The 23 Million Record Leak: How a Salesforce Backdoor Turned Vietnam Airlines Into a Hacker’s Gold Mine


Published by CyberDudeBivash Pvt Ltd · Senior Cloud Forensics & Aviation Security Unit


Critical Breach Alert · Salesforce Infiltration · 23 Million Records · Aviation Risk


By CyberDudeBivash

Founder, CyberDudeBivash Pvt Ltd · Senior Cloud Vulnerability Architect

The Tactical Reality: The aviation sector’s digital “Black Box” has been cracked wide open. In late 2025, a massive exfiltration campaign against Vietnam Airlines was unmasked, revealing the exposure of over 23 million passenger records. This wasn’t a sophisticated nation-state zero-day; it was a catastrophic Salesforce Community misconfiguration. By exploiting a “Ghost Site” vulnerability—a legacy Salesforce Community page that was forgotten by IT but still connected to the production database—attackers were able to query sensitive PII, passport numbers, and frequent flyer data with zero authentication.

In this CyberDudeBivash Strategic Deep-Dive, we unmask the mechanics of the Vietnam Airlines Salesforce hijack. We analyze the SOQL Injection vectors, the Guest User Permission (GUP) bypass, and the Darknet auction cycles where this data is currently fueling high-tier identity theft across Southeast Asia. If your enterprise uses Salesforce Experience Cloud, you are likely hosting a backdoor you don’t even know exists.


1. Anatomy of the Salesforce ‘Ghost Site’: The Forgotten Entry Point

The Vietnam Airlines breach unmasked a systemic risk in SaaS management: Configuration Drift. Over several years, the airline deployed various Salesforce Communities for customer support, COVID-19 travel requirements, and loyalty programs. While the “Front-End” of many sites was retired, the Salesforce Sites remained active on the backend.

The Exploit Mechanism: The attackers used automated scanners to find endpoints ending in .force.com or .my.site.com. They discovered a legacy community page where the “Guest User Profile” had been granted **’Read’ access** to the Contact and Loyalty_Program__c objects. Because Salesforce shares a common data model across all sites in an Org, this forgotten page acted as a high-speed straw siphoning data from the entire airline database.


2. SOQL Injection: Querying the Gold Mine Without a Key

Once the “Ghost Site” was unmasked, the attackers didn’t need to bypass a firewall. They used Salesforce Object Query Language (SOQL). By sending crafted requests to the /aura or /lightning endpoints of the guest-accessible site, they were able to enumerate the entire database.

The Tactical Workflow:

  • Object Discovery: Using /services/data/vXX.X/sobjects/ to list all visible tables.
  • Bulk Exfiltration: Utilizing the Salesforce Bulk API (accessible via the Guest User session) to export 100,000 records at a time into CSV format.
  • Identity Scraping: Specifically targeting fields like Passport_Number__c, Date_of_Birth__c, and Home_Address__c.

4. Why Airlines are the Ultimate CRM Gold Mine

For threat actors, an airline’s Salesforce Org is the holy grail. It doesn’t just contain email addresses; it contains Verified Identities.

CyberDudeBivash Intelligence: The Vietnam Airlines leak is particularly lethal because it includes Lotusmiles Frequent Flyer credentials. These points can be “washed” into travel vouchers or sold on the darknet. More dangerously, the passport and travel history data allows state-sponsored actors to track the movements of high-value individuals, making this a National Security Threat as much as a privacy breach.

5. The CyberDudeBivash Cloud Mandate

We do not suggest cloud security; we mandate it. To prevent your SaaS infrastructure from becoming a “Gold Mine” for hijackers, every Salesforce Admin must implement these four pillars of Org integrity:

I. Guest User Access Lockdown

Enforce the **Salesforce Guest User Security Policy**. Ensure “Secure guest user record access” is enabled and audit all Sharing Rules. Guest users should have Zero Access to PII objects by default.

II. ‘Ghost Site’ Decommissioning

Perform a monthly audit of all active Sites and Communities. If a site is not actively serving a business purpose, Deactivate it. Don’t just remove the URL; kill the site configuration.

III. Phish-Proof Admin Identity

Salesforce ‘System Administrator’ keys are the new nuclear launch codes. Mandate FIDO2 Hardware Keys from AliExpress for every user with “Modify All Data” permissions.

IV. Behavioral API EDR

Deploy **Kaspersky Hybrid Cloud Security**. Monitor for anomalous “Bulk API” requests or high-frequency SOQL queries originating from unauthenticated Guest User sessions.
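The monitoring rule in pillar IV, as an added example that is not part of the original post: it reads Salesforce EventLogFile-style API rows and flags any guest session that fires queries faster than a site page plausibly would, reads an outsized number of rows, or touches the Bulk API at all. The column names, the assumption that USER_TYPE 'G' denotes a guest user, the thresholds and the sample rows are all constructed for the example.

```python
# Added example (not from the original post): flag guest-session API abuse in
# Salesforce EventLogFile-style rows. Assumptions: columns mimic the API/BulkApi
# event types; USER_TYPE 'G' means a Guest (unauthenticated site) user.
import csv
import io
from collections import defaultdict

GUEST_USER_TYPE = "G"         # assumption: 'G' marks a guest user in USER_TYPE
MAX_CALLS_PER_MINUTE = 5      # tunable: a guest page should not fire more queries
MAX_ROWS_PER_SESSION = 5_000  # tunable: more rows than one guest interaction needs


def build_sample_log():
    """Constructed log: one abusive guest session, one benign, one internal user."""
    rows = ["EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,USER_TYPE,SESSION_KEY,URI,ROWS_PROCESSED"]
    for i in range(8):  # sessA: 8 large queries inside one minute, then a Bulk job
        rows.append(f"API,2025-11-03T09:00:{i:02d}Z,005GUEST0001,G,sessA,/services/data/v59.0/query,2000")
    rows.append("BulkApi,2025-11-03T09:01:10Z,005GUEST0001,G,sessA,/services/async/59.0/job,100000")
    rows.append("API,2025-11-03T09:02:00Z,005GUEST0001,G,sessB,/services/data/v59.0/query,3")
    for i in range(8):  # sessC: an authenticated admin doing the same volume
        rows.append(f"API,2025-11-03T09:00:{i:02d}Z,005ADMIN0001,S,sessC,/services/data/v59.0/query,2000")
    return "\n".join(rows) + "\n"


def analyze(csv_text):
    """Return one alert per guest session that trips a threshold, sorted by session."""
    sessions = defaultdict(lambda: {"user": "", "rows": 0, "bulk": 0, "per_min": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["USER_TYPE"] != GUEST_USER_TYPE:
            continue  # authenticated users are covered by normal user monitoring
        s = sessions[row["SESSION_KEY"]]
        s["user"] = row["USER_ID"]
        s["rows"] += int(row["ROWS_PROCESSED"] or 0)
        s["bulk"] += 1 if row["EVENT_TYPE"] == "BulkApi" else 0
        s["per_min"][row["TIMESTAMP_DERIVED"][:16]] += 1  # bucket by YYYY-MM-DDTHH:MM
    alerts = []
    for key, s in sessions.items():
        reasons = []
        peak = max(s["per_min"].values())
        if s["bulk"]:
            reasons.append(f"{s['bulk']} Bulk API event(s) from a guest session")
        if peak > MAX_CALLS_PER_MINUTE:
            reasons.append(f"{peak} API calls in one minute (limit {MAX_CALLS_PER_MINUTE})")
        if s["rows"] > MAX_ROWS_PER_SESSION:
            reasons.append(f"{s['rows']} rows read (limit {MAX_ROWS_PER_SESSION})")
        if reasons:
            alerts.append({"session": key, "user": s["user"], "reasons": reasons})
    return sorted(alerts, key=lambda a: a["session"])
```

Running `analyze(build_sample_log())` flags only sessA, on all three counts; the admin session with identical volume is left to ordinary user monitoring because it is authenticated.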


6. Automated Salesforce Exposure Script

To verify if your Salesforce Org is vulnerable to the same guest-user enumeration that hit Vietnam Airlines, execute this forensic check using the Salesforce CLI (SFDX):

```shell
# CyberDudeBivash Salesforce Guest Exposure Auditor v2026.1
# Run against an org you are already authenticated to with the Salesforce CLI.
# Field names differ between API versions; confirm them first with
#   sfdx force:schema:sobject:describe -s Network

# Check which Experience Cloud sites (Network) are exposed to guest users
sfdx force:data:soql:query -q "SELECT Title, IsExposedFromGuest FROM Network"

# Audit profile-owned permission sets that grant Read or View All on Contact
sfdx force:data:soql:query -q "SELECT Parent.Name, SobjectType, PermissionsRead, PermissionsViewAll FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true AND (PermissionsRead = true OR PermissionsViewAll = true) AND SobjectType = 'Contact'"
```

Expert FAQ: The Salesforce Aviation Crisis

Q: If Salesforce is “Secure by Default,” how did this happen?

A: “Secure by Default” only works for new configurations. For Orgs created before 2021, many legacy Guest User permissions were grandfathered in. Vietnam Airlines likely had legacy “Sharing Rules” that were never updated to comply with modern Salesforce hardening standards.

Q: Should passengers change their passports after this leak?

A: If your passport number was leaked, you are at high risk for Synthetic Identity Theft. While you may not need a new physical passport immediately, you should place a “Security Freeze” on your credit reports and monitor for unauthorized bank accounts being opened in your name.


Your Cloud Org is a Door. Lock It.

The 23 Million Record Leak is a reminder that the convenience of the cloud comes with the risk of the “Open Window.” If your Salesforce Org hasn’t performed a forensic permission audit in the last 30 days, you are an open target. Reach out to CyberDudeBivash Pvt Ltd for elite SaaS forensics and cloud hardening today.


COPYRIGHT © 2026 CYBERDUDEBIVASH PVT LTD · ALL RIGHTS RESERVED
