leaksear.ch has indexed 140,178 Ralph Lauren records from a June 11, 2026 ShinyHunters pay-or-leak extortion incident involving alleged Salesforce data (leaksear.ch metadata). Have I Been Pwned lists the incident as a June 2026 Ralph Lauren breach affecting about 140,000 accounts, with names, email addresses, phone numbers, genders, and age groups exposed (haveibeenpwned.com).
What happened
Cybernews reported on June 11, 2026 that ShinyHunters claimed to have stolen more than 220GB of Ralph Lauren data, including customer PII, transaction information, and unreleased product material. At the time of that report, Cybernews said Ralph Lauren had not confirmed the incident and that no public data sample was available to verify the claim (cybernews.com).
Have I Been Pwned later described the incident as a ShinyHunters pay-or-leak campaign in which the group published hundreds of gigabytes of data it claimed came from Ralph Lauren's Salesforce instance (haveibeenpwned.com). DeXpose separately reported the June 11 threat-actor claim and said the group threatened publication if negotiations did not begin by June 14, 2026 (www.dexpose.io).
Salesforce had warned in March 2026 about a known threat actor campaign targeting overly permissive Experience Cloud guest user configurations, while stating that the activity related to customer configuration and not a Salesforce platform flaw. That advisory is useful background for Salesforce-linked leak claims, but public reporting on Ralph Lauren does not establish the exact access path used in this incident (www.salesforce.com).
What data was exposed
The leaksear.ch index makes the Ralph Lauren dataset searchable by country, email address, name, and phone number (leaksear.ch metadata). Other stored fields include customer gender, age group, store and business-region context, order or transaction dates, survey programs, net promoter score fields, feedback comments, purchase or non-purchase reasons, checkout and delivery satisfaction fields, store identifiers, and transaction or tracking context (leaksear.ch metadata).
Have I Been Pwned lists the compromised data categories as age groups, email addresses, genders, names, and phone numbers (haveibeenpwned.com). The leaksear.ch metadata does not list passwords, password hashes, national IDs, or full payment-card numbers among the indexed or stored fields (leaksear.ch metadata).
Why this matters
Names, email addresses, phone numbers, demographic details, and shopping or survey context can make phishing and vishing attempts more believable. Salesforce warned that harvested names and phone numbers in related Experience Cloud scanning activity are often used to build follow-on social engineering and voice-phishing campaigns (www.salesforce.com).
For affected individuals, the practical risk is targeted brand impersonation, fake customer-support outreach, account-recovery scams, and profiling based on purchase or feedback history. Readers who want to check whether their data appears in this leak should search leaksear.ch using email, phone, name, or country.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include country, email, name, and phone.