Yes — Ralph Lauren (ralphlauren.com) was breached. The fashion retailer now appears on Have I Been Pwned with 139,903 accounts from a June 2026 ShinyHunters “pay or leak” extortion campaign targeting the company’s Salesforce instance.
Reporting from TechNadu describes hundreds of gigabytes of allegedly stolen data published after ransom demands — including customer PII, purchase records, and documents tied to unreleased products.
We scanned ralphlauren.com to assess email and domain security posture after this retail CRM leak.
What Happened
According to Have I Been Pwned and TechNadu:
- June 11, 2026 — ShinyHunters listed Ralph Lauren in a pay-or-leak extortion campaign.
- The group claimed customer PII, purchase and transaction records, and planning documents for unreleased collections.
- 139,903 unique email addresses were exposed, along with names, phone numbers, genders, and age groups.
- ShinyHunters subsequently published hundreds of gigabytes of data allegedly sourced from Ralph Lauren’s Salesforce environment.
- HIBP added the breach on June 18, 2026.
This incident fits a broader 2026 ShinyHunters pattern of targeting cloud CRM platforms — the same playbook documented against Infinite Campus, Berkadia, and CFGI.

Breach Impact at a Glance
| Field | Detail |
|---|---|
| Victim | Ralph Lauren (ralphlauren.com) |
| Sector | Fashion retail |
| Threat actor | ShinyHunters |
| Source system | Salesforce (alleged) |
| Accounts affected | 139,903 |
| Claim date | June 11, 2026 |
| Added to HIBP | June 18, 2026 |
| Data types | Emails, names, phones, genders, age groups, purchase data |
Data at Risk
Exposed records may include:
- Customer email addresses and phone numbers
- Names, genders, and age groups for targeted marketing fraud
- Purchase and transaction history useful for refund and gift-card scams
- Alleged unreleased product planning documents — competitive and brand-reputation risk
Retail breaches often trigger a wave of fake order confirmations, refund phishing, and loyalty-program scams referencing real purchase history.

Independent Cybersecurity Audit
We ran an EmailMeNow Cybersecurity Audit of ralphlauren.com on July 5, 2026:
| Domain | Overall | Identity | Transport | Website | Risk |
|---|---|---|---|---|---|
| ralphlauren.com | 54% | 50% | 15% | 45% | Average |
Key findings:
- 54% overall (Average) — below the 100% ideal for a global retailer handling customer accounts at scale.
- 50% Identity & Spoofing — partial DMARC posture; spoofed
@ralphlauren.comorder and refund emails may reach customers post-leak. - 15% Transport Security — no effective MTA-STS enforcement or TLS-RPT reporting.
- 45% Website Security — public-site header gaps compound customer phishing risk.
Audit link: ralphlauren.com audit
Priority Actions
- Treat unsolicited Ralph Lauren refund, loyalty, or order-update emails as suspicious — verify at ralphlauren.com directly.
- Check Have I Been Pwned if you hold a Ralph Lauren account.
- Retailers should audit Salesforce API tokens, session policies, and MFA on CRM admin accounts.
- See hospitality & retail breach trends and HIBP 2026 tracker.
Sources: HIBP — Ralph Lauren · TechNadu — Ralph Lauren ShinyHunters breach · EmailMeNow audit — ralphlauren.com