Qantas customers' personal data has reportedly been leaked on the dark web following a cyber attack in July. Up to six million records were compromised during the breach of a third-party platform utilized by the airline. The exposed information includes customers' names, email addresses, phone numbers, birth dates, and frequent flyer numbers.

The hacking group Scattered Lapsus$ Hunters has threatened to release stolen data from approximately 40 companies linked to Salesforce, including major firms like Disney, Google, IKEA, and Toyota, as well as airlines Qantas, Air France, and KLM. They demanded a ransom be paid by 3 p.m. AEST on Saturday, warning that failure to comply would result in the data being made public.

Troy Hunt, a cybersecurity expert and founder of Have I Been Pwned, confirmed that Qantas customer data has been found on the dark web. While speaking to a news outlet, Hunt received a message from a friend who believed they had located his personal information in the leaked data. "I just gave them the last two digits of my frequent flyer number. So we'll see if they can confirm the whole thing, but I'm quite sure it is what it is," he stated. Shortly after, he received confirmation that his unique Qantas email address was part of the leak.

Hunt noted that the hackers have only released data from a limited number of companies so far. "They've only released six at this point in time," he said, adding that the hackers have been inconsistent in their communications regarding the data leak.

He cautioned affected individuals to be vigilant about incoming communications, as the leaked data could facilitate social engineering attacks and phishing scams. "The more an attacker has about you in terms of your personal info, the better a scam they're able to execute," Hunt explained.

In response to the situation, Qantas is conducting an investigation. The hackers have confirmed the data leak and indicated they possess the capability to carry out further attacks. Meanwhile, Salesforce has stated it will not engage with the hackers or pay any ransom demands, asserting that there is no evidence its platform has been compromised.