Chanel data breach exposes US customer information in latest Salesforce attack


Luxury retailer Chanel notified US customers on Tuesday that their personal information was accessed last month in a data breach targeting its Salesforce platform, part of a months-long campaign by the notorious Shiny Hunters hacking group.

The July 25th attack, which Chanel said impacted a US-customer-only “client care database,” is the latest in a string of attacks targeting companies using the popular Salesforce Customer Relationship Management (CRM) software platform.

According to an initial report by Global Cosmetics News, the breach “exposed the names, emails, mailing addresses, and phone numbers of individuals who had contacted the Chanel US client care center.”

Chanel did confirm that the hackers were unable to access more sensitive data, such as financial and payment information. Additionally, the high-end retailer said its internal operations, website, and e-commerce platform were unaffected.

With over 300 Chanel boutiques worldwide and roughly 130 in North America, the century-old French fashion house is considered the #2 luxury brand worldwide, only surpassed by the luxury goods conglomerate LVMH (Louis Vuitton Moët Hennessy), according to Forbes.

Chanel said that, after becoming aware of the breach, it immediately activated incident response protocols and brought in third-party cybersecurity experts to help with remediation.

Chanel customers at risk of further targeted attacks

Headquartered in London, the luxury retailer urged customers to “remain vigilant” and look out for “phishing attempts or unsolicited communications.”

So far, there have been no reports of the customer information being published on the dark web or known hacker forums, a typical tactic used by Shiny Hunters in the past.

It is assumed the group will hold on to the stolen data to craft additional targeted phishing attacks at a later date. Chanel has not disclosed the number of customers that may have been impacted.

Researchers blame the Shiny Hunters cybercriminal group (UNC6040) for the hacking campaign. The threat actors engage the victims’ employees using a social engineering tactic known as voice phishing or vishing.

Juliette Hudson, CTO of cybersecurity firm CybaVerse, says the success of Shiny Hunters emphasises how severe the threat of vishing is today.

“While employees have traditionally been trained to be wary of email and SMS, fewer are prepared for the sophisticated forms of impersonation that can be performed via a phone call, and with the rise of AI voice cloning, these attacks are only becoming more convincing,” Hudson explains.

The CTO further warns that AI tools enable bad actors to spin up convincing spoofed domains with ease.

Shiny Hunters exploits cyber weak employees

In June, the Google threat intel group Mandiant warned organizations in the US and Europe of an uptick in the group’s targeted attacks against Salesforce customers.

Shiny Hunters is said to have successfully gained access to the CRM systems of over a dozen major companies in the vishing campaign, including two other French luxury brands, Louis Vuitton and Dior, part of the LVMH group, as well as the Adidas apparel brand and the Danish jewelry-maker Pandora.

Earlier on Tuesday, the Cisco Systems network solutions company also reported that hackers had exfiltrated its customer data by gaining unauthorized access to its CRM platform, although Cisco did not provide the name of the customer relationship management software it uses.

Earlier this spring, Salesforce posted a warning to its customers about attacks targeting Salesforce instances, which most often trick the victim's employees into downloading a maliciously modified version of the Salesforce Data Loader tool.

The Data Loader tool is designed to allow the user to bulk import data into Salesforce environments, so a modified version essentially gives hackers access to the data stored in the victim’s CRM platform.

Hudson says employees are likely much less guarded following instructions over a phone call than they would be following links from an email, adding that education is key.

“Special emphasis needs to be given to these attacks in training. More importantly, organisations need to adopt stronger protocols for phone calls,” she said.

A Salesforce spokesperson told Reuters at the time that there was no indication of any inherent vulnerabilities in the Salesforce platform and that the voice calls used to trick employees were “targeted social engineering scams designed to exploit gaps in individual users’ cybersecurity awareness and best practices.”

Hudson suggests that helpdesk and IT staff should start routinely authenticating themselves to employees before asking for sensitive information.

“This will likely slow down calls and impact productivity, and might be unappealing to large companies, but the potential damage incurred from attacks will eventually outweigh this friction, and for companies who continue to ignore these attacks, it will only be a matter of time,” Hudson said.

Also believed to be caught up in the Shiny Hunters Salesforce attacks are Qantas airline, Allianz Life insurance company, and the UK-based Coca-Cola Europacific Partners.