Luxury fashion house Chanel is the latest high-profile company to fall victim to a widespread data theft campaign targeting users of the Salesforce platform. The breach, which was discovered on July 25, compromised the personal contact information of U.S. customers who had interacted with the brand’s customer service department.
According to reports, the attack is part of a larger series of cyber intrusions believed to be the work of the ShinyHunters extortion group. This criminal organization has been leveraging sophisticated social engineering tactics, including voice phishing, to trick employees into granting them access to their company’s Salesforce environments. Once inside, the attackers exfiltrate sensitive data, which is then used in extortion attempts.
Chanel confirmed that the stolen data included names, email addresses, postal addresses, and phone numbers. The company has stressed that no other customer data was affected and that it has since informed all concerned U.S. clients. While Chanel did not publicly name the external service provider involved, cybersecurity researchers have linked the incident to the fashion house’s Salesforce instance.
This incident is part of a troubling trend that has seen a number of major brands, including Adidas, Qantas, and several LVMH brands like Louis Vuitton and Dior, suffer similar attacks. Salesforce, the cloud-based software giant, has stated that its platform itself has not been compromised. Instead, the company attributes the breaches to social engineering and a failure by customers to adhere to cybersecurity best practices. Salesforce has consistently urged its clients to implement multi-factor authentication, limit access privileges, and carefully manage connected applications to bolster their defenses against such threats.
The ongoing campaign highlights the growing sophistication of cybercriminals who are increasingly focusing on human vulnerabilities rather than technical ones. For companies that rely on powerful and interconnected platforms like Salesforce, these incidents serve as a stark reminder that robust security measures and thorough employee training are crucial in the fight to protect sensitive data from modern-day digital threats.
