Yes — CFGI (cfgi.com) was breached. The financial consulting and advisory firm now appears on Have I Been Pwned with 248,235 accounts from a March 2026 ShinyHunters “pay-or-leak” extortion campaign targeting the company’s Salesforce environment.
HIBP added the breach on June 18, 2026. Exposed data includes corporate contact information — email addresses, names, phone numbers, and physical addresses — useful to attackers crafting targeted fraud against CFGI clients and finance teams.
We scanned cfgi.com to assess email and domain security posture after this CRM leak.
What Happened
According to Have I Been Pwned:
- March 2026 — ShinyHunters targeted CFGI in a pay-or-leak extortion campaign.
- The group publicized data allegedly obtained from CFGI, including 248,235 unique email addresses.
- Associated fields include names, phone numbers, and physical addresses.
- HIBP added the breach on June 18, 2026.
CFGI provides financial consulting, transaction advisory, and accounting services to middle-market companies — making its CRM contact database valuable for BEC, invoice fraud, and impersonation of advisory staff.

Breach Impact at a Glance
| Field | Detail |
|---|---|
| Victim | CFGI (cfgi.com) |
| Sector | Financial consulting & advisory |
| Threat actor | ShinyHunters |
| Source system | Salesforce (alleged) |
| Accounts affected | 248,235 |
| Breach period | March 2026 |
| Added to HIBP | June 18, 2026 |
| Data types | Emails, names, phone numbers, addresses |
Data at Risk
Exposed records may include:
- Corporate contact directories with direct-dial numbers
- Email addresses for partners, clients, and staff
- Physical addresses for social-engineering pretexting
- Relationship metadata mapping advisory teams to client accounts
Advisory firms are frequent business email compromise targets because a single convincing spoof can redirect closing funds or confidential financial packages.

Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit of cfgi.com on July 5, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| cfgi.com | 64% | 75% | 15% | 45% | Above Average |
Key findings:
- 64% overall (Above Average) — better than many ShinyHunters victims, but still below the 100% ideal.
- 75% Identity & Spoofing — relatively strong DMARC/SPF posture compared to peers in this wave.
- 15% Transport Security — persistent MTA-STS/TLS-RPT gap shared across most victims in this campaign.
- 45% Website Security — room to improve public-site transport headers.
Strong identity helps, but transport weaknesses still leave mail paths vulnerable to downgrade — and leaked CRM contacts fuel convincing phishing regardless of SPF scores.
Audit link: cfgi.com audit
Priority Actions
- Treat unexpected CFGI invoice, engagement-letter, or wire requests as suspicious until verified by phone.
- Rotate passwords on any CFGI portal account and enable MFA.
- Advisory and CPA firms should review financial services AG breach trends.
- See the ShinyHunters April roundup and HIBP 2026 tracker.
Sources: HIBP — CFGI · EmailMeNow audit — cfgi.com