Salesforce-Related Data Breach Impacting Pandora and Chanel

Two global fashion powerhouses — Pandora and Chanel — have confirmed data breaches stemming from a wave of sophisticated attacks targeting Salesforce users. The ongoing campaign, attributed to the ShinyHunters extortion group, relies heavily on social engineering, specifically phishing and vishing attacks, to exploit third-party integrations rather than Salesforce itself.

Pandora Confirms Breach via Salesforce

Pandora notified affected customers that their names, birthdates, and email addresses were accessed without authorization. The incident was traced to a third-party platform, which BleepingComputer later identified as Salesforce. Although no passwords or financial data were compromised, the stolen data poses reputational and phishing risks.

The attackers reportedly used OAuth token abuse or stolen credentials to extract Salesforce databases — a tactic observed across multiple affected organizations since at least January 2025.

Chanel Joins the List of Victims

Chanel’s breach, discovered on July 25, targeted customers of its U.S. client care center. According to the brand, only basic contact information — including names, email addresses, mailing addresses, and phone numbers — was exposed.

As with Pandora, Chanel’s data was exfiltrated from its Salesforce instance via a third-party provider. Despite public statements, both companies refrained from naming the platform, though threat intelligence points consistently to Salesforce integrations being exploited.

Salesforce Responds

Salesforce maintains that its platform has not been breached. Instead, it emphasizes the critical role of customers in enforcing robust security configurations. In a statement, Salesforce urges clients to:

  • Enable multi-factor authentication (MFA)
  • Enforce least privilege principles
  • Review and limit connected OAuth apps

Full guidance is available at: salesforce.com/blog/protect-against-social-engineering
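
One way to act on the "review and limit connected OAuth apps" item is to compare the org's per-user OAuth grants with an allowlist of vetted apps. The sketch below is an added example, not code from Salesforce or from this article; the record field names (AppName, UserId, LastUsedDate), the app names and the allowlist are assumptions, and the sample rows are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample rows, not real data. Field names are assumed to match
# an export of per-user OAuth token records from the org.
SAMPLE_TOKENS = [
    {"AppName": "approved-mail-sync", "UserId": "user-01",
     "LastUsedDate": "2025-07-30T09:12:00+00:00"},
    {"AppName": "approved-mail-sync", "UserId": "user-02",
     "LastUsedDate": "2025-02-01T10:00:00+00:00"},
    {"AppName": "Unreviewed-Export-Tool", "UserId": "user-03",
     "LastUsedDate": "2025-07-29T22:40:00+00:00"},
    {"AppName": "approved-reporting", "UserId": "user-04",
     "LastUsedDate": None},
]
APPROVED_APPS = {"approved-mail-sync", "approved-reporting"}  # hypothetical allowlist


def audit_tokens(tokens, approved, now, stale_days=90):
    """Return sorted (app, user, reason) findings for grants to review or revoke."""
    allow = {name.strip().lower() for name in approved}
    cutoff = now - timedelta(days=stale_days)
    findings = []
    for row in tokens:
        app = (row.get("AppName") or "").strip()
        user = row.get("UserId") or "unknown"
        if app.lower() not in allow:
            # A grant to an app nobody vetted is the primary finding,
            # regardless of how recently it was used.
            findings.append((app, user, "unapproved app"))
            continue
        last_used = row.get("LastUsedDate")
        if last_used is None:
            # Authorized but never exercised: unnecessary standing access.
            findings.append((app, user, "never used"))
        elif datetime.fromisoformat(last_used) < cutoff:
            # Approved app, but this user's grant has gone unused.
            findings.append((app, user, "stale grant"))
    return sorted(findings)


if __name__ == "__main__":
    now = datetime(2025, 8, 5, tzinfo=timezone.utc)
    for app, user, reason in audit_tokens(SAMPLE_TOKENS, APPROVED_APPS, now):
        print(f"{reason:15} {app:25} {user}")
```

Unapproved grants are the ones to revoke and investigate first; stale and never-used grants are candidates for removal under least privilege.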

Industry-Wide Impact

The campaign has affected high-profile companies, including Adidas, Qantas, Allianz Life, and several LVMH brands like Louis Vuitton, Dior, and Tiffany & Co. Threat actors are reportedly extorting companies privately, with the potential of mass data leaks if ransoms are not paid.

This growing list of victims should serve as a wake-up call: even without a platform vulnerability, weak access controls and unvetted third-party integrations remain critical attack vectors. CISOs must act now — harden Salesforce environments, audit app permissions, and implement phishing-resistant authentication methods to mitigate the threat.

When Pandora—the world-renowned jewelry giant—announced a data breach last week, many dismissed it as just another headline in a long list of cyber incidents. But what followed painted a very different picture.

Not long after, luxury fashion house Chanel reported a nearly identical breach. Both companies had customer data stolen. And both had something in common: their Salesforce environments were targeted—not by exploiting vulnerabilities in Salesforce itself, but through social engineering and malicious OAuth apps.

Welcome to the new frontier of cyberattacks.