
5 Million Qantas Travellers’ Data Leaked on Dark Web After Global Ransomware Attack

Personal data of around five million Qantas passengers has surfaced on the dark web after the airline fell victim to a massive ransomware attack. The cybercriminal group, Scattered Lapsus$ Hunters, released the data publicly when their ransom demands went unmet.

The hackers uploaded the stolen files on Saturday, tagging them as “leaked” and warning, “Don’t be the next headline, should have paid the ransom.”

The compromised information reportedly includes email addresses, phone numbers, dates of birth, and frequent flyer membership details from Qantas’ customer records. However, the airline confirmed that no financial data, credit card details, or passport numbers were exposed in this breach.

The cyberattack is part of a larger global campaign that has impacted 44 organisations worldwide, with up to a billion customer records potentially compromised. The infiltration occurred through a Salesforce database breach in June, extending from April 2024 to September 2025.

Cyber intelligence expert Jeremy Kirk from Intel 471 said the attackers are a long-established criminal network with members operating across the US, UK, and Australia.
He noted: “This particular group is not a new threat; they've been around for some time.”
Kirk added: “They're very skilled in knowing how companies have connected different systems together.”

Major global brands such as Gap, Vietnam Airlines, Toyota, Disney, McDonald’s, Ikea, and Adidas were also affected by the same campaign.

While Qantas customers’ financial data was not exposed, experts have warned that the leaked personal details could be exploited for identity theft and phishing scams.
Kirk cautioned: “These days, a lot of threat groups are now generating personalised phishing emails.”
He continued: “They're getting better and better at this, and these types of breaches help fuel that underground fraudster economy.”

Qantas has since launched a 24/7 customer support line and provided specialist identity protection assistance to those affected.
A company representative stated, “We continue to offer a 24/7 support line and specialist identity protection advice to affected customers.”

In July, Qantas secured a permanent court order from the NSW Supreme Court to block any unauthorised access, sharing, or publication of the stolen data.

Salesforce, whose database was infiltrated, confirmed that it would not negotiate or pay ransom demands, stating: “We will not engage, negotiate with, or pay any extortion demand.” The company also clarified that its platform itself remained uncompromised and that it continues to work closely with affected clients.

A Qantas spokesperson added: “With the help of specialist cyber security experts, we are investigating what data was part of the release.”
They continued: “We have also put in place additional security measures, increased training across our teams, and strengthened system monitoring and detection since the incident occurred.”

ShinyHunters’ Voice Phishing Attacks Target Salesforce Users, Breaches Hit Qantas, LVMH, Adidas, and Allianz

A recent wave of high-profile data breaches affecting global brands such as Qantas, Allianz Life, LVMH, and Adidas has been traced to the ShinyHunters extortion group. The group has been exploiting voice phishing tactics to compromise Salesforce CRM instances, according to Google’s Threat Intelligence Group (GTIG).

In June, GTIG reported that a threat actor tracked as UNC6040 was conducting sophisticated social engineering campaigns targeting Salesforce users. The attackers posed as IT support over phone calls, directing victims to the Salesforce connected app setup page and instructing them to enter a “connection code.” This action granted access to a malicious version of Salesforce’s Data Loader OAuth app. In some cases, the Data Loader tool was disguised as “My Ticket Portal” to appear legitimate.
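The connected-app authorisation step described above is where a defender can look for this campaign. The Python script below is an added example, not code from the article, Google or Salesforce: it scans constructed connected-app authorisation records and flags any app whose OAuth client key is not on an allow list, whose display name mimics Data Loader or "My Ticket Portal", or which was granted scopes that allow bulk export of objects such as Accounts and Contacts. The log format, field names, scope names and key values are assumptions for the example, not the real Salesforce event schema.

```python
import json
from dataclasses import dataclass

# Allow list keyed by the OAuth consumer key, not the display name: the
# name is chosen by whoever registers the app, so it proves nothing.
# The key below is a constructed placeholder, not a real consumer key.
APPROVED_CLIENT_IDS = {"PLACEHOLDER_APPROVED_DATALOADER_KEY"}
# Display-name fragments a lookalike app might reuse to appear legitimate.
LOOKALIKE_NAMES = ("data loader", "ticket portal")
# Scopes sufficient to pull whole objects (Accounts, Contacts) via the API
# (assumed scope names for this example).
BULK_CAPABLE_SCOPES = {"api", "full", "refresh_token"}


@dataclass(frozen=True)
class Finding:
    user: str
    app_name: str
    reasons: tuple


def analyse(log_lines):
    """Return one Finding per OAuth-app authorisation not on the allow list."""
    findings = []
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("event") != "oauth_app_authorized":
            continue  # logins and other setup changes are out of scope here
        if ev["client_id"] in APPROVED_CLIENT_IDS:
            continue  # the sanctioned Data Loader registration is fine
        reasons = ["client_id not on allow list"]
        if any(frag in ev["app_name"].lower() for frag in LOOKALIKE_NAMES):
            reasons.append("display name mimics a sanctioned tool")
        if BULK_CAPABLE_SCOPES & set(ev.get("scopes", [])):
            reasons.append("bulk-export-capable scopes granted")
        findings.append(Finding(ev["user"], ev["app_name"], tuple(reasons)))
    return findings


# Constructed sample records; the field names are assumptions for this example.
SAMPLE_LOG = [
    '{"event":"login","user":"alice@example.com"}',
    '{"event":"oauth_app_authorized","user":"bob@example.com","app_name":"Data Loader",'
    '"client_id":"PLACEHOLDER_APPROVED_DATALOADER_KEY","scopes":["api","refresh_token"]}',
    '{"event":"oauth_app_authorized","user":"alice@example.com","app_name":"My Ticket Portal",'
    '"client_id":"UNKNOWN_KEY_1","scopes":["api","refresh_token"]}',
    '{"event":"oauth_app_authorized","user":"carol@example.com","app_name":"Weather Widget",'
    '"client_id":"UNKNOWN_KEY_2","scopes":["openid"]}',
]

if __name__ == "__main__":
    for f in analyse(SAMPLE_LOG):
        print(f.user, f.app_name, "; ".join(f.reasons))
```

The allow list should be maintained from the connected apps actually approved by the Salesforce admin team; a lookalike that is on the allow list by mistake will not be flagged.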

While most attacks involved vishing (voice phishing), credentials and MFA tokens were also stolen through fake Okta login pages. Around this time, several companies disclosed breaches involving third-party customer service or cloud CRM systems.

LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co. confirmed unauthorized access to customer databases, with Tiffany Korea stating the breach stemmed from “a vendor platform used for managing customer data.” Similarly, Adidas, Qantas, and Allianz Life reported incidents linked to external systems. Allianz Life confirmed that on July 16, 2025, a “malicious threat actor gained access to a third-party, cloud-based CRM system used by Allianz Life Insurance Company of North America.”

Although Qantas has not confirmed whether Salesforce was involved, local media reports claim the stolen data came from its Salesforce instance. Court filings also reveal that the attackers targeted “Accounts” and “Contacts” — both native Salesforce database objects.

BleepingComputer has since verified that all affected companies were targeted as part of the same campaign highlighted by Google. So far, the breaches have not resulted in public data leaks, with ShinyHunters allegedly attempting private email extortion. Experts warn that if these efforts fail, mass data leaks similar to the group’s previous Snowflake incidents could follow.

"We have not identified any data leak sites associated with this activity," said Genevieve Stark, Head of Cybercrime and Information Operations Intelligence Analysis at GTIG. "It is plausible that the threat actor intends to sell the data instead of sharing it publicly. This approach would align with prior ShinyHunters Group activity."

Google notes that it is tracking these incidents under separate designations: UNC6040 for the initial breaches and UNC6240 for the subsequent extortion attempts.

The ShinyHunters group has long been associated with large-scale data theft and extortion schemes. Their methods sometimes overlap with those used by Scattered Spider (UNC3944), another notorious hacking group targeting sectors like aviation, retail, and insurance. While Scattered Spider typically conducts full network breaches — sometimes deploying ransomware — ShinyHunters often focus on cloud-based platforms and web applications.

Some security researchers believe there is significant crossover between UNC6040/UNC6240 and UNC3944, with both groups potentially sharing members or operating within the same online circles. The network is also suspected to overlap with “The Com,” a cybercriminal collective of English-speaking hackers.

Theories suggest that ShinyHunters may operate as an extortion-as-a-service model, conducting extortion campaigns for other hacking groups in exchange for a profit share. The group has been tied to past breaches at PowerSchool, Oracle Cloud, Snowflake, AT&T, Wattpad, and others. Even after multiple arrests of individuals linked to the name, fresh attacks continue, with the group often identifying itself as a “collective.”

Salesforce maintains that its systems remain uncompromised, with the breaches resulting from social engineering targeting customer accounts rather than platform vulnerabilities.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform… customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," the company told BleepingComputer.