Aeroméxico, the flag carrier airline of Mexico, was named on October 3, 2025 as one of approximately 39 victims of a coordinated data-theft campaign targeting Salesforce customer instances. The threat collective behind the campaign calls itself Scattered Lapsus$ Hunters and combines members of three established cybercrime groups: Scattered Spider, Lapsus$, and ShinyHunters.\n\nThe attackers did not exploit a vulnerability in Salesforce itself. They used social engineering, including voice phishing of employees and OAuth-token abuse via compromised third-party applications connected to Salesforce, to authorize malicious connected apps and export customer relationship management data through the platform's API. The Aeroméxico subset of the campaign reportedly exposed approximately 20.6 million customer records, with public reporting from threat-actor sources mentioning figures as high as 30 million. The fields included names, email addresses, phone numbers, and passport numbers held in the airline's Salesforce environment.\n\nFor affected passengers, the practical risk is unusually high because of the inclusion of passport numbers. Combined with name and contact data, passport details support international identity-verification bypass, fraudulent visa or travel-document applications, and credible impersonation in border or immigration contexts. Affected travelers should treat their passport details as compromised, monitor for unusual travel-related contact, and remain alert to phishing referencing past Aeroméxico bookings, Club Premier loyalty status, or customer service tickets. Anyone receiving extortion-style messages referencing the breach should report them to law enforcement and not engage with payment demands, since Salesforce and most named victims have publicly refused to negotiate.

Commercial airlines collect passenger identity, contact details, booking records, payment-adjacent information, itinerary data, and loyalty or support records across air-travel operations.

Aeroméxico is one of dozens of organizations exposed in a wave of attacks against Salesforce customer instances by a threat collective calling itself Scattered Lapsus$ Hunters, which combines members of Scattered Spider, Lapsus$, and ShinyHunters. The group launched a public extortion portal on October 3, 2025 listing the airline alongside roughly 39 victims and set an October 10 ransom deadline. Salesforce publicly stated it would not pay extortion demands. Law enforcement, including the FBI and France's BL2C, took the public-facing portal offline. Aeroméxico has not issued detailed customer-facing statements about the incident as of early 2026.