A third-party data breach affecting French luxury giant Chanel has leaked the personal information of American customers. Chanel says it discovered the leak, which stemmed from the ongoing data theft affecting CRM giant Salesforce, on July 25.
Cyber extortion group ShinyHunters or UNC6040 is attributed to the hacking campaign, which leverages voice phishing or vishing to trick employees into authorizing a malicious OAuth application on their organization’s Salesforce portal.
The threat actor claims they have breached over a dozen companies, including Louis Vuitton, Dior, Adidas, and Pandora through Salesforce.
How the Salesforce data breach unfolded
Apparently, the threat actor tricks unsuspecting employees via phone into authorizing a malicious Salesforce Data Loader tool, which allows bulk import of data into the Salesforce platform. They also have adopted other custom applications and Python scripts with similar capabilities.
Upon gaining access to the company’s portal on the Salesforce platform, they exfiltrate the most critical data and demand a ransom to avoid leaking the stolen information online.
Salesforce had warned companies about the ongoing hacking campaign, which does not exploit any of its products’ vulnerabilities. Google Threat Intelligence Group (GTIG) had also warned about the UNC6040 cyber activity that had also impacted its Salesforce data stores.
GTIG had anticipated that the threat group was preparing to escalate its cyber extortion campaign by launching a data leak site to compel companies to pay the ransom.
Chanel confirms third-party data breach from Salesforce hacking campaign
The third-party data breach affected a customer care database hosted by Salesforce. Upon learning of the data breach, Chanel activated its in-house cyber incident response protocols and engaged third-party cyber forensics to respond to the cyber attack.
Its subsequent investigation determined that the third-party data breach leaked the names, phone numbers, emails, and mailing addresses of people who had contacted the Chanel U.S. customer care center. However, the company has yet to disclose the number of customers affected by the Salesforce third-party data breach.
Luckily, the attackers did not steal customer financial data, such as bank accounts or credit card information, which could expose customers to potential fraud.
“Fortunately, no information that could be used to directly hack or steal from Chanel customers was leaked,” said Paul Bischoff, Consumer Privacy Advocate at Comparitech.
Nonetheless, the third-party data breach exposed impacted customers to potential targeted phishing attacks that could compromise more sensitive personal and financial data, such as Social Security Numbers and credit card information.
Subsequently, the luxury retailer advised customers to remain vigilant for targeted phishing (spearphishing) attacks by fraudsters attempting to obtain their personal information.
“Chanel customers should be on the lookout for targeted phishing messages in their email and texts from scammers posing as Chanel or a related company. Never click on links or attachments in unsolicited messages!” Bischoff added.
Most likely, ShinyHunters miscreants will use the stolen Channel customer data to craft alluring phishing messages, targeting impacted customers instead of demanding a ransom.
So far, Chanel has not disclosed receiving any ransom demands from the threat actor, who usually requests payment within 72 hours. Similarly, no evidence suggests the stolen data was publicly leaked or listed for auction on an illegal underground hacking forum.
In addition, the third-party data breach did not compromise Chanel’s internal IT infrastructure, as it was confined to the impacted vendor’s systems. Subsequently, its internal operations and customer-facing operations, including its e-commerce platforms and websites, remain operational.
“The Chanel breach is just the latest incident in a sweeping cybercrime wave orchestrated by the ShinyHunters group, which has been targeting Salesforce users in several countries since early 2025,” reiterated Chris Hauk, Consumer Privacy Champion at Pixel Privacy. “The bad actors gain access to an organization’s Salesforce instance the old-fashioned way, by tricking users into providing their login credentials to a malicious app, using the login to breach their data.”
