Aman Data Breach: 215K Guest Records Leaked (2026)
In April 2026, the ultra-luxury hotel brand Aman was named by ShinyHunters as the target of a "pay or leak" extortion campaign, with the data allegedly obtained from their Salesforce CRM. The data was subsequently leaked publicly and contained over 200k unique email addresses. Whilst not present on...
Overview
In April 2026, the cybercriminal group ShinyHunters published a database allegedly stolen from Aman, the ultra-luxury hotel brand known for its high-net-worth clientele. The data, claimed to be exfiltrated from Aman’s Salesforce CRM system, was offered in a “pay or leak” extortion campaign. When Aman did not meet the demands, the entire dataset of over 215,000 unique email addresses was leaked publicly. The breach is now indexed on Have I Been Pwned, allowing affected individuals to verify exposure. This incident highlights how CRM platforms handling VIP guest data are increasingly targeted by extortion groups like ShinyHunters, which has a track record of leaking stolen data when ransoms are not paid - as seen in other recent cybersecurity news.
What Was Exposed
The exposed dataset contains 215,563 unique email addresses. While not every record includes all fields, the compromised information includes:
- Email addresses (present on all records)
- Full names
- Phone numbers
- Physical addresses
- Dates of birth
- Genders
- Nationalities
- Spouse names
- VIP status codes
This combination of personally identifiable information (PII) and high-value CRM metadata creates a significant privacy risk for guests who expect discretion from a luxury brand.
Potential Impact
The severity of this breach is HIGH due to the sensitivity and completeness of the data. Email addresses and phone numbers enable targeted phishing attacks that appear legitimate because they reference specific booking details or VIP status. Physical addresses and dates of birth can be used for identity theft, including opening fraudulent accounts or credit lines. The inclusion of spouse names and nationality data makes social engineering attacks more convincing. For Aman’s high-profile clientele - including business leaders, celebrities, and government officials - this data leak could lead to doxxing, extortion, or reputational harm. Additionally, VIP status codes could be exploited to impersonate guests and gain unauthorized access to booking systems or hotel services.
Recommendations
- Reset passwords for any account using the same email. If you reuse passwords across sites, change them immediately. Use a password manager to generate unique, complex passwords.
- Enable two-factor authentication (2FA) on your email account and any accounts linked to the compromised email address. This prevents attackers from using stolen credentials.
- Be vigilant against phishing. Do not click links or open attachments from unexpected emails referencing Aman bookings or VIP offers. Verify directly with the hotel.
- Monitor your credit reports and financial accounts for signs of identity theft. Place a fraud alert with major credit bureaus if you see suspicious activity.
- Consider freezing your credit if you believe your Social Security number or other sensitive data was exposed (not confirmed in this breach but always a precaution).
- Use a data removal service to purge your information from people-search sites that may amplify this leaked data.
How to Check If You’re Affected
Visit haveibeenpwned.com and enter the email address you used with Aman. The site will show if that address appears in the Aman breach or any other known data leak. Since the breach includes 215,563 unique emails, there is a high probability that anyone who has stayed at an Aman property or interacted with their CRM is affected. You can also check the specific breach page at Aman Data Breach on HIBP.
Security Insight
This breach reveals that Aman’s Salesforce CRM lacked adequate access controls or data encryption at rest, allowing a single exfiltration to expose over 200,000 guest records. For a luxury brand serving ultra-high-net-worth individuals, failing to segment CRM data by guest tier or to implement strong API security is a critical oversight. Unlike similar breaches in the hospitality industry (e.g., Marriott’s Starwood breach), this incident involved active extortion rather than years of undetected compromise, suggesting the attackers exploited a known weakness rather than a sophisticated zero-day.