A ShunFeng/SF Express dataset indexed by leaksear.ch contains 59,722,322 Chinese courier customer records, exposing recipient names, phone numbers, and full shipping addresses (leaksear.ch metadata). SF Express says it was established in Shunde in 1993, is headquartered in Shenzhen, and provides domestic and international logistics services (www.sf-express.com).
What happened
The indexed dataset is described in leaksear.ch metadata as allegedly stolen in 2020 and later posted for sale on BreachForums in 2022, with the breach date listed as January 1, 2020 (leaksear.ch metadata). The U.S. Department of Justice has described BreachForums as a marketplace used to buy, sell, and trade hacked or stolen data since March 2022 (www.justice.gov).
Public reporting gives useful but incomplete context. In September 2018, CGTN reported that SF Express responded to claims about 300 million customer records offered on a dark web forum, and that the company said it had reported the matter to authorities while saying the alleged leak did not include goods information, tracking numbers, or delivery times (news.cgtn.com). In February 2023, Yicai reported allegations of a broader express-delivery data exposure involving data from e-commerce and courier platforms, and wrote that S.F. Holding and JD.com said they had not received relevant information when asked to verify authenticity (www.yicaiglobal.com). These reports do not establish the provenance of the 59.7 million-record dataset indexed by leaksear.ch.
What data was exposed
Leaksear.ch metadata identifies the searchable fields in the ShunFeng dataset as address, name, and phone (leaksear.ch metadata). Records also include city, district, and province fields as stored context, but those fields are not listed as searchable pivots (leaksear.ch metadata).
The supplied metadata does not list passwords, payment card data, tracking numbers, or package contents. The core exposure is still sensitive because it links a person or recipient to a phone number and a physical delivery address.
Why this matters
Names, phone numbers, and delivery addresses can support targeted smishing, fake-delivery notifications, courier impersonation, address confirmation scams, and doxxing. Security teams should watch for courier-themed lures that include real names or addresses, and affected individuals should treat unexpected shipment messages or payment requests with caution. If you used SF Express or received SF Express deliveries, check whether your name, phone number, or address appears in this leak before responding to shipment-related messages (leaksear.ch metadata).
Check your exposure
To check this dataset, vetted researchers and incident-response teams can request access, or sign in if they already have access. Searchable pivots for this leak include address, name, and phone.
Sources
- SF Express: About SF
- United States Department of Justice: Justice Department Announces Arrest of the Founder of One of the World’s Largest Hacker Forums and Disruption of Forum’s Operation
- CGTN: SF Express responses to leak of 300 mln customer data
- Yicai Global: China Courier Shares Dip After Alleged Massive Data Breach