Full Report
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on all records, the data also included genders, physical addresses, phone numbers, nationalities, dates of birth, spouse names and VIP status codes.
Analysis Summary
# Incident Report: Aman Ultra-Luxury Hotels Salesforce Breach
## Executive Summary
In April 2026, the high-end hospitality brand Aman was targeted in a "pay or leak" extortion campaign by the threat actor group ShinyHunters. The breach resulted in the public exposure of over 215,000 unique records containing sensitive guest information, including PII and VIP status codes, allegedly exfiltrated from the company’s Salesforce CRM.
## Incident Details
- **Discovery Date:** April 2026
- **Incident Date:** April 2026
- **Affected Organization:** Aman Resorts
- **Sector:** Hospitality / Luxury Travel
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** April 2026 (exact time undisclosed)
- **Vector:** Targeted exploitation of Salesforce CRM environment.
- **Details:** Threat actors gained unauthorized access to the organization's Salesforce instance, though the specific method (e.g., credential stuffing, misconfigured API, or session hijacking) remains unconfirmed in public reporting.
### Lateral Movement
- **Details:** Evidence suggests movement within the Salesforce environment to aggregate guest data across multiple global properties.
### Data Exfiltration/Impact
- **Details:** Approximately 215,600 unique records were exfiltrated. ShinyHunters initiated a "pay or leak" extortion demand. Upon failure to pay, the data was leaked publicly.
### Detection & Response
- **How it was discovered:** Public claim of responsibility and extortion posting by the threat group ShinyHunters.
- **Response actions taken:** Data was indexed by "Have I Been Pwned" on May 1, 2026; affected individuals were advised to update passwords and monitor for identity theft.
## Attack Methodology
- **Initial Access:** Targeted Salesforce CRM access (likely via compromised credentials or an API token).
- **Persistence:** Not disclosed; likely temporary access for the duration of the data harvesting.
- **Exfiltration:** Systematic export of CRM records.
- **Impact:** Financial extortion and public data release.
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and loss of high-net-worth individual revenue.
- **Data Breach:** Exposure of 215,600 unique email addresses and sensitive PII (dates of birth, spouse names, physical addresses, and phone numbers).
- **Operational:** Disruption of CRM integrity and marketing operations.
- **Reputational:** Significant impact due to the exposure of "VIP status codes," which identify high-profile/celebrity clientele.
## Indicators of Compromise
- **Network indicators:** N/A (Cloud-based breach)
- **File indicators:** Database exports containing "Aman" guest records.
- **Behavioral indicators:** Unusual API call volume or mass export activity within the Salesforce platform originating from non-company IPs.
## Response Actions
- **Containment:** Likely rotation of Salesforce credentials and API keys.
- **Eradication:** Not explicitly detailed in public reporting; assumed removal of unauthorized access points.
- **Recovery:** Customer notification and integration with identity monitoring services.
## Lessons Learned
- **Key Takeaways:** Even high-security luxury brands are vulnerable through third-party SaaS platforms like Salesforce.
- **Weaknesses:** Lack of sufficient monitoring for large-scale data exports in the CRM and potential lack of Multi-Factor Authentication (MFA) on service accounts.
## Recommendations
- **MFA Enforcement:** Mandatory phishing-resistant MFA for all Salesforce users and administrative accounts.
- **Data Loss Prevention (DLP):** Implement DLP policies within Salesforce to trigger alerts or block mass exports of guest data.
- **Access Reviews:** Conduct quarterly audits of Salesforce "Guest User" profiles and API permissions to ensure the principle of least privilege.
- **Encryption:** Use Shield Platform Encryption for sensitive fields like birth dates and VIP status within the CRM.
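The behavioral indicator above (mass export activity from non-company IPs) and the DLP recommendation both come down to the same detection: counting report exports per user per day and checking the source address. The following is an added example, not code from the report or from Salesforce; it runs over a constructed, simplified log in the shape of a Salesforce EventLogFile ReportExport CSV (the column names, user IDs, IPs, thresholds and corporate ranges are all assumed for illustration).

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log; the column set is a simplified, assumed schema.
# TIMESTAMP is YYYYMMDDhhmmss.sss, so the first 8 characters give the day.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,ROW_COUNT
ReportExport,20260414003001.000,005A000000AAA,203.0.113.45,500
ReportExport,20260414003119.000,005A000000AAA,203.0.113.45,50000
ReportExport,20260414003405.000,005A000000AAA,203.0.113.45,50000
ReportExport,20260414003702.000,005A000000AAA,203.0.113.45,50000
ReportExport,20260414091500.000,005A000000BBB,198.51.100.10,200
ReportExport,20260414103000.000,005A000000CCC,198.51.100.22,1500
"""

# Assumed corporate egress ranges; in practice take these from the org's allowlist.
CORPORATE_NETS = [ipaddress.ip_network("198.51.100.0/24")]


def is_corporate(ip: str) -> bool:
    """True when the client IP falls inside a known corporate range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETS)


def detect_mass_export(log_text: str, max_exports: int = 3, max_rows: int = 20000):
    """Return one alert per (user, day) whose export volume exceeds a threshold.

    A non-corporate source IP is added as context but does not alert on its own,
    so a single remote-worker export does not page anyone.
    """
    exports, rows, ips = defaultdict(int), defaultdict(int), defaultdict(set)
    for rec in csv.DictReader(io.StringIO(log_text)):
        if rec["EVENT_TYPE"] != "ReportExport":
            continue
        key = (rec["USER_ID"], rec["TIMESTAMP"][:8])
        exports[key] += 1
        rows[key] += int(rec["ROW_COUNT"])
        ips[key].add(rec["CLIENT_IP"])
    alerts = []
    for (uid, day), count in exports.items():
        if count <= max_exports and rows[(uid, day)] <= max_rows:
            continue
        reasons = [f"{count} exports", f"{rows[(uid, day)]} rows"]
        external = sorted(ip for ip in ips[(uid, day)] if not is_corporate(ip))
        if external:
            reasons.append("non-corporate IP " + ",".join(external))
        alerts.append({"user": uid, "day": day, "rows": rows[(uid, day)], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect_mass_export(SAMPLE_LOG):
        print(alert)
```

Feeding the real EventLogFile export into the same function only requires mapping its actual column names onto the ones assumed here.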