Full Report
In October 2025, data stolen from the Salesforce instances of multiple companies by a hacking group calling itself "Scattered LAPSUS$ Hunters" was publicly released. Among the affected organisations was Vietnam Airlines, which had 7.5M unique customer email addresses exposed following a breach of its Salesforce environment in June of that year. The compromised data also included names, phone numbers, dates of birth, and loyalty program membership numbers.
Analysis Summary
# Incident Report: Vietnam Airlines Salesforce Data Breach
## Executive Summary
In June 2025, Vietnam Airlines experienced a data breach affecting its Salesforce environment, resulting in the exposure of approximately 7.5 million customer records. The data was later publicly released by the threat group "Scattered LAPSUS$ Hunters" in October 2025. The primary impact was the compromise of sensitive customer PII, leading to recommendations focused on immediate password changes and MFA adoption.
## Incident Details
- Discovery Date: October 11, 2025 (date the data was publicly released and added to HIBP)
- Incident Date: June 2025 (when the breach occurred)
- Affected Organization: Vietnam Airlines
- Sector: Airline/Travel
- Geography: Vietnam (Implied)
## Timeline of Events
### Initial Access
- Date/Time: June 2025 (Specific date unknown)
- Vector: Compromise of Salesforce environment (Specific initial vector unknown)
- Details: Attackers gained access to customer data stored within Vietnam Airlines' Salesforce instances.
### Lateral Movement
- *Not specified in the provided text.*
### Data Exfiltration/Impact
- Date/Time: Prior to October 2025
- Impact: 7.5 million unique customer email addresses, names, phone numbers, dates of birth, and loyalty program membership numbers were exfiltrated. The data was publicly released in October 2025 by "Scattered LAPSUS$ Hunters."
### Detection & Response
- Detection: The public release of the data coincided with its being loaded into breach-notification services such as HIBP (October 11, 2025).
- Response actions taken: The public recommendations focused on user action (changing passwords, enabling 2FA). Specific organizational containment or eradication steps are not detailed.
## Attack Methodology
- Initial Access: Compromise of Salesforce environment/instance.
- Persistence: *Not specified in the provided text.*
- Privilege Escalation: *Not specified in the provided text.*
- Defense Evasion: *Not specified in the provided text.*
- Credential Access: *Not specified in the provided text, but necessary to access Salesforce data.*
- Discovery: *Not specified in the provided text.*
- Lateral Movement: *Not specified in the provided text.*
- Collection: Gathering of customer PII from the compromised Salesforce environment.
- Exfiltration: Transfer of collected customer data out of the environment.
- Impact: Unauthorized publication of customer data.
## Impact Assessment
- Financial: *Not disclosed.*
- Data Breach: Approximately 7.5 million customer records exposed, including names, email addresses, phone numbers, dates of birth, and loyalty program details.
- Operational: *Not disclosed, but potential operational impact due to compromise of a core CRM system.*
- Reputational: Negative impact following public release of customer data by threat actors.
## Indicators of Compromise
- **Network indicators:** *None provided (All URLs are related to external security vendors).*
- **File indicators:** *None provided.*
- **Behavioral indicators:** Unauthorized data access/extraction from Salesforce environment (June 2025).
## Response Actions
- **Containment measures:** *Not specified.*
- **Eradication steps:** *Not specified.*
- **Recovery actions:** Public advisories issued urging customers to change passwords and enable 2FA.
## Lessons Learned
- The critical importance of securing cloud CRM environments (Salesforce) which often house highly sensitive customer PII.
- Potential gaps in monitoring or alerting that allowed the compromise to remain undetected between June 2025 and the October 2025 public disclosure.
## Recommendations
- Immediately enforce password rotation and complexity requirements for all customer accounts associated with the breached data set.
- Mandate and simplify the process for customers to enable Two-Factor Authentication (2FA) on their Vietnam Airlines and loyalty accounts.
- Review and bolster access controls and security configurations specifically within the organization's Salesforce implementation.