leaksear.ch has indexed a leak tied to Australian airline Qantas containing 5,216,527 records, about 5.2 million, with July 2, 2025 listed as the breach date (leaksear.ch metadata). Qantas said the incident involved a cybercriminal accessing a third-party customer servicing platform used by a Qantas contact centre, and later said 5.7 million customer records were stolen and data had been released online (www.qantasnewsroom.com.au, www.qantasnewsroom.com.au).
What happened
Qantas disclosed on July 2, 2025 that a cyber incident in one of its contact centres had impacted customer data. The airline said it detected unusual activity on a third-party platform, contained the system, and confirmed that Qantas operations and safety were not affected (www.qantasnewsroom.com.au).
The leaksear.ch source metadata attributes the dataset to ShinyHunters and describes it as exfiltrated in a ShinyHunters/UNC6040 voice-phishing attack against a third-party Salesforce-based customer service platform (leaksear.ch metadata). Public reporting later tied Qantas, Allianz Life, LVMH, and Adidas to a broader Salesforce data-theft wave, while noting that Qantas had not publicly confirmed Salesforce as the affected platform (www.bleepingcomputer.com). Google Threat Intelligence Group tracks UNC6040 as a financially motivated cluster that uses voice phishing to compromise Salesforce instances, often by tricking employees into authorizing malicious connected apps, and said the observed attacks manipulated users rather than exploiting a Salesforce platform vulnerability (cloud.google.com).
Qantas initially said about 6 million customers had service records in the affected platform. After removing duplicates, Qantas said the impacted data covered 5.7 million unique customers, then later stated that stolen data from the July incident had been released by cyber criminals (www.qantasnewsroom.com.au, www.qantasnewsroom.com.au).
What data was exposed
The indexed Qantas dataset contains names, email addresses, phone numbers, dates of birth, addresses, country values, and Qantas Frequent Flyer details including tier, points balance, and status credits (leaksear.ch metadata). The platform search pivots for this leak are country, date of birth, email, name, and phone (leaksear.ch metadata).
Additional stored fields include frequent flyer numbers, profile address fields, preferred contact channels, multiple home, business, mobile, alternate email and phone fields, meal and seat preference fields, status and membership fields, CRM identifiers, timestamps, and internal Salesforce-style record fields (leaksear.ch metadata). Qantas' July 9 update said field combinations varied by customer and that no credit card details, personal financial information, passport details, passwords, PINs, or login details were stored in the compromised system or accessed (www.qantasnewsroom.com.au).
Why this matters
Names, email addresses, phone numbers, birth dates, addresses, and loyalty details can make Qantas-themed phishing, account-recovery scams, and identity-verification abuse more convincing. Qantas warned affected customers to remain alert for unusual communications claiming to be from Qantas and said it would not ask for passwords, booking reference details, or sensitive login information (www.qantasnewsroom.com.au). Security teams should treat the dataset as a phishing and fraud-enrichment source, especially where exposed email or phone data overlaps with customer-service, travel, or loyalty-program accounts. If you are a Qantas customer or frequent flyer, check whether your country, date of birth, email, name, or phone appears in this leak through leaksear.ch.
Check your exposure
Vetted researchers and incident-response teams can request access or sign in if they already have access to check this dataset. Searchable pivots for this leak include country, date of birth, email, name, and phone.
Sources
- Qantas Newsroom: QANTAS CYBER INCIDENT
- Qantas Newsroom: UPDATE ON QANTAS CYBER INCIDENT: WEDNESDAY 9 JULY 2025
- Qantas Newsroom: UPDATE ON QANTAS CYBER INCIDENT: THURSDAY 17 JULY 2025
- Qantas Responds: UPDATE ON JULY CYBER INCIDENT
- Google Cloud Blog: The Cost of a Call: From Voice Phishing to Data Extortion
- BleepingComputer: ShinyHunters behind Salesforce data theft attacks at Qantas, Allianz Life, and LVMH