National charity Lifeline Australia has confirmed it was the victim of a data breach after a threat actor posted alleged staff information on the dark web.

In a post to an underground hacking forum over the weekend, the threat actor claimed to have stolen more than 10,600 data records from Lifeline.

The hacker claimed that names, dates of birth, workplace email addresses, phone numbers and contact numbers for messaging platform WhatsApp were among the compromised details.

While Lifeline operates a free 24/7 crisis support service, the post appeared to relate primarily to staff and volunteer information rather than help seekers.

A spokesperson for the charity confirmed to Information Age that no data related to help seeker data, personal contact information or financial details had been accessed.

“The investigation into this incident is ongoing,” they said.

“However, an initial assessment has determined that some Lifeline staff and volunteer information was accessed by an unauthorised party.”

The spokesperson said Lifeline became aware of the dark web post on Sunday.

“We immediately engaged external cyber security experts, began investigating the claim, and took steps to identify and remediate any potential vulnerabilities in our systems,” they said.

“Out of an abundance of caution, Lifeline Australia has begun contacting people who may have been impacted where possible and we are raising awareness of potential scam activity with our staff and volunteer community.”

“We will continue to monitor the situation and work with external agencies, including our cyber security providers and law enforcement.”

Hacker lists worker and volunteer data

The forum post included excerpts from three records within the alleged 10,600-record dataset.

One appeared to identify a Lifeline community engagement liaison officer, another a program manager, and a third referenced a volunteer role.

Information Age was able to confirm two persons named in the hacker’s post had indeed worked at Lifeline.

The hacker did not claim to have obtained donor information, although one of the allegedly leaked fields related to automated billing.

The Lifeline spokesperson said the organisation had also found that some of the information contained in the dark web post appeared to have been “doctored to include falsified information”.

Other data allegedly exposed included department names, office locations and internal system metadata.

According to Lifeline’s website, the charity is supported by more than 10,000 volunteers.

At least 25 Australian entities targeted since February

The threat actor first emerged in February, when they claimed to be selling 10.2 million records allegedly stolen from dropshipping platform Spocket.

Threat intelligence platform Vecert has since linked the actor to around 40 targets, including at least 25 Australian organisations.

The remaining alleged victims were located in the US, New Zealand, the United Arab Emirates, Singapore, and several other countries.

In some cases, the hacker has used compromised systems to message victims and journalists directly as proof of their exploits.

After claiming to have stolen the data of more than 340,000 customers at Melbourne International Film Festival (MIFF), the hacker used the festival’s official communication channels to email victims a nonsensical message stating: “i feel like miley cyrus sometimes” [sic].

The threat actor’s alleged victims have included non-critical organisations – such as screen museum ACMI, lingerie retailer Debras, and luxury travel agency Firstclass – and government and healthcare entities such as Centrelink, Ochre Health, and Elina Medical Weight Loss Clinic.

Nalin Arachchilage, associate professor in cybersecurity at RMIT University, told Information Age the hacker’s attack pattern suggested a degree of “opportunism” rather than being motivated by a specific ideology.

“Traditionally, if a threat actor is politically motivated or focused on a specific cause, they tend to target a narrow set of organisations,” he said.

“In contrast, the reported victims linked to [the hacker] span entertainment, retail, healthcare, government-related entities, and charities.

“That diversity suggests the actor is looking for vulnerable targets wherever they can find them rather than pursuing a specific social or political agenda.”

Arachchilage also warned that information exposed in the Lifeline breach could be used in future scams.

“For people who have relied on Lifeline during difficult moments, the good news is there's currently no indication that crisis-support conversations have been exposed,” he said.

“Right now, I think the biggest risk may not be what criminals can read in the data, but what they can do with it.

“Even basic personal information can become ammunition for scams.”