Vietnam Airlines hit by Salesforce CRM instance breach, exposes data of 7.3 Million customers

Vietnam Airlines, the national carrier of Vietnam, was hit by a cyberattack on their Salesformce instance that exposed sensitive customer information belonging to approximately 7.3 million passengers. 

The compromised data appeared on a dark web leak site operated by a hacker group calling itself Scattered LAPSUS$ Hunters.

The attack compromised the airline's Salesforce customer relationship management (CRM) account through social engineering techniques. The breach occurred in June 2025, but the stolen information remained undisclosed until October when the hacker group began publishing and selling the data on underground forums after their extortion attempts against Salesforce failed. 

The compromised dataset spans nearly five years of customer records, with the earliest entries dating back to November 23, 2020, and the most recent records from June 20, 2025. Independent security researchers who analyzed the leaked data identified approximately 8.1 million unique phone numbers and 7.4 million unique email addresses within the 63.62 gigabyte dataset, consistent with a large-scale customer CRM export. Structural markers within the archive, including Salesforce object identifiers, region tags, and loyalty program fields, match the CRM signatures observed across other victims in this campaign. The exposed data includes:

• Customer names
• Dates of birth
• Phone numbers
• Email addresses
• Residential addresses
• Loyalty program membership numbers

On October 13, 2025, a representative from VNCERT officially confirmed that Vietnam Airlines customer data was being actively listed for sale on hacker forums. Vietnam Airlines has not issued a public response about the data breach or provided information about security measures being implemented to protect affected customers.