Lapsus$ Hunters Leak Initial Batch of Data from Salesforce Breach Victims

Keerthana S October 14, 2025 | 04:29 PM Technology

The leak—containing millions of customer records from Qantas, Vietnam Airlines, and four other major corporations—marks the latest phase of an ongoing extortion campaign that has so far resisted law enforcement crackdowns.

The data dump appeared late on October 10, 2025, just hours after the FBI and France’s BL2C cybercrime unit seized BreachForums.hn, a Clearnet extortion site linked to the same group. Despite this takedown, authorities were unable to disable the onion version of the portal, which remains operational and is now being used to distribute the stolen information—alongside a new Clearnet domain. The attackers had previously warned that if ransom demands were ignored, they would publicly release the compromised data.

Figure 1. Salesforce Client Data.

Companies in the First Leak

  • Qantas Airways
  • Vietnam Airlines
  • Albertsons
  • Gap
  • FujiFilm
  • Engie Resources

Qantas Airways, Australia’s largest airline, confirmed that 5.7 million customer records were compromised in a June 2025 breach tied to a Salesforce-integrated third-party call center platform. Exposed details include names, birth dates, email addresses, phone numbers, and frequent flyer numbers—but no financial or passport data. Despite a court injunction restricting data dissemination, the full dataset has now surfaced online. Figure 1 shows Salesforce Client Data.

Vietnam Airlines also suffered a breach via the same Salesforce vector. Data posted to Have I Been Pwned shows 7.3 million unique email addresses exposed, alongside full names, dates of birth, loyalty program details, and contact numbers. The airline’s breach, which dates to June, was added to HIBP’s database on October 11, one day after the leak.

Other affected firms—Albertsons, Gap, FujiFilm, and Engie Resources—have also been listed in the dump. While their data specifics are still unverified, all were labeled “non-compliant” by the threat actors, indicating they refused to pay ransom demands.

Salesforce, meanwhile, maintains that its core platform remains secure. The company stated that these incidents stem from customer misconfigurations, third-party integrations, or legacy access tokens, not from any vulnerability in Salesforce systems. It reiterated its policy against negotiating with cybercriminals and said it is assisting affected clients.

The Scattered Lapsus$ Hunters group continues to operate through their dark web site and Telegram channels, promising additional leaks in the coming weeks. Based on their own claims, as many as 40 more companies could soon see their data publicly released.


Cite this article:

Keerthana S (2025), Lapsus$ Hunters Leak Initial Batch of Data from Salesforce Breach Victims, AnaTechMaz, pp.167
