Pandora Confirms Data Breach Tied to Salesforce Credential Attacks

Danish jewelry giant Pandora has confirmed a data breach that exposed customer information, stemming from an ongoing wave of Salesforce-related data theft attacks. The company, which operates 2,700 stores globally and employs over 37,000 people, notified customers that their contact details were accessed by an unauthorized party via a third-party platform.

“We stopped the access and have further strengthened our security measures,” the company said in its notification. According to a Forbes report, only customer names, birthdates, and email addresses were compromised—no passwords, financial data, or identification numbers were exposed.

While Pandora did not publicly name the third-party platform involved, BleepingComputer confirmed that the stolen data originated from Pandora’s Salesforce database.

Since early 2025, attackers have been targeting organizations through phishing and social engineering tactics to gain access to Salesforce accounts—either by stealing credentials or tricking staff into granting permissions to malicious OAuth applications. Once access is gained, attackers exfiltrate customer data and use it to demand ransom under threat of exposure.

The threat group ShinyHunters told BleepingComputer they are actively extorting affected companies and plan to publicly leak or sell data from firms that refuse to pay, as seen in the recent Snowflake-related incidents.

Salesforce emphasized that their platform has not been breached and no known vulnerabilities are involved. “Customers play a critical role in safeguarding their data—especially in light of increasingly sophisticated phishing and social engineering threats,” the company said, urging clients to adopt its recommended security measures.