Aman Data Breach: 215K Guest Records Leaked (2026)

Overview

In April 2026, the renowned ultra-luxury hotel brand Aman was targeted by the threat actor group ShinyHunters, who claimed to have stolen data from Aman’s Salesforce CRM instance. The attackers initiated a “pay or leak” extortion campaign, and when the demands were not met, they publicly leaked over 215,563 records. This breach exposes a trove of highly sensitive personal data belonging to Aman’s affluent clientele, raising severe risks of targeted phishing, identity theft, and financial fraud.

What Was Exposed

The leaked dataset includes an alarming variety of personal identifiers, far beyond basic contact information. For each of the 215,563 individuals, the following data was compromised:

• Email Addresses: Primary vector for phishing and account takeover attempts.
• Names and Genders: Enables highly personalized social engineering.
• Phone Numbers: Opens the door to SMS-based phishing (“smishing”) and vishing attacks.
• Physical Addresses: Increases risk of physical mail fraud, SIM swapping, or even doxxing.
• Dates of Birth: A critical component for identity theft, often used in security questions and credit applications.

While full credit card numbers or Social Security numbers were not reported in the original leak, the combination of DOB, home address, and name is frequently sufficient for fraudsters to initiate account takeovers on other platforms or apply for credit lines in victims’ names.

How the Breach Happened

ShinyHunters is notorious for targeting cloud-based customer relationship management (CRM) platforms. In this case, they claimed to have accessed Aman’s Salesforce CRM instance. Although the exact method of initial access is not public, common vectors include compromised employee credentials (phishing or credential stuffing), misconfigured APIs, or third-party application vulnerabilities. The breach underscores a growing trend where attackers bypass perimeter defenses entirely to target the databases where companies store their most valuable customer data.

Account Takeover Risks

This breach is a goldmine for credential stuffing attacks. With valid email addresses and personal details, attackers can attempt to log into other high-value accounts the victim might hold - frequent flyer programs, luxury retail accounts, private banking portals, or even personal email. Victims who reuse passwords across services are at the highest immediate risk. Anyone affected should immediately enable multi-factor authentication on all accounts and use a password manager to generate unique, complex passwords.

How to Check If You’re Affected

The breach has been added to Have I Been Pwned (HIBP), a widely trusted notification service. To check if your data is included:

1. Visit haveibeenpwned.com.
2. Enter the email address you may have used with Aman.
3. If a breach is reported, HIBP will display “Aman” as a source.

Additionally, if you have previously stayed at or booked with Aman, you may receive a direct notification from the hotel chain. Be cautious of any unsolicited emails or calls claiming to be from Aman support, as they could be part of a follow-on phishing campaign.

What to Do Right Now

Given the high severity and the data types exposed, immediate action is essential:

• Secure Your Email: Change the password for the email account linked to your Aman reservation. Enable MFA.
• Freeze Your Credit: Given the presence of DOBs and addresses, consider placing a freeze on your credit files with the three major bureaus (Experian, Equifax, TransUnion) to prevent new account fraud.
• Be Skeptical of Contact: Do not click links or download attachments in unsolicited emails or texts claiming to be from Aman. Verify any communication by calling the property directly using a known phone number.
• Monitor for Phishing: Be alert for emails that reference your Aman stay, your address, or your personal details. Attackers now have the context to craft highly convincing, targeted messages.

Security Insight

This incident should serve as a stark warning to any business using integrated CRM platforms. A single credential exposure or misconfigured API can lead to the wholesale theft of a customer’s entire profile, not just a single datapoint. For luxury brands like Aman, the reputational damage is compounded by the expectation of privacy and security. The breach also highlights a critical disconnect: the company owning the customer relationship (Aman) may not be fully in control of the security posture of their CRM provider (Salesforce), making vendor risk assessment an absolute necessity.

Further Reading

• OpenSTAManager SQLi (CVE-2026-35470)
• OpenSTAManager SQL Injection (CVE-2026-28805)
• OpenSTAManager SQL Injection (CVE-2026-35168)
• All High Breaches
• Recent Data Breaches