ShinyHunters Leak Alleged Data from Qantas, Vietnam Airlines and Other Major Firms

The hackers, identifying themselves as “Scattered Lapsus$ Hunters,” a collective said to combine elements of Scattered Spider, Lapsus$, and ShinyHunters, have now published data allegedly belonging to 6 of the 39 targeted companies.

The companies named in the leak are as follows:

1. Fujifilm
2. GAP, INC.
3. Vietnam Airlines
4. Engie Resources
5. Qantas Airways Limited
6. Albertsons Companies, Inc.

What’s In The Data

While the impacted companies are the only ones who can verify the breach, Hackread.com has carried out an in-depth analysis of the leaked data, and it looks legitimate. In all 6 leaks, the record contains personal details of customers, business, including email addresses, full names, addresses, passport numbers, phone numbers,

Qantas Airways Limited

The dataset leaked from Qantas Airways Limited is substantial in size, weighing in at 153 GB. The files are in JSON format and contain over 5 million records. The data was published on October 10, 2025, and marked as public by the threat actors.

This dataset combines personally identifiable information (PII) with customer loyalty and internal business data, making it a serious exposure if authentic. Here’s what the leaked data contains:

1. Gender
2. Country
3. Full name
4. Date of birth
5. Points balance
6. Currency used (AUD)
7. Frequent flyer number
8. Frequent flyer join and anniversary dates
9. Title or salutation (for example, Mrs, Mr)
10. Frequent flyer tier and status credits
11. Phone numbers (main, alternate, home, business, mobile)
12. Email addresses (primary, alternate, business, home)
13. Account creation and modification timestamps
14. Mailing address details (city, postal code, latitude, longitude, etc.)
15. Account or customer ID numbers (internal Salesforce and Qantas IDs)
16. Profile preferences (for example, meal, seat, marketing preferences, newsletters)
17. Membership and loyalty details (bronze tier, expiry, status credits till next level)
18. Internal CRM fields (OwnerId, RecordTypeId, CreatedBy, etc.)
19. Links to internal reports and templates (for example, “QCC Frequent Flyer Report”, “QCC Lounges Report”)
20. Customer notes and remarks fields
21. Geolocation data (latitude and longitude of mailing address)
22. Activity and contact tracking metadata (last modified, last viewed, etc.)
23. Internal flags and status indicators (HasOptedOutOfEmail, DoNotCall, Active, Sensitive_Contact, etc.)

In its security advisory published on 12 October 2025, the company confirmed that data from 5.7 million of its customers was published online following a major cyberattack. It is worth noting that in July 2025, the company had also confirmed a major data breach connected to a third-party vendor, but did not disclose its name at the time.

Vietnam Airlines

Vietnam Airlines’ dataset is 63.62 GB, also in JSON format, with more than 23 million records. Like the others, it was made public on October 10, 2025. The release, if authentic, represents one of the larger leaks attributed to this round of breaches.

These record includes both personally identifiable information (PII) and corporate account data, along with internal airline CRM fields and loyalty program identifiers such as the frequent flyer number. Here is a list of the types of data contained in the Vietnam Airlines record:

1. Age
2. Gender
3. Full name
4. Phone number
5. Currency used
6. Email address
7. Frequent flyer number
8. Date of birth and year of birth
9. Owner and system metadata
10. Internal account and contact IDs
11. Business or cargo-related fields
12. Account type and record classification
13. Corporate or business role information
14. Corporate and tax information fields
15. Company-related email and phone fields
16. Last travel and travel-related tracking fields
17. Country and city fields (though some are blank)
18. Residential address (street and partial location details)

Albertsons Companies, Inc.

The leak associated with Albertsons Companies, Inc. is relatively smaller, totalling 2 GB of JSON files. According to the listing, it contains over 672,000 records. The data was published on October 10, 2025, and labelled as public.

GAP, INC.

The dataset tied to GAP, INC. is 1 GB in size, formatted in JSON, and reportedly holds more than 224,000 records. The information was uploaded on October 10, 2025, with a public status tag, suggesting it is accessible to anyone through the leak portal.

Fujifilm

The Fujifilm data leak appears smaller in comparison, listed at 155 MB and in CSV format. Despite its smaller size, the dataset still allegedly includes around 224,000 records. It too was made public on October 10, 2025.

Engie Resources

The dataset from Engie Resources measures 3 GB and is formatted as JSON files. It is said to include more than 537,000 records, published publicly on October 10, 2025.

Total Number of Companies Impacted in the Breach

The full list of 39 companies identified as victims in the alleged Salesforce data breach:

1. KFC – 1.3GB
2. ASICS – 9GB
3. UPS – 91.34GB
4. IKEA – 13GB
5. GAP, INC. – 1GB
6. Petco – 9.9GB
7. Cisco – 5.6GB
8. McDonald’s – 28GB
9. Cartier – 1.4GB
10. Adidas – 37GB
11. Fujifilm – 155MB
12. Instacart – 32GB
13. Marriott – 7GB
14. Walgreens – 11GB
15. Pandoranet – 8.3GB
16. Chanel – 2GB
17. CarMax – 1.7GB
18. Disney/Hulu – 36GB
19. TransUnion – 22GB
20. Aeroméxico – 172.95GB
21. Toyota Motor Corporation – 64GB
22. Stellantis – 59GB
23. Republic Services – 42GB
24. TripleA (aaacom) – 23GB
25. Saks Fifth – 1.1GB
26. Albertsons (Jewel Osco, etc) – 2GB
27. Engie Resources (Plymouth) – 3GB
28. 1-800Accountant – 18GB
29. HMH (hmhcocom) – 88GB
30. Instructurecom – Canvas – 35GB
31. Google Adsense – 19GB
32. HBO Max – 3.2GB
33. FedEx – 1.1TB
34. Qantas Airways – 153GB
35. Vietnam Airlines – 63.62GB
36. Air France & KLM – 51GB
37. Home Depot – 19.43GB
38. Kering (Gucci, Balenciaga, Brioni, AlexMcQ) – 10GB

What’s Next?

While more data was initially expected, the hackers announced on Telegram that they will not be releasing any additional information, stating, “A lot of people are asking what else will be leaked. Nothing else will be leaked. Everything that was leaked was leaked, we have nothing else to leak, and obviously, the things we have cannot be leaked for obvious reasons.” This statement leaves the future of the remaining data uncertain.

However, what has already been leaked is damaging enough. If verified, the release of these databases could have serious consequences across several industries. Airlines, retailers, and energy companies store large volumes of sensitive customer and business information, including personal details, contact data, and internal records.

The exposure of such data puts affected individuals at risk of identity theft and fraud, while also creating potential reputational and financial damage for the companies involved. Since these leaks are linked to earlier claims about a Salesforce vulnerability, the incident also raises questions about the security practices of third-party platforms that manage and store such extensive data.