The data has landed where it was always going to land. Personal information stolen from Qantas in a mid-2025 cyberattack has now been released by hackers on the dark web, marking one of Australia’s most serious data incidents to date. For affected customers (roughly 5.7 million of them), this is the nightmare scenario that plays out in slow motion: first the breach notification, then the waiting, and finally the inevitable dump where your personal details become just another torrent file for cybercriminals to download.
Let’s be crystal clear about what happened here. This isn’t a story about Qantas getting hacked. On 30 June 2025, Qantas detected unusual activity on a third-party platform used by one of its contact centres. That “third-party platform” is the real protagonist in this disaster: it’s Salesforce, or more specifically, the sprawling ecosystem of OAuth-connected applications that companies blindly integrate without properly understanding the security implications.
The Scattered Lapsus$ Hunters Playbook
Qantas was one of six companies whose data was leaked on 11 October, alongside Vietnam Airlines, Albertsons Companies, GAP, Fujifilm, and Engie Resources. The timing wasn’t coincidental. Approximately 39 high-profile organizations, including Google, Cisco, FedEx, Disney/Hulu, Toyota, Marriott, and IKEA, were reportedly impacted by an incident linked to the breach of extensive customer records.
This is modern extortion at scale. The attackers established a dedicated leak site on the dark web, set deadlines, and started releasing data when their ransom demands weren’t met. The data was first made available on a clear-web hacking forum for approximately $27, then about an hour later was released for free on the dark web. That’s the perverse economics of stolen data: it depreciates faster than a new car driven off the lot.
What’s Actually Been Compromised
The exposed data includes full names, email addresses, physical addresses, phone numbers, dates of birth, gender, frequent flyer numbers, status tiers, and points balances. Qantas has confirmed that no identity documents, credit card details, passwords, or PIN numbers were compromised, and the hackers did not gain access to individual Frequent Flyer accounts.
That’s the official line, and while it’s technically reassuring, it misses the forest for the trees. The information that has been leaked is precisely what identity fraudsters need for social engineering attacks, account takeovers at other services, and targeted phishing campaigns. Your date of birth, address, and phone number: that’s the holy trinity for bypassing security questions and convincing call centre staff you are who you say you are.
The Salesforce OAuth Token Disaster
Here’s where the technical details become damning. Attackers associated with the Scattered Lapsus$ Hunters group have claimed to have stolen extensive Salesforce records from hundreds of companies by compromising OAuth tokens linked to third-party integrations. OAuth tokens are essentially digital skeleton keys that allow applications to access your data without constantly re-authenticating. When implemented properly, they’re a security feature. When implemented poorly (or when the third-party applications themselves are compromised), they become a vulnerability multiplier.
The attackers didn’t need to hack Salesforce directly. They compromised the integrations, obtained the OAuth tokens, and suddenly had legitimate-looking access to customer databases across hundreds of companies. It’s the supply chain attack we’ve been warning about for years, except instead of SolarWinds or Log4j, the vector is the sprawling web of SaaS integrations that every enterprise thinks makes them “agile” and “cloud-native.”
Corporate Response: Too Little, Too Late, Too Legal
While Qantas has obtained legal protections, critics say the airline’s response has been slow and inadequate. The company waited until 30 June to detect the breach, took months to notify customers, and now we’re in October, watching the data circulate freely. That’s not a security incident response: that’s a legal liability management exercise.
Law firms have alleged that Qantas breached privacy laws by failing to adequately protect customer information, though any class action would likely face challenges: the data wasn’t stolen from Qantas directly in Australia, and Qantas could argue that a third party was responsible for protecting it.
There’s the rub. When your customer data is stolen because your vendor’s integration partner’s OAuth token was compromised, who’s actually responsible? In the eyes of affected customers, it doesn’t matter. They gave their data to Qantas, not to Salesforce, and certainly not to some AI chatbot integration they’ve never heard of. But in the eyes of privacy law and corporate liability, it’s suddenly very complicated.
The Real Questions No One’s Asking
Why was a contact centre integration able to access 5.7 million customer records? What least-privilege governance allowed a third-party OAuth token to have read access to essentially the entire customer database? Did Qantas conduct security audits of these integrations? Did they have the contractual right to audit them? Did Salesforce?
These are the unsexy infrastructure questions that don’t make headlines but actually matter. The problem with modern cloud architecture is that it encourages this promiscuous data sharing in the name of “seamless integration” and “omnichannel customer experience.” Every new integration is another potential attack vector, but we’ve built a technology culture where saying “no” to integrations is seen as backwards thinking.
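The least-privilege questions above can be asked of an integration inventory. As an added example (not code from the original post, Qantas or Salesforce), this Python routine flags connected-app OAuth grants that carry broad data scopes, stale refresh tokens, long inactivity or no accountable owner; the app records, field names and thresholds are constructed, while the scope names "full" and "api" are Salesforce's own broad-access OAuth scopes.

```python
from datetime import datetime

# Constructed sample inventory of connected apps and their OAuth grants.
# Field names and values are illustrative, not a real Salesforce export.
CONNECTED_APPS = [
    {"app": "contact-centre-bot", "scopes": ["full", "refresh_token"],
     "last_used": "2025-06-20", "refresh_token_age_days": 410, "owner": "vendor-a"},
    {"app": "marketing-sync", "scopes": ["api", "refresh_token"],
     "last_used": "2025-06-28", "refresh_token_age_days": 30, "owner": "it-ops"},
    {"app": "sso-login", "scopes": ["openid", "email"],
     "last_used": "2025-06-29", "refresh_token_age_days": 5, "owner": "it-ops"},
    {"app": "legacy-reporting", "scopes": ["api"],
     "last_used": "2024-11-02", "refresh_token_age_days": 240, "owner": "unknown"},
]

# "full" and "api" grant broad data access in Salesforce's OAuth scope model;
# narrow identity scopes such as openid/email do not expose customer records.
BROAD_SCOPES = {"full", "api"}
MAX_TOKEN_AGE_DAYS = 90   # assumed rotation policy
MAX_IDLE_DAYS = 60        # assumed inactivity threshold

def audit_connected_apps(apps, today):
    """Return [(app_name, [issue, ...])] for every app that fails a check.
    `today` is an ISO date string, so the audit is reproducible."""
    as_of = datetime.strptime(today, "%Y-%m-%d").date()
    findings = []
    for app in apps:
        issues = []
        broad = BROAD_SCOPES & set(app["scopes"])
        if broad:
            issues.append(f"broad scope {sorted(broad)}: reads data beyond one use case")
        if app["refresh_token_age_days"] > MAX_TOKEN_AGE_DAYS:
            issues.append(f"refresh token not rotated for {app['refresh_token_age_days']} days")
        idle = (as_of - datetime.strptime(app["last_used"], "%Y-%m-%d").date()).days
        if idle > MAX_IDLE_DAYS:
            issues.append(f"unused for {idle} days: candidate for revocation")
        if app["owner"] == "unknown":
            issues.append("no accountable owner: cannot audit or contractually enforce")
        if issues:
            findings.append((app["app"], issues))
    return findings

if __name__ == "__main__":
    for name, issues in audit_connected_apps(CONNECTED_APPS, "2025-06-30"):
        print(name)
        for issue in issues:
            print("  -", issue)
```

Run against a real export, the same checks give a reviewer a short list of grants to narrow, rotate or revoke before a compromised integration can read the whole customer table.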
What This Means For You
If you’ve been a Qantas customer, assume your data is now public. Enable two-factor authentication everywhere you can. Be extremely suspicious of any calls, texts, or emails claiming to be from Qantas or any other service: the attackers now have enough information about you to make their phishing attempts sound disturbingly legitimate.
And here’s the uncomfortable truth: this will happen again. Qantas won’t be the last Australian company caught in a supply chain data breach. Until we fundamentally rethink how we architect cloud services (with proper segmentation, least-privilege access, and actual security audits of third-party integrations), we’re just waiting for the next OAuth token to leak and the next database to hit the dark web.
The data is out there now. It’s not coming back. The only question is what happens next time, and whether we’ll have learned anything at all.