An extensive wave of data breaches leveraging Salesforce has emerged, impacting a varied set of global brands—including Google, Chanel, Air France–KLM, and others—as cybercriminals exploit social engineering to infiltrate third-party CRM systems.
Google Confirms Salesforce CRM Breach
In June, Google acknowledged that a corporate Salesforce instance was compromised by the hacker group ShinyHunters (UNC6040). The breach exposed basic contact details and notes for small- and medium-sized businesses stored in Google’s Salesforce environment. Google stated that no sensitive payment or user credentials were taken, and the breach was halted swiftly.
Chanel and Other Brands Among Victims
French luxury brand Chanel also confirmed a data breach originating from a third-party Salesforce integration. Detected on July 25, the incident impacted U.S. customer contact records—including names, addresses, and phone numbers—of individuals who had reached out to Chanel’s client care center. No financial or login data was affected.
Similar attacks reportedly targeted organizations across sectors—Air France–KLM, Adidas, Cartier, Dior, Louis Vuitton, Allianz Life, Cisco, Qantas Airways, and Pandora, among others. In many of these cases, attackers exploited access via compromised Salesforce platforms used by third-party providers, not directly breaching internal company systems.
Social Engineering: The Attack Vector of Choice
Researchers say these breaches were not due to technical flaws in Salesforce itself, but were enabled via voice phishing (vishing) and abuse of OAuth-connected apps. Cybercriminals impersonated IT staff to trick employees into granting access or installing modified versions of Salesforce tools—such as a fake Data Loader—to exfiltrate data.
Widening Campaign and Rising Threat
The tactic aligns with a broader ShinyHunters-driven campaign targeting CRM systems across industries. Besides Google and Chanel, data thefts have impacted organizations including Pandora, which confirmed customer data (names and emails) were compromised via its Salesforce platform. No sensitive user credentials or payment information was leaked.
Salesforce Clarifies Its Security Posture
Salesforce has categorically stated that its platform was not breached. The attack vectors were external access points within customer environments. The company has reiterated the importance of secure authentication practices, including multi-factor authentication (MFA), limited privileges, and vendor monitoring.
The Importance of Awareness and Vigilance
Security experts warn that when threat actors exploit human weaknesses rather than technical vulnerabilities, organizations must enhance security through ongoing training, improved access controls, and vigilant app governance.
Building Resilience in a Compromised Ecosystem
As more enterprises integrate extensive third-party platforms into their operations, the need for resilience becomes critical. Customers expect both transparent communications and robust protections against incidents emerging from trusted vendor networks.
For affected organizations and partners, the lesson is clear: safeguard every link in the chain—from HR to contact centers, to external integrators and vendor systems.