Stellantis Confirms Customer Contact Data Breach; ShinyHunters Claims ~18M Records

Stellantis — parent company of brands such as Dodge, Ram and Chrysler — confirmed unauthorized access to a third‑party service provider’s platform that supports its North American customer service operations. The automaker says the breach exposed customer contact information but not financial or other sensitive personal data, since those are not stored on the affected third‑party platform.

What happened

• Stellantis detected unauthorized access to a third‑party platform and activated incident response and a comprehensive investigation.
• The company says it is notifying affected customers and authorities and advises caution against phishing or social‑engineering attacks.
• Hacking group ShinyHunters claims to have obtained more than 18 million Salesforce records containing names and contact details, though Stellantis has not confirmed the number or the exact data fields exposed.
• Stellantis has not publicly offered details about the number of affected customers or whether it will provide credit or identity protection services.

What affected customers should do

1. Be alert for unexpected calls, texts or emails asking for personal information — treat them as potential phishing attempts.
2. Do not click links or open attachments from unknown or suspicious messages.
3. Enable multi‑factor authentication (MFA) on accounts where available and use strong, unique passwords.
4. Monitor email and phone accounts for unusual activity and consider enabling alerting on financial accounts.
5. Contact Stellantis support if you receive a suspicious message claiming to be from the company; verify via official channels.

Sources

• Bleeping Computer — Stellantis data breach (ShinyHunters claim)
• TechCrunch — Stellantis says customers’ personal data stolen
• Engadget — Stellantis confirms data breach (no RSS link)

Note: This post summarizes reporting from multiple outlets. Stellantis has stated it will notify affected customers directly and that no financial/sensitive personal data stored on the breached third‑party platform were accessed.