Chanel confirms US data breach amid broader wave of Salesforce-linked attacks

Salesforce says its core platform remains secure

French luxury brand Chanel has confirmed a data breach involving personal information of US-based clients.

The incident adds Chanel to a growing list of global companies impacted by an ongoing wave of targeted attacks attributed to the ShinyHunters extortion group.

Chanel said it discovered the breach on 25th July, after detecting unauthorised access to a database hosted by a third-party service provider.

"Based on the findings of the investigation, the data obtained by the unauthorized external party contained limited details of a subset of individuals who contacted our client care center in the U.S. - specifically name, email address, mailing address, and phone number," a Chanel spokesperson told WWD.

"No other information was contained in the database. The clients affected have been informed."

While the company did not name the service provider, BleepingComputer reported that the data was stolen from a Salesforce instance.

Coordinated campaign

The Chanel breach is the latest in a series of coordinated attacks targeting Salesforce customers.

Google's Threat Intelligence Group (GTIG) said in June that a threat actor group tracked as UNC6040 has been conducting sophisticated social engineering attacks, primarily through vishing (voice phishing) and phishing campaigns impersonating IT support teams.

In these schemes, employees were tricked into visiting Salesforce's connected app setup page and entering a "connection code" that effectively linked a malicious OAuth app – often masquerading as "My Ticket Portal" – to their company's Salesforce environment.

This allowed attackers to siphon off sensitive customer data from cloud-based CRM systems.

Credentials and multi-factor authentication (MFA) tokens were also stolen using phishing pages designed to look like Okta login portals, making the attacks especially difficult to detect.

High-profile victims

In recent months, multiple major brands have disclosed breaches involving similar tactics. LVMH subsidiaries including Louis Vuitton, Dior, and Tiffany & Co. acknowledged unauthorised access to customer information. Tiffany Korea noted that attackers infiltrated a vendor platform used for managing customer data.

Adidas, Qantas, and Allianz Life have also reported breaches linked to third-party CRM platforms.

ShinyHunters has been identified as the actor behind these attacks. The group is currently said to be extorting victims privately via email, threatening to release stolen information if ransom demands are not met.

Salesforce denies platform compromise

In response to the incidents, Salesforce issued a statement claiming that its core platform remains secure.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform," the company told BleepingComputer.

"While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe - especially amid a rise in sophisticated phishing and social engineering attacks."

Salesforce has urged its clients to adopt security best practices, including enabling MFA, enforcing least privilege access, and closely monitoring connected apps.
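One way to act on the advice to monitor connected apps, shown as an added example that comes from neither the article nor Salesforce: it checks an export of connected-app authorizations against a reviewed allowlist. The CSV columns, the allowlist, the burst heuristic and the sample rows are constructed assumptions; only the app name "My Ticket Portal" comes from the reporting above.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample export of connected-app OAuth authorizations.
# Column names are assumptions for this example, not a Salesforce schema.
SAMPLE_EXPORT = """app_name,user,authorized_at
Marketing Sync,alice@example.com,2025-01-06T09:12:00
My Ticket Portal,bob@example.com,2025-01-15T14:03:00
My Ticket Portal,carol@example.com,2025-01-15T14:41:00
Data Loader,dave@example.com,2025-01-10T08:30:00
"""

# Hypothetical allowlist of connected apps the security team has reviewed.
APPROVED_APPS = {"marketing sync", "data loader"}

def normalize(name):
    """Case-fold and collapse whitespace so trivial name variations still match."""
    return " ".join(name.casefold().split())

def find_unapproved_authorizations(export_text, approved=APPROVED_APPS,
                                   burst_window=timedelta(hours=1)):
    """Group authorizations of apps outside the allowlist, one finding per app."""
    by_app = defaultdict(list)
    for row in csv.DictReader(io.StringIO(export_text)):
        app = normalize(row["app_name"])
        if app not in approved:
            when = datetime.fromisoformat(row["authorized_at"])
            by_app[app].append((when, row["user"]))

    findings = []
    for app, events in sorted(by_app.items()):
        events.sort()
        # Heuristic (an assumption): different users authorizing the same
        # unreviewed app within a short window suggests a coordinated lure.
        burst = any(b[0] - a[0] <= burst_window and a[1] != b[1]
                    for a, b in zip(events, events[1:]))
        findings.append({
            "app": app,
            "users": sorted({user for _, user in events}),
            "first_seen": events[0][0].isoformat(),
            "burst": burst,
        })
    return findings

if __name__ == "__main__":
    for finding in find_unapproved_authorizations(SAMPLE_EXPORT):
        print(finding)
```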

Commenting on the Chanel breach, Max Vetter, VP of Cyber at Immersive, said: "Luxury brands are perceived as more valuable targets than other retailers because attackers can access the personal data of high-net-worth individuals. Cybercriminals may use this data to extort individual victims as well as the company itself, or for targeted scams against high-net-worth individuals."

"For brands such as Chanel, long-term brand loyalty and trust are critical. Therefore, clear communication following a breach is essential. Customers will want explicit assurances about the impact on their personal data and the steps they can take to protect themselves. Companies need to provide clarity on exactly what data, and which individuals, have been affected.

"The breach also further highlights the importance of regularly tested incident response plans. Business leaders must be able to demonstrate cyber capabilities across their workforce through regular exercises, and improve them through targeted training, in order to identify and address skills gaps before the next crisis strikes."