In July 2025, French luxury fashion house Chanel confirmed a significant data breach affecting its U.S. customer base. Unauthorized individuals accessed a database containing personal information of customers who had interacted with Chanel’s client care center. The compromised data included names, email addresses, mailing addresses, and phone numbers. Notably, financial information and internal operational systems remained secure.
This incident is part of a broader cybercrime campaign orchestrated by the ShinyHunters extortion group, which has been targeting Salesforce customer relationship management (CRM) systems across various industries since early 2025. Other high-profile victims include Qantas, Allianz Life, LVMH subsidiaries Louis Vuitton and Dior, Tiffany & Co., and Adidas. The attacks have affected customers in multiple countries, including the United States, the United Kingdom, South Korea, Turkey, Italy, and Sweden.
The ShinyHunters group employs sophisticated voice phishing (vishing) techniques to compromise Salesforce environments. They impersonate IT support personnel in convincing telephone calls to employees, typically targeting English-speaking staff at multinational corporations. During these social engineering attacks, victims are manipulated into visiting Salesforce’s connected app setup page and authorizing a malicious version of the legitimate Data Loader application. The fraudulent app is often rebranded under names like “My Ticket Portal” to avoid suspicion while granting attackers extensive access to query and exfiltrate sensitive customer data directly from Salesforce environments.
The attack methodology follows a consistent pattern:
– Attackers conduct reconnaissance using automated phone systems to gather internal company information.
– They then engage targets directly, posing as internal IT support staff.
– Victims are guided through seemingly legitimate processes to install the malicious connected app.
– Once authorized, the app enables bulk data extraction using Salesforce’s own Data Loader functionality.
– Attackers often move laterally to compromise additional cloud services like Okta and Microsoft 365.
The campaign has demonstrated particular success against the fashion and luxury goods sector, with multiple LVMH brands falling victim within weeks of each other. Allianz Life Insurance reported that the July 16 attack affected the majority of its 1.4 million U.S. customers, while Qantas disclosed that up to 6 million customer records were potentially compromised.
Chanel has begun directly notifying affected customers and has engaged external cybersecurity specialists to conduct a thorough investigation of the incident. The company has also reported the breach to relevant law enforcement agencies and data protection authorities as required by applicable regulations.
This incident underscores the evolving threat landscape where cybercriminals are increasingly focusing on cloud-based customer relationship management platforms rather than attempting to breach companies’ primary security defenses directly. It highlights the critical importance of enabling multi-factor authentication and enforcing least privilege access policies. Companies must remain vigilant and educate employees against evolving threats that abuse connected applications and trusted platforms.
