Aman Resorts CRM data is indexed by leaksear.ch as 283,251 records tied to an April 2026 breach, exposing guest and contact profile data including emails, names, addresses, phone numbers, dates of birth, nationalities, and VIP status (leaksear.ch metadata). Public reporting and breach-notification records link Aman to a ShinyHunters pay-or-leak extortion campaign involving Salesforce CRM data, with Have I Been Pwned listing 215.6 thousand affected accounts and more than 200,000 unique email addresses (haveibeenpwned.com, cybernews.com).
What happened
Aman Group describes itself as a hospitality, residential development, and lifestyle company with 36 hotels and resorts in 20 destinations, which helps explain why exposed CRM records could contain both contact and guest-profile data (www.aman.com). In April 2026, Cybernews reported that ShinyHunters listed multiple brands in a pay-or-leak warning with an April 21 deadline, including Aman Resorts as an ultra-luxury hospitality brand tied to a claimed 500k Salesforce records containing PII (cybernews.com).
The record counts differ by source and stage of reporting: the attacker claim cited in public reporting was 500k Salesforce records, Have I Been Pwned lists 215.6 thousand affected accounts, and leaksear.ch indexed 283,251 records (leaksear.ch metadata, haveibeenpwned.com). No public source reviewed here provides an Aman-issued breach notice or confirms the exact Salesforce configuration involved.
Salesforce separately published March 7 guidance about a campaign abusing overly permissive Experience Cloud guest user configurations, stating that the issue was not an inherent Salesforce platform vulnerability but a customer-configured guest user setting. That Salesforce-wide guidance provides context for the broader 2026 campaign, but it should not be read as confirming the precise path used against Aman (www.salesforce.com, www.finra.org).
What data was exposed
leaksear.ch indexed searchable fields for address, country, date of birth, email, name, and phone. The stored record metadata also lists account identifiers and account numbers; account region, source, status and type; billing, mailing, shipping, and residence country or address components; secondary emails; gender; home and other phone fields; language preference; salutation; title; department; source fields; and VIP status (leaksear.ch metadata).
Have I Been Pwned independently lists compromised data categories including dates of birth, email addresses, genders, language preferences, names, nationalities, phone numbers, physical addresses, spouse names, and VIP statuses (haveibeenpwned.com). The available leaksear.ch metadata and HIBP categories do not list passwords or payment card numbers.
Why this matters
This is customer and prospect CRM exposure, not just a list of email addresses. Names, email addresses, phone numbers, postal addresses, dates of birth, nationality context, and VIP status can support credible hotel reservation, concierge, loyalty, invoice, or travel-security phishing. FINRA warned in its alert on the broader Salesforce Experience Cloud incident that stolen data from the campaign was being used for targeted phishing, vishing, and extortion, which makes follow-on fraud and impersonation the practical risk to watch (www.finra.org).
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, date of birth, email, name, and phone.
Sources
- Have I Been Pwned: Aman Data Breach
- Cybernews: Zara, Carnival, 7-Eleven hit by ShinyHunters, 9M+ records at risk in pay or leak warning
- Aman: Worldwide Retreats, Residences, & Lifestyle - Aman Group
- Salesforce: Protecting Your Data: Essential Actions to Secure Experience Cloud Guest User Access
- FINRA: Cybersecurity Alert - Salesforce Experience Cloud Security Incident
- leaksear.ch: Request access
- leaksear.ch: Sign in