Jewelry brand Pandora on Aug. 5 reported being the victim of a cyberattack, an incident that was reportedly another case in a wave of data theft attacks on Salesforce applications. Since at least January 2025, bad actors have run social-engineering campaigns targeting corporate employees and help desks — attacks designed to steal Salesforce credentials or trick employees into authorizing malicious OAuth apps, BleepingComputer reported.According to a report in Forbes, Pandora reported that only customer names, birthdates, and email addresses were stolen, while passwords, IDs, and financial information were not exposed.The case underscored that retailers should stay on high alert as French fashion and cosmetics giant Chanel reported that it was also the victim of an Aug. 1 social media-based attack on its Salesforce apps, an incident reportedly the work of the ShinyHunter extortion group.Darren Williams, founder and CEO at BlackFog, said Pandora now joins the growing list of high‑profile victims, including Marks & Spencer, Co‑op, and Harrods, highlighting how attackers are relentlessly targeting customer data across the retail sector.“This incident reflects the clear shift in ransomware tactics toward stealthy data exfiltration,” said Williams. “Rather than immediate disruption, attackers are quietly harvesting sensitive information to power extortion schemes, identity fraud, and dark web trade — damage that often continues long after the initial compromise.”Williams added that to stay ahead, retailers must move beyond traditional perimeter defenses. Real‑time visibility into outbound data, strict third‑party and supply chain security, and proactive monitoring for exfiltration attempts are now essential, said Willisams.“Without these measures, the most serious consequences of an attack will play out in the weeks and months that follow, well beyond the initial breach,” said Williams.Nic Adams, co-founder and CEO at 0rcus, added that the recent retail breaches are a result of direct vulnerability via a successful attack on individual companies through social engineering and phishing campaigns aimed at employees.
Adams added that any recent confusion between the recent activities of Scattered Spider and ShinyHunters reveals a common dynamic in the cybercrime economy.“Scattered Spider is known for its significant social-engineering efforts, often baiting help desk personnel to give them access to a company's intranet,” said Adams. “Scattered Spider is also known as a data extortion and leak team. Therefore, in this attack chain, it seems plausible that Scattered Spider was the initial access broker, and now ShinyHunters is the group trying to profit from the information, attempting private extortions and public leak threats.”
While it makes sense for teams to patch, Adams said these attacks are fundamentally different as they exploit people, not code. Security teams must prioritize training their employees on modern social-media threats.“I think it's still important to implement MFA for all employee accounts, especially when logging into critical platforms such as Salesforce, it will make sure that a thief is not able to use the stolen credentials,” said Adams. “In addition, it's important to limit the access that the malicious OAuth app can get by implementing the least privilege principle for all the connected apps. Above all, regular and ongoing employee training on social engineering and phishing will be the most effective proactive response to the ever-changing threats.”
Adams added that any recent confusion between the recent activities of Scattered Spider and ShinyHunters reveals a common dynamic in the cybercrime economy.“Scattered Spider is known for its significant social-engineering efforts, often baiting help desk personnel to give them access to a company's intranet,” said Adams. “Scattered Spider is also known as a data extortion and leak team. Therefore, in this attack chain, it seems plausible that Scattered Spider was the initial access broker, and now ShinyHunters is the group trying to profit from the information, attempting private extortions and public leak threats.”
While it makes sense for teams to patch, Adams said these attacks are fundamentally different as they exploit people, not code. Security teams must prioritize training their employees on modern social-media threats.“I think it's still important to implement MFA for all employee accounts, especially when logging into critical platforms such as Salesforce, it will make sure that a thief is not able to use the stolen credentials,” said Adams. “In addition, it's important to limit the access that the malicious OAuth app can get by implementing the least privilege principle for all the connected apps. Above all, regular and ongoing employee training on social engineering and phishing will be the most effective proactive response to the ever-changing threats.”





