Fashion giant Chanel recently announced in a letter to its clients that the company fell victim to a Salesforce data security breach, specifically impacting customers in the United States.
The breach was first detected on July 25, after hackers had infiltrated Chanel’s database, which was hosted at a third-party service provider.
Salesforce has confirmed to BleepingComputer that it’s not the CRM platform itself that has been compromised, but rather, their customers are being exploited and breached in a series of social engineering attacks.
Chanel is yet to identify who was behind the hack, but similar recent attacks on other retailers suggest Scattered Spider or ShinyHunters may have been involved.
Note: The potential for compromised connected apps in Salesforce orgs is ongoing. We at Salesforce Ben strongly recommend that all admins and org owners prioritize auditing the connected apps currently in use in their orgs. This includes identifying the origin of all connected apps, removing any unused or unknown apps, setting permissions for access to remaining apps, and removing the ability for any user to add connected apps without approval. We’ve published this article to help.
The Infiltrations Continue
According to BleepingComputer, this data was specifically stolen from Salesforce’s instance, adding to the number of Salesforce data-theft attacks that have occurred over the past few months.
We recently reported that hackers had made their way into Salesforce by tricking employees into downloading a malicious Salesforce Data Loader app, using voice-phishing (vishing) tactics to get people to green-light the download. Peter Chittum recently discussed on Salesforce Ben that some employees may still be at risk, as many of these attacks may take place months after the download was completed.
Per Google’s Threat Intelligence Group (GTIG), this was believed at the time to be the start of a wider cyberattack orchestrated by coordinated threat groups, otherwise known as Scattered Spider.
However, the ShinyHunters threat group has also been suggested as the culprit, and could potentially even be working alongside Scattered Spider to attack CRM customers.
While it could be a coincidence, the cyber attack on Chanel comes amid a wave of similar attacks targeting fashion retailers with US operations, including Victoria’s Secret, which is also believed to have been hit by Scattered Spider. The overlap raises the possibility of a link or even collaboration between threat groups.
Other luxury brands, such as Cartier, Dior, and Louis Vuitton, have also been targeted in recent months, pointing to a broader crime wave that aligns with Scattered Spider’s known tactics.
While there’s no confirmation of this yet, we know that the two parties share a cybercriminal network known as “The Com”, where a network of these elite hackers share resources, tools, and tactics. So it would come as no surprise if one of these threat groups – or both in tandem – are identified as Chanel’s attackers.
How Is Chanel Responding?
At the time of writing, the hackers have yet to release any stolen information publicly, and are using it to blackmail Chanel, among others affected, over email.
In the meantime, Chanel has already informed any customers involved in the breach (while not releasing how many), expressing their apologies and reassuring them that their internal system was not breached.
“Based on the findings of the investigation, the data obtained by the unauthorized external party contained limited details of a subset of individuals who contacted our client care center in the U.S. – specifically name, email address, mailing address, and phone number,” a Chanel spokesperson told WWD. “No other information was contained in the database.”
Chanel is likely conducting internal reviews and tightening third-party access controls, though they haven’t published further details yet.
A spokesperson from Salesforce told Salesforce Ben: “Chanel is a valued customer, and our teams are proactively engaged to support them in any way they need.
“Salesforce has not been compromised, and this issue is not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe – especially amid a rise in sophisticated phishing and social engineering attacks.”
Final Thoughts
It must be stressed that Salesforce themselves are not part of this vulnerability – these waves of attacks are attributed to the manipulation of employees by these hackers. However, a continued effort must be made to train and educate admins and the like to ensure they don’t fall victim to voice-phishing or any other social engineering tactics.
As Peter stresses in his article, “making the victim accountable only serves to reduce transparency and make it less likely that an employee may report when they’ve been the immediate victim of an attack”.
For those responsible for their Salesforce orgs, now is the best time to be diligent around your security and read Salesforce’s best practices when it comes to org protection.
Have you been affected by the hack? Email us at tips@salesforceben.com.