Aero Mexico 2025 Data Breach

Aeromexico Airline Breach (Salesforce, 2025): 20.6 Million Customer Records Including Passport Numbers Exposed | ObscureIQ
ObscureIQ Breach Intelligence

Classification Tags

Scattered Lapsus$ Hunters (Scattered Spider + LAPSUS$ + ShinyHunters) · Travel: Air · Email Address · Full Name · Passport Number · Phone Number
High Severity · Website / service breach

Mexican airline operating domestic and international passenger services.

Verified by ObscureIQ Intelligence
Breach Risk Index: 69/100
Data Value: 29
Market Recency: 40
Since Breach: 206d

Breach Intelligence Summary

Entity: Aero Mexico · Actor: Scattered Lapsus$ Hunters (Scattered Spider + LAPSUS$ + ShinyHunters) · Sources: 2 references
Attack: Unknown
Profile: Company · Passenger air transportation · Commercial airline operations · Mexico / Global
Timeline: Breach (2025-10-10) · Indexed (Oct 03, 2025) · Year (2025)
Exposure: 20.6M records · 4 fields: Email Address, Full Name, Passport Number, Phone Number
Status: Reported

Executive Summary

Aeroméxico, the flag carrier airline of Mexico, was named on October 3, 2025 as one of approximately 39 victims of a coordinated data-theft campaign targeting Salesforce customer instances. The threat collective behind the campaign calls itself Scattered Lapsus$ Hunters and combines members of three established cybercrime groups: Scattered Spider, Lapsus$, and ShinyHunters.

The attackers did not exploit a vulnerability in Salesforce itself. They used social engineering, including voice phishing of employees and OAuth-token abuse via compromised third-party applications connected to Salesforce, to authorize malicious connected apps and export customer relationship management data through the platform's API. The Aeroméxico subset of the campaign reportedly exposed approximately 20.6 million customer records, with public reporting from threat-actor sources mentioning figures as high as 30 million. The fields included names, email addresses, phone numbers, and passport numbers held in the airline's Salesforce environment.

For affected passengers, the practical risk is unusually high because of the inclusion of passport numbers. Combined with name and contact data, passport details support international identity-verification bypass, fraudulent visa or travel-document applications, and credible impersonation in border or immigration contexts. Affected travelers should treat their passport details as compromised, monitor for unusual travel-related contact, and remain alert to phishing referencing past Aeroméxico bookings, Club Premier loyalty status, or customer service tickets. Anyone receiving extortion-style messages referencing the breach should report them to law enforcement and not engage with payment demands, since Salesforce and most named victims have publicly refused to negotiate.

ObscureIQ assessment: High risk of travel fraud, phishing, loyalty abuse, and booking impersonation. Flight data can also reveal travel patterns and periods of likely absence from home.

Breach Impact

The institutional impact on Aeroméxico has unfolded against an unusually crowded backdrop of similarly affected enterprises, including Toyota, FedEx, Disney, Marriott, Stellantis, Qantas, and dozens of others. That shared exposure spreads regulatory and journalistic attention across the cohort but does not reduce the airline's individual obligations under Mexican data-protection law. Aeroméxico faces likely customer notification, potential class-action exposure in jurisdictions where affected passengers reside, and reputational pressure tied to passport data being among the leaked fields. The Salesforce-based pathway also raises long-term questions about CRM consolidation and OAuth-token governance for the airline and its peers.

About Aero Mexico

Aeroméxico is the flag carrier airline of Mexico, headquartered in Mexico City and operating both domestic Mexican routes and international service across the Americas, Europe, and Asia. The airline is part of the SkyTeam alliance and runs the Club Premier loyalty program. As one of Mexico's largest airlines, it processes a high volume of passenger booking, identity, payment, and loyalty data through customer relationship management and reservation systems, including a Salesforce-based CRM environment used to manage customer engagement.

Why They Hold Your Data

Commercial airlines collect passenger identity, contact details, booking records, payment-adjacent information, itinerary data, and loyalty or support records across air-travel operations.

Recent Developments

Aeroméxico is one of dozens of organizations exposed in a wave of attacks against Salesforce customer instances by a threat collective calling itself Scattered Lapsus$ Hunters, which combines members of Scattered Spider, Lapsus$, and ShinyHunters. The group launched a public extortion portal on October 3, 2025 listing the airline alongside roughly 39 victims and set an October 10 ransom deadline. Salesforce publicly stated it would not pay extortion demands. Law enforcement, including the FBI and France's BL2C, took the public-facing portal offline. Aeroméxico has not issued detailed customer-facing statements about the incident as of early 2026.

Data Points Exposed

4 verified field types:
  • Email Address
  • Full Name (High)
  • Passport Number (Critical)
  • Phone Number

Exploitation & Downstream Threats

Threat Activity: High
Primary downstream threats:
  • SIM swap attacks where phone numbers are present
  • Targeted phishing campaigns using exposed email addresses
Threat vectors:
  • Phishing, credential stuffing & account takeover
  • Name-based social engineering
  • International identity fraud & border exploitation
  • SIM swapping, vishing & SMS phishing

Threat Actor: Scattered Lapsus$ Hunters (Scattered Spider + LAPSUS$ + ShinyHunters)

Attribution and method are based on available breach intelligence. Reported attack vector: Unknown.

Recommended Actions

If you believe your information may be included:

Protect Your ID Documents
Government-ID exposure enables document fraud — monitor and report misuse.
Enable MFA Everywhere
Turn on multi-factor authentication on email first, then financial accounts.
Report & Recover
If you spot misuse, start an official recovery plan and report fraud.

Frequently Asked Questions

What happened in the Aero Mexico breach?

Aeroméxico, the flag carrier airline of Mexico, was named on October 3, 2025 as one of approximately 39 victims of a coordinated data-theft campaign targeting Salesforce customer instances. The threat collective behind the campaign calls itself Scattered Lapsus$ Hunters and combines members of…

What data was exposed?

Verified fields include Email Address, Full Name, Passport Number, Phone Number.

What should I do if I was affected?

Change reused passwords, enable MFA, and (if identity or financial data is involved) freeze your credit and monitor your accounts.

Sources & References

Every claim on this page is traceable. This breach draws on:

  • Breach Index: DataBreach.com (record & field corroboration)
  • ObscureIQ Intelligence: ObscureIQ proprietary analysis (Risk Index scoring & downstream-threat assessment)
