Chanel customers in the United States had personal information stolen in what’s being reported as a social media-based data breach connected to a wave of attacks on Salesforce applications.The breach of the large French cosmetics company was first reported on Aug. 1 by Women’s Wear Daily, which said Chanel first detected the breach on July 25 after bad actors gained access to the database of an unspecified third-party service provider.Chanel told Women’s Wear Daily that the attackers stole "limited" details of customers who contacted Chanel’s client care center in the U.S., capturing names, emails addresses, mailing addresses, and phone numbers.The company said no other information was stolen in the affected database and their customers were informed.Efforts to reach out to security pros did not yield much more new information in the case other than what was already reported.BleepingComputer first reported that the data stolen was from Chanel's Salesforce instance, an attack believed to be the work of extortion group ShinyHunters.Agnidipta Sarkar, chief evangelist at ColorTokens, added that the Chanel breach is linked to a broader wave of attacks targeting Salesforce instances — extending the string of incidents already impacting other fashion and luxury brands.“Interestingly, even though Chanel had robust security operations supported by probably sophisticated tools, the attackers succeeded in lateral movement,” said Sarkar. “It’s now evident that every company with a Salesforce/CRM presence is a potential target, and threat actors use highly convincing phone and email lures, and do not rely on technical exploits — making staff the primary attack vector.”J Stephen Kowski, Field CTO at SlashNext Email Security added that while we don’t have additional inside info on this particular attack — what’s playing out here is a classic example of attackers using clever tricks: not just through email, but also phone calls, browser pop-ups, SMS, and even fake apps to steal login info and sneak into big databases.“Once inside, they grab valuable customer data and try to make money off it through scams or threats,” said Kowski. “Phishing isn’t just an email problem anymore, and platforms loaded with customer info, like Salesforce, are prime targets. Teams can protect themselves by constantly training people to spot these new kinds of scams and using smarter security tools that catch phishing and sketchy access attempts in real time.”
Identity, Application security, Cloud Security, Privacy
Chanel’s Salesforce data reportedly stolen by ShinyHunters group
(Adobe Stock)
Related Events
Get daily email updates
SC Media's daily must-read of the most current and pressing daily news
You can skip this ad in 5 seconds