Social Engineering Attacks: Major Brands Compromised Through Salesforce Platform


Social Engineering Attacks Hit Major Brands Through Salesforce Platform

A sophisticated wave of social engineering attacks has compromised multiple high-profile companies including Chanel, Pandora, and Google through their Salesforce platforms. The attacks, attributed to the threat group ShinyHunters (UNC6040), demonstrate how human vulnerability remains the greatest cybersecurity weakness in modern organizations.

Sophisticated Vishing Campaign Targets Employee Trust

The attackers employed an elaborate voice phishing (vishing) scheme, impersonating IT support staff to convince employees to install malicious versions of legitimate Salesforce tools. By exploiting the platform's "Connected App" feature, hackers gained broad access privileges to company data through OAuth authentication abuse.

Organizations must remain vigilant for common warning signs of social engineering attacks to protect their systems and data.

"Salesforce has not been compromised, and this issue is not due to any known vulnerability in our platform," a Salesforce spokesperson emphasized. "Attacks like voice phishing are targeted social-engineering scams designed to exploit gaps in individual users' cybersecurity awareness."

High-Profile Victims Face Data Exposure

The impact of these breaches has been substantial:

  • Chanel discovered on July 25th that customer service data, including names and contact information, was compromised
  • Pandora reported a breach on August 5th affecting customer personal information
  • Google confirmed a "small window" of unauthorized access to basic business contact details
  • Additional suspected victims include Adidas, Allianz Life, and several LVMH luxury brands

Sophisticated attackers are increasingly using advanced clone phishing techniques to create convincing impersonations of legitimate business communications.

"Every company with a Salesforce/CRM presence is a potential target," warns Agnidipta Sarkar, Chief Evangelist at ColorTokens. "Threat actors use highly convincing phone and email lures, and do not rely on technical exploits—making staff the primary attack vector."

Protecting Against Social Engineering Threats

Security experts recommend several key measures to defend against similar attacks:

  1. Implement comprehensive social engineering training focusing on vishing and impersonation tactics
  2. Review and strengthen authentication policies for third-party applications
  3. Establish strict controls over Salesforce app installations and integrations
  4. Adopt zero-trust security models to limit potential damage from compromised accounts
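One way to act on recommendations 2 and 3, as an added example (not from the original article or from Salesforce): review an exported list of connected-app OAuth grants against an approved-app allowlist and flag near-copies of approved tool names, the pattern the impostor tools described above rely on. The record layout, app names, user names, scope policy and threshold are all constructed assumptions, not a Salesforce schema.

```python
from difflib import SequenceMatcher

# Assumed allowlist of reviewed connected apps (hypothetical names).
APPROVED_APPS = {"Acme Data Import Tool", "Acme Reporting Connector"}
# Scopes treated as broad for this review (policy assumption).
BROAD_SCOPES = {"full", "api", "refresh_token"}

# Constructed sample export: one record per user/app OAuth grant.
SAMPLE_GRANTS = [
    {"app_name": "Acme Data Import Tool", "user": "a.lee", "scopes": ["api", "refresh_token"]},
    {"app_name": "Acme Data Import Tool v2", "user": "j.doe", "scopes": ["api", "refresh_token"]},
    {"app_name": "My Ticket Portal", "user": "j.doe", "scopes": ["full"]},
    {"app_name": "Calendar Sync", "user": "m.roy", "scopes": ["openid"]},
]

def _norm(name):
    """Lower-case and drop punctuation/spacing so cosmetic variants compare equal."""
    return "".join(c for c in name.lower() if c.isalnum())

def closest_approved(name):
    """Return (approved_name, similarity 0..1) for the nearest approved app name."""
    return max(((a, SequenceMatcher(None, _norm(name), _norm(a)).ratio())
                for a in APPROVED_APPS), key=lambda pair: pair[1])

def review_grants(grants, lookalike_threshold=0.8):
    """Flag every grant to an app that is not exactly on the allowlist."""
    findings = []
    for g in grants:
        if g["app_name"] in APPROVED_APPS:
            continue  # exact match with a reviewed app
        nearest, score = closest_approved(g["app_name"])
        broad = sorted(BROAD_SCOPES & set(g["scopes"]))
        if score >= lookalike_threshold:
            severity, reason = "high", f"name imitates approved app '{nearest}'"
        elif broad:
            severity, reason = "medium", "unapproved app holds broad scopes"
        else:
            severity, reason = "low", "unapproved app"
        findings.append({"app": g["app_name"], "user": g["user"],
                         "severity": severity, "reason": reason, "broad_scopes": broad})
    return findings

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS):
        print(f"{f['severity']:<6} {f['app']!r} granted by {f['user']}: "
              f"{f['reason']} {f['broad_scopes']}")
```

A look-alike finding warrants revoking the grant and contacting the user directly, since a name that nearly matches an approved tool is rarely an accident.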

The ongoing campaign serves as a stark reminder that even organizations with sophisticated security measures remain vulnerable to social engineering attacks that target human psychology rather than technical vulnerabilities. For more information about protecting against social engineering attacks, visit the CISA Security Tips.
