What Happened in the Aman Data Breach?
In April 2026, ultra-luxury hotel brand Aman became the target of a data extortion campaign. A group identifying itself as ShinyHunters claimed responsibility for the attack. According to the claims, the group obtained guest data from Aman’s Salesforce customer relationship management system.
The Aman data breach followed a pattern seen in other recent extortion campaigns tied to Salesforce environments. Rather than deploying ransomware to lock systems, the attackers reportedly extracted data directly from the CRM platform. As a result, no encryption or system disruption appears to have occurred. Instead, the attackers pursued a “pay or leak” strategy, threatening to publish the stolen records unless Aman paid a ransom.
The data was ultimately leaked publicly, confirming that the extortion attempt did not result in a payment, or that the attackers released it regardless. This leak allowed researchers to verify the scope and content of the stolen information. Because the data appeared online, security researchers could confirm the breach was genuine rather than an unsubstantiated claim. The exact date unauthorized access to Aman’s Salesforce environment first occurred has not been publicly disclosed.
Who was affected?
The Aman data breach affected guests and clients associated with the luxury hotel brand. Given Aman’s global network of resorts and hotels, the exposed individuals likely include travelers from the United States and other countries. Anyone who provided personal information to Aman through bookings, loyalty programs, or customer service interactions could be affected.
Researchers confirmed that the leaked dataset contained more than 200,000 unique email addresses. This figure represents the number of distinct people impacted by the breach. However, the exact breakdown by country or customer type has not been publicly disclosed. Because Aman caters to an international, high-net-worth clientele, the exposure of VIP status codes and spouse names raises particular privacy concerns for its guests.
What Information Was Potentially Exposed?
The leaked dataset varied in completeness across records. In other words, not every affected person had every data type exposed. Still, the overall scope of information involved is significant given the sensitive nature of some fields.
- Email addresses
- Names
- Genders
- Physical addresses
- Phone numbers
- Nationalities
- Dates of birth
- Spouse names
- Language preferences
- VIP status codes
This combination of data creates meaningful risk for identity theft and targeted fraud. For example, a scammer armed with a person’s name, birth date, and physical address has enough detail to attempt account takeover or apply for credit in someone else’s name. Because the data also includes nationality and language preference, criminals could craft highly convincing, localized phishing messages.
In addition, the presence of spouse names and VIP status codes makes this breach especially useful for social engineering. Attackers often use these personal details to build trust before requesting money or further information. As a result, affected individuals should treat any unexpected contact referencing their Aman stay with heightened suspicion, even if it appears to come from a trusted source.
What is the company doing?
Aman has not publicly detailed every step of its response to this breach. However, the confirmation that stolen data originated from its Salesforce CRM suggests the company has investigated the source of the intrusion. Because the data was leaked publicly, Aman was unable to prevent public exposure once the extortion demand went unmet or was ignored.
Going forward, affected individuals should watch for official communication from Aman regarding remediation steps. Companies facing similar CRM-based breaches typically work to secure third-party platform access, rotate credentials, and review vendor security practices. Whether Aman is offering credit monitoring or identity protection services has not been publicly disclosed at this time.
What Should Affected Individuals Do?
Monitor Your Credit Reports
Because names, addresses, and birth dates were exposed, affected individuals should closely monitor their credit reports for signs of fraud. Regularly checking your credit report allows you to catch new accounts or inquiries you didn’t authorize.
You can request a free credit report from each of the three major credit bureaus. Reviewing these reports every few months, rather than just once, helps you spot suspicious activity early. If you notice anything unfamiliar, report it to the bureau immediately.
Watch for Phishing and Social Engineering Attempts
Given the personal details exposed in this breach, phishing attempts targeting Aman guests could appear highly convincing. Scammers may reference your stay, your spouse’s name, or your VIP status to seem legitimate.
Therefore, treat any unsolicited email or phone call referencing your Aman booking with caution. Avoid clicking links in unexpected messages, and instead contact Aman directly through official channels if you’re unsure about a communication’s authenticity.
Consider a Fraud Alert or Credit Freeze
Because this breach exposed dates of birth and physical addresses alongside names, affected individuals may want to place a fraud alert on their credit files. A fraud alert requires lenders to take extra steps to verify your identity before extending credit.
For stronger protection, you can also request a credit freeze, which restricts access to your credit report entirely. This makes it much harder for identity thieves to open new accounts using your information. Both options are free and can be requested directly from the credit bureaus.
Update Privacy Settings and Passwords
Since email addresses were exposed in large numbers, affected individuals should update passwords for any accounts linked to that email. Using a unique, strong password for each account reduces the risk of credential stuffing attacks.
In addition, enabling two-factor authentication adds another layer of protection. This step ensures that even if a password is compromised, unauthorized users cannot easily access your accounts.
Consult a Data Breach Attorney
If you were affected by the Aman data breach, it may be worth speaking with a data breach attorney about your options. An attorney can help you understand whether you qualify for compensation through a potential class action.
Because breach litigation often involves strict filing deadlines, seeking a free case evaluation sooner rather than later is a reasonable step. This ensures you understand your rights before any relevant statute of limitations passes.
