Deep Well Services (DWS), a Pennsylvania-rooted oilfield services company whose site describes hydraulic completion and workover services, training, and real-time data analytics, has a newly indexed leak tied to a ShinyHunters-attributed June 16, 2026 breach (deepwellservices.com, breachsense.com). leaksear.ch indexed 6,223 Salesforce-derived records from the dataset, including contact, account, case, opportunity, and user data (leaksear.ch metadata).
What happened
Public breach listings provide limited but consistent context: Deep Well Services was listed as a breach victim in June 2026. Breachsense lists the victim as deepwellservices.com, names ShinyHunters as the threat actor, and gives June 16, 2026 as the date discovered (breachsense.com). DataBreach lists a Deep Well Services breach page dated June 15, 2026, added June 23, 2026, with 13,297 rows and categories including email, phone number, name, and vehicle plate (databreach.com).
The public row counts differ by source, while leaksear.ch indexed 6,223 records from the dataset; those figures should be treated as listing or indexing counts, not a confirmed number of unique affected people (leaksear.ch metadata). The public sources cited here do not confirm Deep Well Services' initial access vector or a company-issued breach notice.
Because the indexed records are Salesforce-derived, the wider Salesforce threat context is relevant but not proof of the DWS intrusion method. Salesforce warned in March 2026 that malicious actors were exploiting overly permissive Experience Cloud guest user configurations to access data, and FINRA separately warned firms that ShinyHunters had been actively exploiting misconfigured Salesforce Experience Cloud instances (salesforce.com, finra.org).
What data was exposed
leaksear.ch indexed searchable fields including names, email addresses, phone numbers, physical addresses, countries, IP addresses, and usernames (leaksear.ch metadata).
The dataset also contains CRM and business context that is not directly searchable on leaksear.ch, including account names, company names, job titles and departments, Salesforce contact and user IDs, user profiles, active status, last-login and password-expiration dates, case numbers, case subjects, case statuses, case reasons, case types, case opened dates, owner names, lead sources, opportunity IDs, opportunity names, opportunity stages, opportunity types, opportunity owner titles and departments, source files, source tables, source row numbers, and audit metadata (leaksear.ch metadata).
Why this matters
CRM leaks can make phishing and vishing more credible because attackers can reference real names, phone numbers, accounts, support cases, job roles, and business relationships. Salesforce warned that harvested names and phone numbers from similar activity are often used for targeted social engineering and voice phishing (salesforce.com).
For affected individuals and organizations, the practical risk is impersonation of employees, vendors, customers, or support staff, especially where oilfield services operations depend on phone and email coordination. Anyone who has interacted with Deep Well Services should verify unusual payment, procurement, support, or credential requests through a trusted channel, and check leaksear.ch to see whether their email, phone number, name, username, address, country, or IP address appears in this leak.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, email, IP address, name, phone, and username.