{
	"id": "58b147d1-7801-41ab-b787-eb02fc310ca5",
	"created_at": "2026-04-06T00:10:52.322879Z",
	"updated_at": "2026-04-10T03:34:59.5432Z",
	"deleted_at": null,
	"sha1_hash": "a2efd584a2168e7dadd06ce2c68f8e04b1710f91",
	"title": "Pandora confirms data breach amid ongoing Salesforce data theft attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2271302,
	"plain_text": "Pandora confirms data breach amid ongoing Salesforce data theft\r\nattacks\r\nBy Lawrence Abrams\r\nPublished: 2025-08-05 · Archived: 2026-04-05 18:30:44 UTC\r\nDanish jewelry giant Pandora has disclosed a data breach after its customer information was stolen in the ongoing Salesforce\r\ndata theft attacks.\r\nPandora is one of the largest jewellery brands in the world, with 2,700 locations and over 37,000 employees.\r\n\"We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party\r\nplatform we use,\" reads a Pandora data breach notification sent to customers.\r\nhttps://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"We stopped the access and have further strengthened our security measures.\"\r\nAs first reported by Forbes, only customers' names, birthdates, and email addresses were stolen in the attack. Passwords,\r\nIDs, and financial information were not exposed.\r\nPandora data breach notification\r\nSource: Reddit\r\nWhile Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen\r\nfrom the company's Salesforce database.\r\nSince at least January 2025, if not earlier, threat actors have been conducting social engineering and phishing campaigns\r\ntargeting companies' employees and help desks.\r\nThese attacks are designed to steal Salesforce credentials or trick employees into authorizing a malicious OAuth application\r\nto their Salesforce account.\r\nUsing this access, the threat actors download and steal the company's Salesforce database, which is then used to extort the\r\ncompany into paying a ransom to prevent the data from being leaked.\r\nShinyHunters confirmed to BleepingComputer that they are privately extorting companies and will perform a mass sale or\r\nleak of companies that do not pay a ransom in the future, like they did in the Snowflake data-theft attacks.\r\nThe threat actor also confirmed that the attacks are ongoing, so all companies should review Salesforce's recommendations\r\non hardening their accounts.\r\n\"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform.\r\nWhile Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their\r\nhttps://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/\r\nPage 3 of 4\n\ndata safe — especially amid a rise in sophisticated phishing and social engineering attacks,\" Salesforce told\r\nBleepingComputer.\r\n\"We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication\r\n(MFA), enforcing the principle of least privilege, and carefully managing connected applications. For more information,\r\nplease visit: https://www.salesforce.com/blog/protect-against-social-engineering/.\"\r\nOther companies impacted in these attacks include Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis\r\nVuitton, Dior, and Tiffany \u0026 Co.\r\nHowever, BleepingComputer has been told that there are many more that remain undisclosed.\r\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/\r\nhttps://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks/"
	],
	"report_names": [
		"pandora-confirms-data-breach-amid-ongoing-salesforce-data-theft-attacks"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434252,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a2efd584a2168e7dadd06ce2c68f8e04b1710f91.pdf",
		"text": "https://archive.orkl.eu/a2efd584a2168e7dadd06ce2c68f8e04b1710f91.txt",
		"img": "https://archive.orkl.eu/a2efd584a2168e7dadd06ce2c68f8e04b1710f91.jpg"
	}
}