A threat actor is claiming to sell a database of more than 5.5 million records allegedly tied to Canada Life on an underground cybercrime forum, significantly widening the scope claimed by the criminal group behind the original incident — though the figure remains unverified and sharply contradicts the insurer's own confirmed exposure count.
The new listing, reported by Cybernews researchers who reviewed a data sample published alongside it, appears to involve information consistent with a Salesforce customer relationship management environment. The researchers said the dataset looks legitimate at first glance, though independent verification is not possible at this stage. Canada Life has been contacted for comment.
The development adds a new dimension to an incident Insurance Business reported in April, when Canada Life confirmed that the hacking and extortion group ShinyHunters had accessed personal information belonging to up to 70,000 people through a single compromised employee account.
The two numbers circulating in coverage do not contradict each other but answer different questions. The 70,000 figure is Canada Life's verified count of individuals whose personal data was actually accessed. The 5.5 million figure is the attacker's claim about the broader volume of records reachable within the Salesforce environment, a number Canada Life has not confirmed and that should be treated as unverified.
Security analysts have described this pattern as "extortion inflation" — threat actors deliberately overstating the scale of accessible data to pressure organizations into paying ransoms for records that may not have actually been exfiltrated.
According to the threat actor's posting, the dataset includes names, email addresses, company and department information, job titles, address data, employee identifiers, manager and approver details, user permissions, access control information, and communication preferences. No insurance claims or financial documents appear to be included.
The data structure is described as consistent with a Salesforce CRM export, which aligns with what was established in the original breach. ShinyHunters' pattern across multiple recent incidents has been to compromise a single employee credential, authenticate to the target's Salesforce environment, and bulk-export customer records before issuing a ransom demand. The attack exploits no flaw in Salesforce itself — the platform behaves as designed when presented with valid credentials. The vulnerability is the human account and the absence of controls to detect an unusual bulk export from a single user session.
ShinyHunters first appeared in 2020 and has since been linked to breaches at dozens of major organizations. On April 17, 2026, the group publicly claimed access to eight major companies simultaneously, including Canada Life, and set an April 21 ransom deadline with a pay-or-leak ultimatum before Canada Life's public disclosure.
Security experts have noted that many large insurers still rely on basic passwords or easily phished multi-factor authentication for high-value applications such as Salesforce, rather than phishing-resistant MFA, device checks and conditional access controls. One compromised account, they warn, can cascade into an enterprise-level incident.
Canada Life confirmed in April that the incident involved unauthorized access to certain applications through an employee account, that the incident had been contained, and that regular operations were continuing. The insurer said external cybersecurity experts had been engaged, authorities notified, and that affected individuals would be contacted and offered credit monitoring at no cost. The company described the impact as affecting less than 0.5% of its approximately 14 million Canadian customers.
Canada Life had not responded to Cybernews' request for comment regarding the new listing at the time of publication.
