Login
iscover
Share this article on:
Powered by
MOMENTUM
MEDIA
Powered by MOMENTUMMEDIA
Major Danish jewelry brand Pandora has joined the rapidly growing number of fashion businesses suffering third-party cyber attacks.
As originally reported by Forbes, Pandora notified customers that threat actors had breached a third-party platform containing a database holding Pandora customer data.
"We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party platform we use," reads the notification sent to customers.
The company said that impacted data includes names, birthdates and email addresses, but that financial information, government identifiers and passwords were not accessed by the threat actors.
While neither the third-party that was breached nor the threat actor were named by Pandora, BleepingComputer has identified the third-party as Salesforce, as part of their wider investigation into a range of Salesforce related data breaches, which have been going since at least January 2025.
Responding to BleepingComputer, Salesforce said the company itself had not been compromised, but rather that threat actors are using social engineering techniques to breach individual instances of Salesforce.
“Salesforce has not been compromised and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe – especially amid a rise in sophisticated phishing and social engineering attacks,” Salesforce told BleepingComputer.
“We continue to encourage all customers to follow security best practices, including enabling multifactor authentication, enforcing the principle of least privilege and carefully managing connected applications.”
According to BleepingComputer, the threat actor has been using social engineering and phishing attacks to steal credentials or fool employees into authorizing malicious OAuth applications on their accounts. From there, the Salesforce databases are downloaded and held to ransom.
The publication also identified the threat actor as ShinyHunters, the group that has been launching these Salesforce data breaches, adding that the same group breached Allianz Life, Qantas, Chanel and adidas.
So far, the threat actors have not released any data publicly, only resorting to email extortion.
However, ShinyHunters has confirmed with BleepingComputer that it is privately contacting these companies for ransom payments, and that it will mass publish or sell the data of all companies that don’t comply, something the group has done before during their Snowflake cyber campaign.
The group also said that its Salesforce threat campaign is ongoing, meaning the number of victims is likely to rise. Companies should therefore review their Salesforce privacy options and monitor access to ensure databases are secure.
How deep does the rabbit hole go?
Interestingly enough, experts have previously suggested that Qantas was originally breached by the Scattered Spider hacking collective, which has set a precedent of targeting multiple victims in a single industry before moving on and not publishing data publicly. In the airline industry case, the group is believed to have also targeted Hawaiian Airlines and Canadian airline WestJet.
Scattered Spider was also believed to have begun targeting US insurance companies back in June, according to Google Threat Intelligence researchers, which fits the bill for Allianz Life.
“Google Threat Intelligence Group is now aware of multiple intrusions in the US which bear all the hallmarks of Scattered Spider activity. We are now seeing incidents in the insurance industry,” John Hultquist, chief analyst at Google Threat Intelligence Group, told BleepingComputer.
Cyber Daily has previously suggested this could mean that the ShinyHunters group is working with or has a crossover with Scattered Spider.
While it could be a coincidence, the cyber attack on Pandora follows a wave of cyber attacks on other fashion retailers with operations in the US, including Victoria’s Secret, believed to have been conducted by Scattered Spider, which also could suggest a collaboration of some kind between the two threat entities.
Other fashion retailers including Cartier, Dior, and Louis Vuitton have also been hit in recent months, suggesting a wider crime wave that fits the bill of Scattered Spider’s operations.
Chanel was also hit this week by ShinyHunters as part of their Salesforce campaign, according to BleepingComputer.
However, this is all speculative, as some of these breaches were not disclosed as involving a third party and there is currently no concrete evidence that there is any crossover between Scattered Spider and ShinyHunters.
Be the first to hear the latest developments in the cyber industry.
