A Nexstar Media Group Salesforce dataset indexed by leaksear.ch contains 14,600 person-level contact, user, and opportunity records, including emails, names, phone numbers, addresses, usernames, IP addresses, and CRM context, with a breach date of June 11, 2026 (leaksear.ch metadata). Nexstar says it and its subsidiaries and partners own or operate 265 stations in 132 markets across 44 states (www.nexstar.tv).
What happened
Public reporting described the incident as a ShinyHunters data-extortion claim involving Nexstar.tv or Nexstar Media Group. DeXpose reported that ShinyHunters claimed on June 11, 2026 to have compromised more than 1 million Salesforce records and other internal corporate data, while ClassAction.org described the matter as a possible Nexstar breach and said the company had not confirmed it at the time of publication (www.dexpose.io, www.classaction.org).
Class Action U similarly characterized the incident as reported and potentially involving Salesforce records, employee and corporate information, and sensitive personal data, but noted the breach had not been confirmed by Nexstar (classactionu.org). RedPacket Security listed Nexstar.tv under ShinyHunters and included a warning that some listings attributed to ShinyHunters have been unverified or fabricated, so the actor's broader claim should be treated as alleged unless corroborated (www.redpacketsecurity.com).
The leaksear.ch indexed subset is narrower than the actor's public claim: it contains normalized person-level Salesforce contact, user, and opportunity records, excluding standalone business-account rows and cases without an email deduplication key (leaksear.ch metadata). No loaded public source for this article confirmed the initial access vector, a ransom amount, or whether encryption occurred.
What data was exposed
The indexed records include names, email addresses, phone numbers, physical addresses, countries, usernames, and IP addresses as searchable fields (leaksear.ch metadata). The dataset also contains employee and CRM context, source table information, source file names, source row numbers, and source value audit data for row provenance, but those provenance fields are not direct search pivots (leaksear.ch metadata).
Why this matters
Person-level CRM data can give attackers enough context to make phishing, business-email-compromise lures, and impersonation attempts look credible, especially when names, contact details, usernames, and organizational context appear together. For individuals, exposed addresses and phone numbers increase the risk of targeted scams and account-recovery abuse. Anyone affiliated with Nexstar, including current or former employees, customers, vendors, or other CRM contacts, should check whether their email, phone, username, name, address, country, or IP address appears in this leak (leaksear.ch metadata).
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, email, ip address, name, phone, and username.
Sources
- Nexstar Media Group: Stations
- DeXpose: ShinyHunters Compromises Nexstar.tv in Major Ransomware Attack
- ClassAction.org: Nexstar Media Group Data Breach? Lawyers Examining Hackers' Reports
- Class Action U: Nexstar Media Group Data Breach Lawsuit
- RedPacket Security: ShinyHunters Ransomware Victim Nexstar.tv