
Third-party risk: Behind the Google, Chanel, & Air France-KLM breaches


2025 has been a summer of high-profile breaches. This post focuses on four high-profile victims: Chanel, Google, Air France, and KLM. Although the companies and exact data sets differ, these breaches share a clear pattern: attackers compromised third-party CRM / customer-service platforms as part of a wider Salesforce-focused vishing/social engineering campaign. From there, they exfiltrated customer-care records such as contact details, loyalty IDs, and customer-service email content.

We’ll run through concise summaries of each incident and share practical tips organizations can use to reduce the risk of similar third-party supply-chain compromises.

Specops analysis: Who’s behind the third-party CRM attacks?

Lidia Lopez, Strategic Research Team Lead at Outpost24 (Specops’ parent company), said: “The disclosure from Air France-KLM adds to a growing list of organizations affected by a highly targeted voice phishing (vishing) campaign exploiting Salesforce environments. First reported in March 2025 and escalating in June, these attacks have now impacted companies across Europe and the US, including Adidas, Allianz Life, Chanel, Pandora, LVMH subsidiaries, Qantas — and most recently, Google.

“The threat group uses a phone-based social engineering scheme impersonating IT help desks to trick employees into handing over credentials or installing malicious Salesforce tools. Victims are then extorted weeks or months later by the threat group, often self-identified as ShinyHunters, with threats of public data leaks unless a Bitcoin ransom is paid.

“This campaign reflects a broader shift: as technical defenses improve, attackers are turning to more personal, psychological methods – a trend underscored by a 442% rise in vishing attacks in 2024 alone. To reduce risk, organizations should enforce SSO, monitor login activity, restrict software installs on endpoints, and apply strict access controls. These simple steps can drastically reduce both the likelihood and impact of attacks.”

Chanel, Google, Air France, and KLM attack summaries

Chanel: Attack summary

  • What happened: Chanel disclosed a data breach affecting a subset of clients after unauthorized access was detected on July 25th, 2025.
  • Attack vector: The access originated via a third-party service provider (reported to be Salesforce-related in press coverage), consistent with the ongoing wave of vishing/social-engineering attacks targeting Salesforce customers.
  • Data accessed: Limited customer-care records for a subset of individuals (name, email, mailing address, phone number). Chanel said no other customer data from their systems was exposed.
  • Impact / current status: Affected customers have been notified; no public large data leaks reported at time of the disclosure, and Chanel is working with the third party to investigate.

Google: Attack summary

  • What happened: Google was reported as another victim in the ongoing campaign of Salesforce CRM data theft attacks in June.
  • Attack vector / actor: The campaign targets employee accounts via voice-phishing (vishing) and social engineering to gain access to Salesforce instances. Reporting links the activity to threat actors tracked as UNC6040 and extortion groups such as ShinyHunters.
  • Data accessed / impact: Reporting indicates customer data was exfiltrated from Salesforce instances and used to extort victims; Google confirmed it was impacted as part of this wave. Specific field lists for Google were not detailed in press reporting.
  • Impact / current status: Investigation and containment efforts are ongoing at the time of writing.

Air France: Attack summary

  • What happened: Air France (part of Air France–KLM Group) detected unauthorized access to an external customer-service platform used by its contact centers.
  • Attack vector: A compromise of a third-party platform used for customer service (investigation ongoing); reporting ties the compromise to the broader Salesforce-targeting campaign.
  • Data accessed: Customer service data such as names, email addresses, phone numbers, loyalty program information and recent transactions were accessed. Air France states that internal networks, payment card data, and passport data were not affected.
  • Impact / current status: The group cut off attackers’ access, notified regulators (CNIL in France) and is notifying impacted customers while investigating with the external party.

KLM: Attack summary

  • What happened: KLM confirmed similar unauthorized access to the same third-party customer service platform used by their contact centers.
  • Attack vector: Third-party supplier compromise supporting customer service operations; reported as part of the wave of Salesforce-linked breaches and social-engineering attacks.
  • Data accessed: KLM stated personally identifiable information was obtained (full names, contact details), plus Flying Blue membership numbers and tier status and subject lines from customer service emails. Payment details, passport numbers and passwords were reportedly not exposed.
  • Impact / current status: The breach was reported to the Dutch Data Protection Authority; affected customers are being notified and advised to watch for social engineering/phishing.

Why are we seeing so many similar breaches?

1) Attackers are targeting third-party access points, not core systems

Across the Chanel, Google, Air France, and KLM incidents the common thread is the compromise of external CRM / customer-service platforms or third-party suppliers rather than direct breaches of the companies’ internal payment or flight-operation systems. Compromise the supplier and you can harvest customer-care records from many victims at once.

2) Social engineering (vishing) and OAuth/connected-app misuse are effective at scale

Reports tie these incidents to a wider campaign that uses voice-phishing and social engineering to get employees to approve OAuth/connected-app access or reveal authentication details. Once attackers gain delegated access to a Salesforce or contact-center account, they can exfiltrate records without having to break into corporate networks directly.


3) Excessive permissions and weak third-party governance widen the blast radius

Many organizations allow broad scopes for connected apps, sharing large swathes of customer data with vendors for convenience. When suppliers (or the credentials of supplier staff) are compromised, overly permissive access enables rapid data collection. The difficulty organizations have in tracking and auditing which third parties have what level of access makes detection and containment slower.


4) Attackers monetize via extortion and follow-on social engineering

The stolen CRM records are useful both for direct extortion and to seed more convincing phishing and vishing campaigns that expand the attacker’s access. This feedback loop makes each successful supply-chain compromise more valuable.

How to reduce your third-party risk

Treat service-desk interactions as an authentication boundary — and enforce verification

Attackers succeed by social-engineering help-desk agents to grant access or reset account controls. This has been a common feature of the ransomware attacks hitting major UK retail brands such as Marks and Spencer. Organizations should require strict, verifiable workflows for any service-desk action that affects accounts or connected apps.


Lock down OAuth / connected-app access and third-party scopes

Inventory every connected app and third-party integration with access to CRM, contact-center or ticketing data. Remove unused integrations, tighten scopes to the minimum necessary, require app-whitelisting, and make approval of any new integration a documented, security-reviewed process. Revoke long-lived tokens and require periodic reauthorization.

Harden authentication and session controls

Enforce strong MFA on all accounts that can access CRM/contact-center or vendor portals. Use conditional access to require higher assurance for administrative or supplier-facing logins (e.g., require MFA + compliant device). Shorten token lifetimes where feasible and implement anomaly detection for unusual session/IP or export activity.
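The two recommendations above (a reviewed inventory of connected apps, and anomaly detection on session/IP and export activity) can be turned into simple detection logic. The script below is an added example, not Specops or Salesforce code; the CSV event layout, the approved-app inventory and the sample events are all constructed assumptions, not any vendor's real audit-log schema.

```python
"""Flag risky connected-app and export activity in constructed CRM audit records.
Added example, not Specops or Salesforce code. The CSV layout below is an assumed,
simplified event format, not any vendor's real log schema. Checks: (1) connected app
missing from the approved inventory, (2) export far above the user's prior maximum,
(3) login from an IP not previously seen for that user."""
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample events: timestamp,user,event,app,rows,ip
SAMPLE_LOG = """\
2025-07-24T09:01:00Z,alice,LOGIN,Salesforce for Outlook,0,203.0.113.10
2025-07-24T09:05:00Z,alice,EXPORT,Salesforce for Outlook,120,203.0.113.10
2025-07-25T02:14:00Z,alice,LOGIN,Data Loader,0,198.51.100.77
2025-07-25T02:16:00Z,alice,EXPORT,Data Loader,48000,198.51.100.77
2025-07-25T10:00:00Z,bob,LOGIN,Salesforce for Outlook,0,203.0.113.11
2025-07-25T10:03:00Z,bob,EXPORT,Salesforce for Outlook,90,203.0.113.11
"""
APPROVED_APPS = {"Salesforce for Outlook"}  # assumed inventory of reviewed integrations
EXPORT_MULTIPLIER = 10                       # alert when rows > 10x the user's prior maximum

def parse_events(text):
    fields = ["ts", "user", "event", "app", "rows", "ip"]
    return [dict(zip(fields, row)) for row in csv.reader(StringIO(text))]

def detect(events):
    """Return alert strings; baselines are built from the events seen so far."""
    alerts, seen_ips, max_rows = [], defaultdict(set), defaultdict(int)
    for e in events:
        user, app, ip, rows = e["user"], e["app"], e["ip"], int(e["rows"])
        if app not in APPROVED_APPS:
            alerts.append(f"{e['ts']} {user}: unapproved connected app '{app}'")
        if e["event"] == "LOGIN":
            if seen_ips[user] and ip not in seen_ips[user]:
                alerts.append(f"{e['ts']} {user}: login from new IP {ip}")
            seen_ips[user].add(ip)
        elif e["event"] == "EXPORT":
            if max_rows[user] and rows > EXPORT_MULTIPLIER * max_rows[user]:
                alerts.append(f"{e['ts']} {user}: export of {rows} rows exceeds baseline {max_rows[user]}")
            max_rows[user] = max(max_rows[user], rows)
    return alerts

if __name__ == "__main__":
    for alert in detect(parse_events(SAMPLE_LOG)):
        print(alert)
```

On the constructed sample, only the out-of-hours session that authorizes an unreviewed app from a new IP and then pulls a large export is flagged; the routine activity of both users stays silent.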

Monitor the brand surface and phishing infrastructure with DRP

Continuously scan for look-alike and malicious domains, credential-harvesting pages, and social-media impersonation so you can detect attacker infrastructure early and request takedowns. While a DRP tool can’t stop an initial CRM platform compromise, a tool such as Outpost24’s CompassDRP solution can reduce customer impact by spotting phishing domains, impersonation accounts, and data leaks faster, enabling quicker takedowns and better warnings to affected customers.

(Last updated on August 11, 2025)


Written by

Marcus White

Marcus is a Specops cybersecurity specialist based in the UK, with 8+ years experience in the tech and cyber sectors. He writes about authentication, password security, password management, and compliance.
