14.10.2025
2 min
489
Hackers have posted the names, phone numbers, dates of birth, email addresses and loyalty program numbers of nearly six million Qantas customers on the dark web. Qantas says that financial data (passwords, cards, IDs) was not compromised, but the information published is sufficient for phishing and social engineering; the company has filed a lawsuit and will seek to restrain the distribution of the data through a court order in the NSW Supreme Court.
What happened: Hackers associated with a group called Scattered Lapsus$ Hunters (reportedly) posted files containing Qantas customer data online after an incident on a third-party platform in early July.
Scope and nature of the leak: ~6 million records of personal information (names, dates of birth, phone numbers, email addresses, frequent-flyer numbers). Qantas insists that payment details and passwords were not stolen.
Impact on users: These data sets provide fraudsters with material for targeted phishing campaigns, call schemes, and social engineering to recover/intercept access.
Company response: Qantas filed a lawsuit against “unknown individuals,” Salesforce publicly stated that it would not pay the ransom or negotiate with the demands; law enforcement and experts (including Troy Hunt) confirmed the leak.
Broader context: The attack also affected other companies integrated with Salesforce (including Disney, Google, IKEA, Toyota, McDonald’s, Air France, KLM), highlighting the risks to supply chains and third-party platforms.
The incident begins with a hack or compromise of a third-party platform through which the attackers gained access to data related to Qantas. Such supply chains (third-party/SaaS integrations) have long been considered a “gateway” for sophisticated campaigns: if one service is compromised, attackers can access the data of many customers of that service. The NSW court order attempts to legally restrict access to the leaked files, but in practice the data has already reached the darknet, and its distribution is difficult to completely stop.
The Qantas incident is another reminder: companies need to thoroughly check the security of third parties, minimize the amount of sensitive data stored in external services, and inform customers quickly. Users should increase their vigilance: change (if not already done) passwords in related services, enable multi-factor authentication (not SMS-MFA, but applet/key/token), carefully check suspicious emails and calls, and subscribe to services like Have I Been Pwned for leak alerts.
