On July 4, 2026, leaksear.ch indexed a Hitachi Vantara Salesforce CRM export containing 2,325,391 records tied to contact, lead, user, case and account-contact data (leaksear.ch metadata). The dataset is associated in the metadata with Hitachi Data Systems / Hitachi Vantara and the wider 2025 Salesforce customer data-theft and extortion wave, but no breach date is listed for this specific export (leaksear.ch metadata).
What happened
leaksear.ch metadata identifies the material as a Salesforce CRM export, not as a direct confirmation by Hitachi Vantara. Public sources reviewed for this article document a broader 2025 pattern in which Salesforce customer data was taken through social engineering and third-party integration abuse, while Salesforce said there was no indication its platform itself was compromised or that the activity was tied to a known Salesforce vulnerability (status.salesforce.com, cloud.google.com).
Google Threat Intelligence Group said UNC6040 used vishing to persuade employees to authorize malicious connected apps, enabling access to Salesforce customer environments and subsequent extortion. Google Cloud separately said UNC6395 targeted Salesforce customer instances through compromised OAuth tokens associated with the Salesloft Drift third-party app between August 8 and August 18, 2025; the FBI also warned on September 12, 2025 that UNC6040 and UNC6395 were compromising Salesforce instances for data theft and extortion (cloud.google.com, cloud.google.com, www.fbi.gov). BleepingComputer and TechCrunch reported that Scattered Lapsus$ Hunters launched a data-leak site in October 2025 to pressure Salesforce customers, with claims around roughly 1 billion records; SecurityWeek later reported that only six claimed victims had data leaked in that episode (www.bleepingcomputer.com, techcrunch.com, www.securityweek.com).
Hitachi Vantara also published a separate cybersecurity update saying it experienced a ransomware incident on April 26, 2025, identified suspicious activity that day, and had detected no threat-actor activity since April 27. That public update does not connect the ransomware incident to this Salesforce CRM export, so the exact intrusion path and breach date for the Hitachi Vantara dataset remain unconfirmed (leaksear.ch metadata, www.hitachivantara.com).
What data was exposed
The leaksear.ch index describes 2,325,391 records with contact, lead, user, case and account-contact details (leaksear.ch metadata). Searchable fields in the index include addresses, countries, email addresses, names, phone numbers and usernames; stored context also includes account and contact IDs, case numbers, city/state/postal data, company, country code, department, job function, job title, role, lead source and lead score, Marketo external IDs, website, Salesforce object URLs, source object, record type IDs, status values and CRM timestamps (leaksear.ch metadata).
Other stored fields indicate call and email preference or deliverability metadata, including do-not-call, email opt-out, email bounce reason and email bounced status (leaksear.ch metadata). The supplied metadata does not list passwords, payment-card numbers, bank account numbers or government ID numbers, so those data types are not claimed here.
Why this matters
This is business-contact and CRM workflow data, which can make phishing more believable even when no passwords are present (leaksear.ch metadata). A name, employer, title, case number, phone number, address and email address can help attackers impersonate vendors, support teams or sales contacts. Security teams should treat exposed Salesforce metadata and case/account references as potential context for targeted social engineering, and individuals should verify unexpected outreach through known channels. Readers who want to check whether their data appears in this Hitachi Vantara leak should use the leaksear.ch exposure check for this dataset.
Check your exposure
Vetted researchers and incident-response teams can request access, or sign in if they already have access, to check this dataset. Searchable pivots for this leak include address, country, email, name, phone and username.
Sources
- Salesforce: Trust Status ID 20000224
- Google Cloud: The Cost of a Call: From Voice Phishing to Data Extortion
- Google Cloud: Widespread Data Theft Targets Salesforce Instances via Salesloft Drift
- FBI: Cyber Criminal Groups UNC6040 and UNC6395 Compromising Salesforce Instances for Data Theft and Extortion
- BleepingComputer: ShinyHunters launches Salesforce data leak site to extort 39 victims
- TechCrunch: Hacking group claims theft of 1 billion records from Salesforce customer databases
- SecurityWeek: Extortion Group Leaks Millions of Records From Salesforce Hacks
- Hitachi Vantara: Cybersecurity Incident Update