Fashion Giant Chanel Hit by ShinyHunters in Salesforce Data Theft Campaign


French fashion giant Chanel has confirmed a data breach affecting its U.S. customer database. The attack is part of a broader Salesforce credential theft and extortion campaign tied to the ShinyHunters threat group. Threat actors gained access via social engineering and abused OAuth integrations, enabling the exfiltration of customer data from a third-party Salesforce service provider.

Severity Level: High

Incident Overview

  • Breach Detected: July 25, 2025
  • Customer Notification: August 1, 2025
  • Attack Vector: Social engineering and abuse of OAuth access to a third-party Salesforce instance
  • Geographic Scope: Limited to United States customer data
  • Response Status: Investigation completed; affected individuals notified

How The Breach Happened

The breach occurred through a compromise of a third-party service provider hosting Chanel’s Salesforce database. The attackers did not exploit a vulnerability in Salesforce itself. Instead, they used vishing (voice phishing) attacks and malicious OAuth app authorization techniques to:

  • Trick employees or customer service agents into granting app permissions.
  • Gain tokenized access to Salesforce customer data.
  • Exfiltrate data from the backend without breaching Salesforce’s platform directly.

Salesforce has emphasized that its platform was not compromised and that the attack stemmed from customers failing to secure their access points against sophisticated phishing schemes.

Data Exposed During The Breach

  • The attackers accessed a subset of U.S. customer records containing: Full Name, Email Address, Mailing Address, and Phone Number.
  • No financial information, login credentials, or sensitive account data was reported as exposed. The data primarily belonged to individuals who interacted with Chanel’s customer care center.

Threat Actor Profile: ShinyHunters

  • Type: Cybercriminal extortion group
  • Known For: Large-scale data breaches, account takeovers, and blackmail operations
  • Recent Victims:
    • Qantas (57M affected)
    • Allianz Life (14M+)
    • Adidas
    • LVMH subsidiaries: Louis Vuitton, Dior, Tiffany & Co.
  • Tactics:
    • Social Engineering (vishing, phishing)
    • OAuth Abuse
    • Exfiltration followed by extortion via email

Lessons Learned

  • The breach illustrates the rising risk of social engineering attacks targeting high-profile brands, emphasizing the need for continuous security awareness training and phishing simulations for all staff.
  • OAuth App Access is a Blind Spot. Organizations must treat OAuth app permissions with the same security posture as credential-based logins.
  • Proper configuration of Salesforce and regular review of integrated apps is essential.

Recommendations

  1. Perform Continuous Risk Assessments on third-party platforms, especially those storing customer data (e.g., CRM systems like Salesforce).
  2. Enforce Multi-Factor Authentication (MFA) on all Salesforce and related SaaS accounts—prefer hardware tokens or app-based authenticators over SMS.
  3. Restrict OAuth App Access to pre-approved applications only using app whitelisting features in Salesforce and identity providers.
  4. Regularly audit and remove unused or risky OAuth-connected applications from Salesforce and third-party ecosystems.
  5. Configure Salesforce Connected App Policies to limit token scope, session duration, and permitted users.
  6. Conduct vishing and phishing simulation exercises specifically focused on SaaS platforms and OAuth workflows.
  7. Provide contextual training to employees (especially customer service and IT) about malicious OAuth consent prompts.
  8. Limit Scope of Data Stored in SaaS platforms to only what is strictly necessary.
  9. Enable Salesforce Shield or third-party logging tools to monitor for:
    • Unusual API activity
    • New OAuth app authorizations
    • Bulk data exports
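
The three signals in recommendation 9 can be correlated rather than alerted on separately. The sketch below is an added example, not part of the original advisory or any vendor's code; the event schema, app names, users and thresholds are constructed assumptions, so map your own log export onto these fields before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values; tune to your environment.
APPROVED_APPS = {"Approved Data Loader"}
BULK_ROWS = 10_000                      # rows per export treated as bulk
API_CALLS_PER_HOUR = 500                # per-user hourly ceiling
GRANT_WINDOW = timedelta(hours=24)      # grant-to-export correlation window

# Constructed events in a hypothetical normalized schema (not a native log format).
SAMPLE_EVENTS = [
    {"ts": "2025-07-24T09:00:00", "type": "oauth_authorize", "user": "agent7", "app": "Approved Data Loader"},
    {"ts": "2025-07-24T14:02:00", "type": "oauth_authorize", "user": "agent3", "app": "unreviewed-connector"},
    {"ts": "2025-07-24T14:10:00", "type": "api_call", "user": "agent3", "app": "unreviewed-connector", "count": 300},
    {"ts": "2025-07-24T14:40:00", "type": "api_call", "user": "agent3", "app": "unreviewed-connector", "count": 350},
    {"ts": "2025-07-24T15:05:00", "type": "export", "user": "agent3", "app": "unreviewed-connector", "rows": 48000},
    {"ts": "2025-07-24T16:00:00", "type": "export", "user": "agent7", "app": "Approved Data Loader", "rows": 1200},
    {"ts": "2025-07-24T17:30:00", "type": "export", "user": "agent9", "app": "Approved Data Loader", "rows": 20000},
]

def detect(events, approved=APPROVED_APPS):
    """Return (rule, user, detail) alerts for the three signals, in time order."""
    alerts = []
    grants = {}                          # (user, app) -> time of unapproved grant
    api_calls = defaultdict(int)         # (user, hour) -> call count
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, app = datetime.fromisoformat(ev["ts"]), ev["user"], ev.get("app")
        if ev["type"] == "oauth_authorize" and app not in approved:
            grants[(user, app)] = ts
            alerts.append(("unapproved_oauth_app", user, app))
        elif ev["type"] == "api_call":
            hour = ts.replace(minute=0, second=0, microsecond=0)
            before = api_calls[(user, hour)]
            api_calls[(user, hour)] = before + ev.get("count", 1)
            # Alert once, at the moment the hourly ceiling is crossed.
            if before <= API_CALLS_PER_HOUR < api_calls[(user, hour)]:
                alerts.append(("unusual_api_volume", user, hour.isoformat()))
        elif ev["type"] == "export" and ev["rows"] >= BULK_ROWS:
            granted = grants.get((user, app))
            # A bulk export through a freshly granted, unapproved app is the
            # grant-then-exfiltrate sequence; rank it above a plain bulk export.
            if granted is not None and ts - granted <= GRANT_WINDOW:
                alerts.append(("bulk_export_after_unapproved_grant", user, app))
            else:
                alerts.append(("bulk_export", user, app))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The correlated rule is the one to page on; a bulk export through an approved app (the last sample event) still alerts, but as a lower-priority review item.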

Source:

  • https://www.bleepingcomputer.com/news/security/fashion-giant-chanel-hit-in-wave-of-salesforce-data-theft-attacks/
  • https://wwd.com/business-news/retail/chanel-data-break-u-s-client-database-1238026491/


Ampcus Cyber