Danish jewelry giant Pandora has become the latest victim in a series of widespread data theft attacks targeting companies that use the Salesforce customer relationship management platform. In a notification sent to customers, the company confirmed that “contact information was accessed by an unauthorized party through a third-party platform we use.” While Pandora did not name the specific platform, it has since been confirmed that the stolen data was exfiltrated from the company’s Salesforce database. This incident places Pandora, one of the world’s largest jewelry brands, among a growing list of high-profile companies impacted by the ongoing security campaign.
Attackers Utilize Social Engineering and Phishing
The ongoing data theft campaign is attributed to the threat actor group known as ShinyHunters, and its tactics are a departure from traditional malware-based attacks. Instead, the attackers employ sophisticated social engineering and phishing campaigns. They target company employees and help desks, using deceptive phone calls, a method known as “vishing,” to trick them into revealing Salesforce login credentials or authorizing a malicious OAuth application to their Salesforce accounts. This method allows the threat actors to gain access to the company’s customer database without exploiting any vulnerability in the Salesforce platform itself.
According to Pandora’s disclosure, the information stolen was limited to customers’ names, birthdates, and email addresses. The company has emphasized that no more sensitive data, such as passwords, IDs, or financial information, was compromised in the attack. While this may seem like a minor breach to some, cybersecurity experts warn that even this limited data can be used to launch highly targeted phishing scams, making the affected customers vulnerable to further attacks. Pandora has advised its customers to be extra vigilant and to be cautious of unusual emails or online activities.
The ShinyHunters group has publicly confirmed that they are behind the recent wave of Salesforce attacks. The group is using the stolen data to privately extort the victim companies, demanding a ransom to prevent the data from being publicly leaked or sold. This strategy mirrors the group’s past activities, such as the widely publicized Snowflake data-theft attacks. The threat actors have stated that the attacks are ongoing, making it crucial for all companies using Salesforce to take proactive steps to secure their accounts and protect their customer data.
In response to the series of attacks, Salesforce has issued a statement clarifying that its platform has not been compromised and that the breaches are not due to any inherent vulnerabilities. The company stresses that security is a shared responsibility and that customers must play a critical role in safeguarding their data. Salesforce has provided a list of recommendations for companies to harden their accounts, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications. These measures are essential to mitigate the risk of falling victim to these social engineering-based attacks.
Reference:
