Mexican airline Aeroméxico is reportedly the target of a massive ransomware attack that could have compromised the personal data of over 30 million customers, according to cybersecurity specialist Ignacio Gómez Villaseñor.
The ShinyHunters group claims responsibility, listing Aeroméxico among its victims on the dark web and threatening to release, on October 10, 172.9 GB of data containing names, emails, phone numbers, addresses, passports, and reservation details.
If true, this breach not only endangers millions of passengers but also opens the door to large-scale fraud, identity theft, and financial exploitation.
What Is Known So Far
Villaseñor published evidence on X (formerly Twitter) suggesting attackers hold real customer data from Aeroméxico, including:
- Full names and emails
- Phone numbers and postal addresses
- Passport numbers and identification
- Booking and itinerary data
ShinyHunters asserts the data covers 30 million people, making this incident one of the largest ever against a Mexican company.
Who’s Behind the Attack?
The perpetrators are believed to be ShinyHunters, a notorious international cybercrime collective known for high-profile leaks. Past victims include Ticketmaster, Microsoft, Disney/Hulu, FedEx, Google AdSense, Cisco, and others.
In this case, ShinyHunters appears to be collaborating with Scattered Spider, another group skilled in social engineering and remote access. Together, they form part of a new wave of cybercrime cartels blending ransomware, data theft, and extortion globally.
What Information May Have Leaked
The breach reportedly targets customer and reservation databases, which may include:
- Full names and email addresses
- Phone numbers and physical addresses
- Passport or official ID numbers
- Travel itineraries and booking details
While credit card numbers or CVVs have not been confirmed, the data could support phishing campaigns, identity fraud, or secondary attacks. Evidence suggests attackers accessed Salesforce CRM systems, as the exposed data uses Salesforce’s native format for accounts, contacts, and reservations.
Ransomware Trend Resurgence
This alleged hack comes amid a resurgence in ransomware attacks globally. A 2025 study by Hornetsecurity indicates 24% of organizations report being attacked—an increase from 18.6% in 2024.
Cybercriminals are now leveraging AI-driven phishing, cloud vulnerabilities, and third-party platform exploits. In Aeroméxico’s case, a breach in Salesforce—rather than direct network penetration—may have been the vector.
How to Protect Yourself
If you are (or were) a customer of Aeroméxico or any organization facing a data breach, take these immediate steps:
- Update your passwords and enable 2FA on all linked accounts
- Be cautious of phishing attempts—don’t share personal data in response to emails or calls
- Monitor bank and credit card activity and set transaction alerts
- Avoid clicking suspicious links or downloading attachments related to the breach
- Consider identity monitoring services that alert you if your data appears online
A Call to Strengthen Cybersecurity
This incident underscores that no organization is immune, even large ones with advanced infrastructure.
At TecnetOne, we view cybersecurity not as a cost but as an essential investment. Key strategies we advocate:
- Regular security audits
- Immutable backups
- Mandatory multi-factor authentication
- Continuous monitoring of cloud environments for anomalies
Conclusion
The Aeroméxico case is a stark reminder: reliance on cloud platforms and third-party systems carries significant risk. If confirmed, this could become one of Latin America’s most consequential data breaches.