Luxury hospitality chain Aman Resorts (aman.com) has been named as the latest victim of the prolific extortion crew ShinyHunters, with the group claiming exfiltration of more than 500,000 Salesforce records containing personally identifiable information. The listing dates the breach to 18 April 2026, surfaced publicly on 19 April 2026, and carries a "FINAL WARNING: PAY OR LEAK" notice with a deadline of 21 April 2026.
What Happened
ShinyHunters listed Aman Resorts on its leak infrastructure on 19 April 2026, claiming initial compromise occurred one day earlier, on 18 April 2026. The listing frames the incident as a double-extortion operation: data has allegedly already been exfiltrated, and the group is threatening public release alongside additional "digital problems" for the Singapore-headquartered luxury hotel operator if payment is not received by 21 April 2026. The posting currently sits in its final-warning stage, indicating negotiations have either stalled or never started.
Aman Resorts operates a global portfolio of ultra-luxury properties catering to high-net-worth individuals, making any customer database exposure particularly sensitive from both a privacy and targeted-fraud perspective.
What Was Taken
According to the threat actor's own claims, the stolen dataset consists of over 500,000 Salesforce CRM records containing personally identifiable information. While the specific fields have not been enumerated publicly, typical hospitality-sector Salesforce instances store:
- Guest full names, email addresses, and phone numbers
- Postal and billing addresses
- Loyalty program identifiers and stay histories
- Passport or government ID references tied to booking profiles
- VIP notes, preferences, and special handling instructions
- Corporate account and travel-agent contact data
Given Aman's clientele, the reputational and spear-phishing risk attached to this dataset is disproportionate to its raw record count.
Why It Matters
ShinyHunters has re-emerged in 2025 and 2026 as a dominant force in Salesforce-adjacent data theft campaigns, frequently leveraging OAuth abuse, compromised third-party integrations, and social engineering of helpdesk staff to gain tenant access. An Aman Resorts compromise fits the group's established victimology: consumer-facing brands with large Salesforce-hosted customer datasets and strong incentives to pay quickly to avoid public disclosure.
For defenders across hospitality, travel, and luxury retail, the listing is a clear signal that ShinyHunters continues to work through high-value CRM targets and that Singapore-headquartered multinationals are squarely in scope.
The Attack Technique
No definitive intrusion vector has been confirmed by Aman Resorts at the time of writing. However, ShinyHunters' 2025 to 2026 campaigns have consistently relied on a narrow set of techniques against Salesforce environments:
- Voice phishing (vishing) of service-desk staff to approve malicious connected apps
- Abuse of OAuth tokens from compromised third-party Salesforce integrations
- Credential stuffing against admin accounts lacking phishing-resistant MFA
- Bulk data extraction via the Salesforce Data Loader or Bulk API once inside
Defenders should assume similar tradecraft until Aman confirms otherwise.
What Organizations Should Do
- Audit all connected apps and OAuth tokens inside Salesforce tenants; revoke any unused, unrecognized, or overly scoped integrations.
- Enforce phishing-resistant MFA (FIDO2 or hardware keys) for every administrative and integration-capable Salesforce account.
- Restrict Salesforce API and Bulk API access by IP allowlist and enable Event Monitoring or Shield to alert on anomalous export volumes.
- Harden helpdesk verification procedures against vishing, including callback policies and out-of-band identity confirmation before any MFA reset or app approval.
- Run dark-web and leak-site monitoring for your domains, executive names, and loyalty program identifiers, and prepare customer notification templates in advance.
- Review incident response playbooks specifically for CRM data-theft extortion, including legal, PR, and regulator notification workflows under PDPA (Singapore) and GDPR.
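The export-volume and IP-allowlist alerting recommended above can be prototyped offline against exported event logs. The following is an added example, not code from the source or from Salesforce: the column names are modeled on Event Monitoring log files and are assumptions to map onto your own export, and the network range, thresholds, and sample rows are constructed.

```python
import csv, io, ipaddress, statistics
from collections import defaultdict

# Constructed sample rows. Column names are assumptions modeled on
# Event Monitoring log files; map them to the columns in your own export.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,ROWS_PROCESSED
API,2026-01-12T09:00:00Z,user-a,198.51.100.10,1200
API,2026-01-13T09:05:00Z,user-a,198.51.100.10,1500
Login,2026-01-13T08:00:00Z,user-b,198.51.100.20,
API,2026-01-13T10:00:00Z,user-b,198.51.100.20,800
API,2026-01-14T09:10:00Z,user-a,198.51.100.10,1100
BulkApi,2026-01-15T02:30:00Z,user-a,203.0.113.77,250000
"""

ALLOWED_NETS = [ipaddress.ip_network("198.51.100.0/24")]  # hypothetical egress range
EXPORT_EVENTS = {"API", "BulkApi"}   # event types treated as data export paths
SPIKE_FACTOR = 10                    # alert when a day exceeds 10x the user's median
MIN_ROWS = 10_000                    # floor that keeps small daily totals quiet

def find_export_anomalies(log_text):
    """Return alert tuples: (kind, user, day, detail)."""
    daily = defaultdict(lambda: defaultdict(int))  # user -> day -> rows exported
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] not in EXPORT_EVENTS:
            continue
        ip = ipaddress.ip_address(row["CLIENT_IP"])
        day = row["TIMESTAMP_DERIVED"][:10]
        if not any(ip in net for net in ALLOWED_NETS):
            alerts.append(("off_allowlist_ip", row["USER_ID"], day, str(ip)))
        daily[row["USER_ID"]][day] += int(row["ROWS_PROCESSED"])
    for user, days in daily.items():
        ordered = sorted(days)
        for i, day in enumerate(ordered):
            history = [days[d] for d in ordered[:i]]
            # No history means baseline 0: a first-seen bulk export also alerts.
            baseline = statistics.median(history) if history else 0
            if days[day] >= MIN_ROWS and days[day] > SPIKE_FACTOR * baseline:
                alerts.append(("export_spike", user, day, days[day]))
    return alerts

if __name__ == "__main__":
    for alert in find_export_anomalies(SAMPLE_LOG):
        print(alert)
```

A per-user median baseline keeps a legitimate high-volume integration account from masking a spike on an ordinary user account, which a single tenant-wide threshold would miss.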
Sources: Ransomware Group shinyhunters Hits: Aman Resorts (aman.com)