Chanel and Pandora have become the latest fashion giants to disclose breaches of customer data, in what appear to be attacks on their Salesforce accounts.
Danish jewelry retailer Pandora began notifying customers of the incident this week, according to screenshots posted to Reddit.
“We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party platform we use,” the notice read.
“We stopped the access and have further strengthened our security measures.”
According to the message, only names, birthdates and emails were impacted, with no financial data or passwords stolen.
However, this still represents a potentially major security risk for customers, according to Mark Weir, regional director of UK and Ireland at Check Point Software.
“This breach may involve only names, emails and birthdates, but that’s enough for phishing, credential stuffing and synthetic identity fraud. In cyber terms, this is a strong starting point for more serious attacks,” he warned.
“The attack came via a third-party platform – a common weak link in retail ecosystems. These integrations often lack visibility, yet when they’re breached, there’s no guarantee all affected customers will be told.”
Separately, Chanel informed its US customers of an incident it discovered on July 25, according to screenshots posted on X (formerly Twitter).
“Chanel became aware of a security incident involving a Chanel, Inc. database in the US hosted by a third-party service provider, where an unauthorized external party accessed and obtained some of the client data we hold,” it revealed.
“There was no malware deployed to our systems, and our operations remain unaffected.”
This time, the breach involved names, email and home addresses, and phone numbers.
ShinyHunters the Prime Suspect
Although the firms have yet to reveal any further details, suspicion is mounting that the attacks could be part of an ongoing data extortion campaign by the ShinyHunters (UNC6040) group.
The campaign was first flagged in June by Google Threat Intelligence, which revealed that the actors use voice phishing (vishing) techniques, posing as IT staff in calls to employees.
The actors then persuade victims to hand over their Salesforce credentials and MFA tokens, or to add a malicious version of Salesforce’s Data Loader app, giving the attackers access to the customer database.
In an update yesterday, Google said the group has now shifted to using Python scripts that perform a similar function to the Data Loader app, as well as TOR IPs to obfuscate their location.
Google added that the group, which has been linked to Scattered Spider/The Com, “may be preparing to escalate their extortion tactics by launching a data leak site.”
The tech giant also revealed that one of its own Salesforce instances had been breached by UNC6040 “for a small window of time.”
It claimed that the exfiltrated data “was confined to basic and largely publicly available business information, such as business names and contact details.”
Other companies suspected to have been victimized in a similar way by ShinyHunters include Allianz Life, Adidas, Qantas and several LVMH brands.
“It is now evident that every company with a Salesforce/CRM presence is a potential target, and threat actors use highly convincing phone and email lures, and do not rely on technical exploits – making staff the primary attack vector,” argued ColorTokens chief evangelist, Agnidipta Sarkar.
“In my opinion, apart from building awareness of outsourced helpdesks and support staff, cybersecurity leaders should immediately invest in technologies to reduce lateral movement, heavily restrict which employees can install or approve new Salesforce apps, use strict RBAC [role-based access] controls and microsegment cloud instances, enforce digital certificate-based passwordless authentication and continuously monitor the critical digital assets for anomalous and malicious behavior.”
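The controls discussed above (restricting which apps can be connected, and monitoring for anomalous access) can be expressed as a small log review. This is an added example, not code from the article, Google or Salesforce; the event schema, app names, IP addresses and thresholds are constructed assumptions. It flags an app authorization outside an approved list, activity from a listed anonymizer IP, and a per-user export volume that crosses a threshold within one hour.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed policy values; the event schema below is a hypothetical
# normalized format, not Salesforce's own log layout.
APPROVED_APPS = {"Data Loader (IT-managed)", "Marketing Sync"}
ANONYMIZER_IPS = {"203.0.113.77"}   # e.g. refreshed from a Tor exit-node feed
BULK_ROWS = 50_000                  # rows one user may pull per WINDOW
WINDOW = timedelta(hours=1)

def ev(ts, user, event, app, src_ip, rows=0):
    return dict(ts=ts, user=user, event=event, app=app, src_ip=src_ip, rows=rows)

# Constructed sample events (documentation IP ranges, invented users and apps).
EVENTS = [
    ev("2025-01-10T09:02:00", "a.jones", "api_query", "Marketing Sync", "198.51.100.10", 1200),
    ev("2025-01-10T14:31:00", "b.smith", "app_authorized", "My Ticket Portal", "198.51.100.23"),
    ev("2025-01-10T14:40:00", "b.smith", "api_query", "My Ticket Portal", "203.0.113.77", 30000),
    ev("2025-01-10T14:55:00", "b.smith", "api_query", "My Ticket Portal", "203.0.113.77", 40000),
    ev("2025-01-10T15:05:00", "b.smith", "api_query", "My Ticket Portal", "203.0.113.77", 10000),
]

def review(events):
    """Return (user, finding, detail) tuples in the order they were raised."""
    findings, seen = [], set()
    recent = defaultdict(list)      # user -> [(timestamp, rows)] inside WINDOW

    def flag(user, kind, detail):
        if (user, kind, detail) not in seen:   # report each distinct finding once
            seen.add((user, kind, detail))
            findings.append((user, kind, detail))

    for e in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(e["ts"])
        if e["event"] == "app_authorized" and e["app"] not in APPROVED_APPS:
            flag(e["user"], "unapproved_app_authorized", e["app"])
        if e["src_ip"] in ANONYMIZER_IPS:
            flag(e["user"], "anonymizer_source_ip", e["src_ip"])
        if e["event"] == "api_query":
            window = [(t, r) for t, r in recent[e["user"]] if ts - t <= WINDOW]
            before = sum(r for _, r in window)
            window.append((ts, e["rows"]))
            recent[e["user"]] = window
            # Raise only on the event that crosses the threshold.
            if before <= BULK_ROWS < before + e["rows"]:
                flag(e["user"], "bulk_export", before + e["rows"])
    return findings

if __name__ == "__main__":
    for finding in review(EVENTS):
        print(finding)
```

In practice the approved-app list would come from the organization's own connected-app inventory, and the three findings are most useful when correlated for the same user.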