Global jewelry brand Pandora has confirmed a data breach that exposed customer information after cybercriminals targeted the company through ongoing Salesforce-related data theft attacks.
In a notification sent to affected customers, Pandora acknowledged the incident, stating:
“We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party platform we use. We stopped the access and have further strengthened our security measures.”
The compromised data includes customer names, email addresses, and birthdates. Pandora emphasized that passwords, identification documents, and financial information were not affected. While the company did not initially identify the platform involved, reports confirm the breach originated from its Salesforce database.
Pandora data breach notification
Source: Reddit
How the Attack Unfolded: Social Engineering and OAuth Abuse
The breach is part of a broader campaign that began as early as January 2025, where threat actors leveraged social engineering and phishing techniques to compromise Salesforce accounts. Attackers have been targeting employees and help desks to obtain Salesforce credentials or trick staff into approving malicious OAuth applications.
Once access is secured, the attackers exfiltrate Salesforce data and use it for extortion, demanding payment to prevent public leaks. According to BleepingComputer, the well-known threat group ShinyHunters confirmed they are actively extorting companies and plan mass data leaks for those that refuse to pay—similar to tactics seen in the Snowflake data theft campaign.
Salesforce Responds: No Platform Vulnerability, Customer Vigilance Urged
Salesforce clarified that its systems have not been breached, attributing the issue to targeted social engineering attacks:
“Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe—especially amid a rise in sophisticated phishing and social engineering attacks.”
The company strongly advises all clients to implement best practices, including:
- Enabling multi-factor authentication (MFA)
- Applying the principle of least privilege for user access
- Carefully reviewing and managing connected applications
Further details are available on Salesforce’s security blog: Protect Against Social Engineering.
Other High-Profile Victims and Ongoing Risk
Pandora is not the only company affected. Other major organizations targeted in this campaign include Adidas, Qantas, Allianz Life, and LVMH subsidiaries such as Louis Vuitton, Dior, and Tiffany & Co. However, sources suggest the full list of impacted companies is far longer and includes undisclosed names.
This attack underscores the growing risk posed by social engineering campaigns combined with SaaS platform abuse, especially against enterprise-level businesses relying on cloud-based CRM solutions.
