigured Salesforce Experience Cloud instances. The technique does not exploit a vulnerability in Salesforce’s software code; it exploits organizations’ misconfiguration of Salesforce’s guest user permission settings.
Salesforce published a security advisory on March 7, 2026 warning of the exploitation pattern. Hundreds of organizations had already been compromised by that point, and new victims have continued to be added to the ShinyHunters leak site in batches through May 2026.
Batch Disclosure and ShinyHunters’ Pressure Tactics
ShinyHunters released Charter Communications, Baker Distributing, and other organizations simultaneously on May 23, 2026 — a batch disclosure timed ahead of the May 27 deadline cycle. The simultaneous release of multiple victims creates overlapping public pressure and compresses the available response time for each affected organization.
Baker Distributing’s Position in Building Systems and Critical Facilities Supply Chains
Baker Distributing operates as a supplier to HVAC contractors and commercial building operators with connections to sectors including healthcare facilities, government buildings, and data centers. A compromised distributor CRM can expose data relevant to those downstream facilities — contractor contact information, building service records, account access data — that extends the potential impact of the breach beyond Baker Distributing’s own direct customers.
The May 27 deadline means Baker Distributing faces an imminent decision on whether to acknowledge the breach, engage with ShinyHunters, or allow the data to be published without a company response. No statement from the company was available at the time of publication.
