Hackers have leaked the personal information of five million Qantas customers on the dark web after the company failed to meet their ransom demand.

The hacker collective Scattered Lapsus$ Hunters released an extortion note on a dark web data leaks site last week, where they demanded payment to prevent the dissemination of the stolen data. The Qantas data stolen from a Salesforce database in a major June cyber-attack included customers’ email addresses, phone numbers, birth dates, and frequent flyer numbers, but it did not contain credit card details, financial information, or passport details.

The group updated the status of the data to "leaked" on Saturday, accompanied by the quote: "Don’t be the next headline, should have paid the ransom."

The global data, stolen between April 2024 and September 2025, includes the personal and contact information of the companies’ customers and employees, including dates of birth, purchase histories, and passport numbers.

44 companies compromised

According to Jeremy Kirk, the executive editor of Cyber Threat Intelligence, the leak encompassed 44 companies, including Gap, Vietnam Airlines, Toyota, Disney, McDonald’s, IKEA, and Adidas, noting that the hacker group is well-known and operates out of countries including the UK, US, and Australia.

Kirk noted that the group is both established and technically adept, saying, "This particular group is not a new threat; they’ve been around for some time," adding, "But they’re very skilled in knowing how companies have connected different systems together."

In a previous statement to Guardian Australia, a Qantas spokesperson identified the company's post-attack priorities as ongoing vigilance and the continued provision of customer support, while a Salesforce spokesperson told Guardian Australia that the company will not "engage, negotiate, or pay any extortion demand."

In an official statement, the company said there was no evidence of a compromise to the Salesforce platform. “We are aware of recent extortion attempts by threat actors, which we have investigated in partnership with external experts and authorities. Our findings indicate these attempts relate to past or unsubstantiated incidents, and we remain engaged with affected customers to provide support,” the Salesforce statement said.