{
	"id": "f08e92af-35db-4a6f-bf9e-d0c46459edc3",
	"created_at": "2026-04-06T00:15:52.60267Z",
	"updated_at": "2026-04-10T03:34:59.547813Z",
	"deleted_at": null,
	"sha1_hash": "e3bc3538944ef4ada19a18c0d90924bd97ae7d67",
	"title": "Fashion giant Chanel hit in wave of Salesforce data theft attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2078341,
	"plain_text": "Fashion giant Chanel hit in wave of Salesforce data theft attacks\r\nBy Lawrence Abrams\r\nPublished: 2025-08-04 · Archived: 2026-04-05 18:46:10 UTC\r\nFrench fashion giant Chanel is the latest company to suffer a data breach in an ongoing wave of Salesforce data theft attacks.\r\nChanel says the breach was first detected on July 25th after threat actors gained access to a Chanel database hosted at a\r\nthird-party service provider, as first reported by WWD.\r\nThe breach only impacted customers in the United States and exposed personal contact information.\r\nhttps://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/\r\nPage 1 of 4\n\n0:00\r\nhttps://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/\r\nPage 2 of 4\n\nVisit Advertiser websiteGO TO PAGE\r\n\"Based on the findings of the investigation, the data obtained by the unauthorized external party contained limited details of\r\na subset of individuals who contacted our client care center in the U.S. —specifically name, email address, mailing address\r\nand phone number,\" a Spokesperson told WWD.\r\n\"No other information was contained in the database. The clients affected have been informed.\"\r\nWhile Chanel has not replied to our emails and the name of the third-party service provider was not mentioned,\r\nBleepingComputer has learned that it was stolen from the company's Salesforce instance.\r\nThis attack has been attributed to the ongoing wave of Salesforce data-theft attacks conducted by the ShinyHunters extortion\r\ngroup.\r\nAs first reported by Mandiant, threat actors have been actively targeting Salesforce customers in vishing (voice phishing)\r\nattacks to compromise credentials or to trick employees into authorizing a malicious OAuth app with their organization's\r\nSalesforce portal.\r\nOnce they gain access to the Salesforce instance, they exfiltrate the database and use it as leverage in extortion demands on\r\ncustomers.\r\nIn a statement to BleepingComputer, Salesforce emphasized that its platform was not compromised, but rather, customers'\r\naccounts are being breached in social engineering attacks.\r\n\"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform.\r\nWhile Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their\r\ndata safe — especially amid a rise in sophisticated phishing and social engineering attacks,\" Salesforce told\r\nBleepingComputer.\r\n\"We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication\r\n(MFA), enforcing the principle of least privilege, and carefully managing connected applications. For more information,\r\nplease visit: https://www.salesforce.com/blog/protect-against-social-engineering/.\"\r\nThe threat actors have not publicly leaked the data for any companies to date, with companies currently extorted via email.\r\nOther companies impacted in these Salesforce data theft attacks include Adidas, Qantas, Allianz Life, and the LVMH\r\nbrands, Louis Vuitton, Dior, and Tiffany \u0026 Co.\r\nBleepingComputer knows of other allegedly breached companies that have not yet disclosed attacks, but we have not been\r\nable to verify them independently as of yet.\r\nhttps://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/\r\nPage 3 of 4\n\nAutomated Pentesting Covers Only 1 of 6 Surfaces.\r\nAutomated pentesting proves the path exists. BAS proves whether your controls stop it. Most teams run one without the\r\nother.\r\nThis whitepaper maps six validation surfaces, shows where coverage ends, and provides practitioners with three diagnostic\r\nquestions for any tool evaluation.\r\nSource: https://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/\r\nhttps://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/\r\nPage 4 of 4",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/"
	],
	"report_names": [
		"fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks"
	],
	"threat_actors": [
		{
			"id": "c071c8cd-f854-4bad-b28f-0c59346ec348",
			"created_at": "2023-11-08T02:00:07.132524Z",
			"updated_at": "2026-04-10T02:00:03.422366Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "MISPGALAXY:ShinyHunters",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6f7f2ed5-f30d-4a99-ab2d-f596c1d413b2",
			"created_at": "2025-10-24T02:04:50.086223Z",
			"updated_at": "2026-04-10T02:00:03.770068Z",
			"deleted_at": null,
			"main_name": "GOLD CRYSTAL",
			"aliases": [
				"Scattered LAPSUS$ Hunters",
				"ShinyCorp",
				"ShinyHunters"
			],
			"source_name": "Secureworks:GOLD CRYSTAL",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "aa73cd6a-868c-4ae4-a5b2-7cb2c5ad1e9d",
			"created_at": "2022-10-25T16:07:24.139848Z",
			"updated_at": "2026-04-10T02:00:04.878798Z",
			"deleted_at": null,
			"main_name": "Safe",
			"aliases": [],
			"source_name": "ETDA:Safe",
			"tools": [
				"DebugView",
				"LZ77",
				"OpenDoc",
				"SafeDisk",
				"TypeConfig",
				"UPXShell",
				"UsbDoc",
				"UsbExe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "75108fc1-7f6a-450e-b024-10284f3f62bb",
			"created_at": "2024-11-01T02:00:52.756877Z",
			"updated_at": "2026-04-10T02:00:05.273746Z",
			"deleted_at": null,
			"main_name": "Play",
			"aliases": null,
			"source_name": "MITRE:Play",
			"tools": [
				"Nltest",
				"AdFind",
				"PsExec",
				"Wevtutil",
				"Cobalt Strike",
				"Playcrypt",
				"Mimikatz"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d8dff631-87b0-4320-8352-becff28dbcf1",
			"created_at": "2022-10-25T16:07:24.565038Z",
			"updated_at": "2026-04-10T02:00:05.034516Z",
			"deleted_at": null,
			"main_name": "ShinyHunters",
			"aliases": [],
			"source_name": "ETDA:ShinyHunters",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434552,
	"ts_updated_at": 1775792099,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e3bc3538944ef4ada19a18c0d90924bd97ae7d67.pdf",
		"text": "https://archive.orkl.eu/e3bc3538944ef4ada19a18c0d90924bd97ae7d67.txt",
		"img": "https://archive.orkl.eu/e3bc3538944ef4ada19a18c0d90924bd97ae7d67.jpg"
	}
}