
Fashion Giant Chanel Hacked in Wave of Salesforce Attacks

French luxury fashion house Chanel has become the latest victim in a sophisticated cybercrime campaign targeting major corporations through their Salesforce customer relationship management systems.

The company confirmed on July 25, 2025, that unauthorized threat actors had breached a database containing personal information of U.S. customers who contacted their client care center.

The breach exposed limited but sensitive customer data, including names, email addresses, mailing addresses, and phone numbers of individuals who had contacted Chanel’s U.S. client care center.

Importantly, no financial information, payment data, or internal operational systems were compromised in the attack, according to the WWD report.

[Figure: Timeline of Major Companies Affected by ShinyHunters Salesforce Campaign (May-July 2025)]

The Chanel breach represents just one incident in a sweeping cybercrime wave orchestrated by the notorious ShinyHunters extortion group, which has been systematically targeting Salesforce instances across multiple industries since early 2025.

The campaign has affected an unprecedented roster of major brands, including Qantas, Allianz Life, LVMH subsidiaries Louis Vuitton and Dior, Tiffany & Co., and Adidas.

This coordinated assault demonstrates the evolving threat landscape where cybercriminals are increasingly focusing on cloud-based customer relationship management platforms rather than attempting to breach companies’ primary security defenses directly.

The attacks have spanned multiple countries, affecting customers in the United States, the United Kingdom, South Korea, Turkey, Italy, and Sweden.

The ShinyHunters group, tracked by Google’s Threat Intelligence Group as UNC6040, has employed highly sophisticated voice phishing (vishing) techniques to compromise Salesforce environments.

The attackers impersonate IT support personnel in convincing telephone calls to employees, typically targeting English-speaking staff at multinational corporations.

During these social engineering attacks, victims are manipulated into visiting Salesforce’s connected app setup page and authorizing a malicious version of the legitimate Data Loader application.

The fraudulent app is often rebranded under names like “My Ticket Portal” to avoid suspicion while granting attackers extensive access to query and exfiltrate sensitive customer data directly from Salesforce environments.

The attack methodology follows a consistent pattern:

  • Attackers conduct reconnaissance using automated phone systems to gather internal company information.
  • They then engage targets directly, posing as internal IT support staff.
  • Victims are guided through seemingly legitimate processes to install the malicious connected app.
  • Once authorized, the app enables bulk data extraction using Salesforce’s own Data Loader functionality.
  • Attackers often move laterally to compromise additional cloud services like Okta and Microsoft 365.
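From the defender's side, the pattern above leaves two observable signals: a user authorizing a connected app the organization never approved, followed by unusually large query volume through that app. The sketch below is an added example, not part of the original report or any vendor's tooling; the event field names, app IDs, threshold and time window are assumptions, and the sample events are constructed.

```python
from datetime import datetime, timedelta

# Assumption: connected apps this org has reviewed and approved (placeholder IDs).
APPROVED_APPS = {"APP-ID-DATALOADER": "Data Loader", "APP-ID-MARKETING": "Marketing Sync"}
BULK_ROWS = 10_000             # assumed threshold for "bulk" extraction
WINDOW = timedelta(hours=24)   # assumed watch window after a new authorization

# Constructed sample events; field names are hypothetical, not a Salesforce schema.
EVENTS = [
    {"ts": "2025-07-01T09:00:00", "type": "app_authorized", "user": "alice",
     "app_id": "APP-ID-DATALOADER", "app_name": "Data Loader"},
    {"ts": "2025-07-01T09:30:00", "type": "api_query", "user": "alice",
     "app_id": "APP-ID-DATALOADER", "rows": 1200},
    {"ts": "2025-07-02T14:05:00", "type": "app_authorized", "user": "bob",
     "app_id": "APP-ID-UNKNOWN", "app_name": "My Ticket Portal"},
    {"ts": "2025-07-02T14:20:00", "type": "api_query", "user": "bob",
     "app_id": "APP-ID-UNKNOWN", "rows": 8000},
    {"ts": "2025-07-02T14:40:00", "type": "api_query", "user": "bob",
     "app_id": "APP-ID-UNKNOWN", "rows": 9500},
]

def find_alerts(events, approved=APPROVED_APPS, bulk_rows=BULK_ROWS, window=WINDOW):
    """Flag unapproved app authorizations and bulk pulls that follow them."""
    alerts = []
    new_auth = {}   # (user, app_id) -> time the unapproved app was authorized
    exported = {}   # (user, app_id) -> rows pulled inside the watch window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["user"], ev["app_id"])
        if ev["type"] == "app_authorized" and ev["app_id"] not in approved:
            new_auth[key] = ts
            exported[key] = 0
            alerts.append(("unapproved_app", ev["user"], ev["app_name"]))
        elif ev["type"] == "api_query" and key in new_auth:
            if ts - new_auth[key] <= window:
                before = exported[key]
                exported[key] = before + ev["rows"]
                # Alert once, at the moment the running total crosses the threshold.
                if before < bulk_rows <= exported[key]:
                    alerts.append(("bulk_export_after_new_app", ev["user"], exported[key]))
    return alerts

if __name__ == "__main__":
    for alert in find_alerts(EVENTS):
        print(alert)
```

The second rule alerts on cumulative volume, so an extraction split into several smaller queries is still caught once the running total crosses the threshold.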

The campaign has demonstrated particular success against the fashion and luxury goods sector, with multiple LVMH brands falling victim within weeks of each other.

Allianz Life Insurance reported that the July 16 attack affected the majority of its 1.4 million U.S. customers, while Qantas disclosed that up to 6 million customer records were potentially compromised.

Chanel has begun directly notifying affected customers and has engaged external cybersecurity specialists to conduct a thorough investigation of the incident.

The company has also reported the breach to relevant law enforcement agencies and data protection authorities as required by applicable regulations.


Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
