A ShunFeng/SF Express dataset indexed by leaksear.ch contains 125,712,669 Chinese courier customer records, exposing recipient names, phone numbers, and full shipping addresses (leaksear.ch metadata). The source metadata describes the data as allegedly stolen in 2020 and offered for sale on BreachForums; U.S. prosecutors have separately described BreachForums as a marketplace for cybercriminals to buy, sell, and trade hacked or stolen data (leaksear.ch metadata, www.justice.gov).
What happened
SF Express, also known as ShunFeng, is a Shenzhen-headquartered logistics provider established in 1993; the company says it operates express, freight, cold chain, pharmaceutical, intra-city, supply chain, and international logistics services (www.sf-express.com). leaksear.ch indexed the ShunFeng dataset on May 23, 2026, and its metadata lists January 1, 2020 as the breach date (leaksear.ch metadata).
At this stage, the available leak metadata does not identify the intrusion path or confirm whether the records came from a direct SF Express system, a third-party logistics partner, scraping, or aggregation. The BreachForums offering should therefore be read as an allegation unless corroborated by additional public reporting (leaksear.ch metadata).
Public reporting confirms that SF Express customer data has been the subject of prior leak allegations: CGTN reported in September 2018 that data for about 300 million SF Express customers was being sold on the dark web and that SF Express said it had reported the matter to authorities, while Yicai reported in February 2023 on broader allegations involving express delivery order data from multiple Chinese platforms (news.cgtn.com, www.yicaiglobal.com). Those reports provide context for recurring courier-data exposure claims, but they do not prove the 125.7 million-record dataset is the same as any earlier incident.
What data was exposed
leaksear.ch indexing metadata identifies searchable fields for this dataset as address, country, name, and phone. Other stored fields include city, dist, district, and province (leaksear.ch metadata).
In plain English, the records appear to connect a recipient identity to a phone number and a precise delivery location, including province, city, district, and full shipping address data where present (leaksear.ch metadata). Passwords, payment card numbers, parcel contents, tracking numbers, and delivery times are not listed in the leaksear.ch metadata for this dataset (leaksear.ch metadata).
Why this matters
Name-phone-address combinations are enough for believable parcel-delivery phishing, courier impersonation, and social-engineering attempts tied to real addresses. For security teams, the dataset provides pivots for identifying exposed employees, executives, and facilities in China-linked logistics or e-commerce workflows; it should not be treated as evidence of account compromise by itself (leaksear.ch metadata).
Organizations should watch for SMS and messaging campaigns that reference missed deliveries, address changes, customs fees, or delivery verification, because the exposed fields are well suited to those lures (leaksear.ch metadata). Readers who may have sent or received SF Express shipments can check leaksear.ch using the searchable phone, name, address, or country fields to see whether their information appears in this leak (leaksear.ch metadata).
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include address, country, name, and phone.
Sources
- U.S. Department of Justice: Justice Department Announces Arrest of the Founder of One of the World’s Largest Hacker Forums and Disruption of Forum’s Operation
- SF: About SF
- CGTN: SF Express responses to leak of 300 mln customer data
- Yicai Global: China Courier Shares Dip After Alleged Massive Data Breach