Full Report
2025 has been a summer of high-profile breaches. This post will focus on four notable and high-profile victims: Chanel, Google, Air France, and KLM. Although the companies and exact data sets differ, these breaches share a clear pattern: attackers compromised third-party CRM / customer-service platforms as part of a wider Salesforce-focused vishing/social-engineering campaign. From there, […] The post Third-party risk: Behind the Google, Chanel, & Air France-KLM breaches appeared first on Outpost24.
Analysis Summary
# Incident Report: Multi-Vendor Compromise via Third-Party CRM Exploitation
## Executive Summary
In the summer of 2025 (the year given in the source post above), a sustained vishing and social engineering campaign targeted third-party CRM and customer-service platforms, specifically Salesforce-based integrations, to breach high-profile organizations including Chanel, Google, Air France, and KLM. Attackers used look-alike domains and credential harvesting to gain unauthorized access to customer support environments, leading to the exfiltration of customer PII. The incidents illustrate a systemic risk: compromise of a single shared service provider can produce data breaches across multiple global enterprises at once.
## Incident Details
- **Discovery Date:** August 2025 (public disclosure/reporting)
- **Incident Date:** Summer 2025 (ongoing June–August)
- **Affected Organizations:** Chanel, Google, Air France, and KLM
- **Sector:** Luxury Retail, Tech, and Aviation
- **Geography:** Global (Impacted customers worldwide)
## Timeline of Events
### Initial Access
- **Date/Time:** Early summer 2025
- **Vector:** Social Engineering / Vishing / Phishing
- **Details:** Attackers targeted employees of third-party service providers or CRM administrators using vishing (voice phishing) and look-alike domains (e.g., impersonating Salesforce or internal vendor portals) to harvest administrative credentials and MFA tokens.
### Lateral Movement
- **Movement:** After gaining access to the third-party CRM platform (Salesforce-integrated environments), attackers leveraged "connected apps" and OAuth tokens to move between different customer environments or escalated privileges within the support portal to access various client databases.
### Data Exfiltration/Impact
- **Exfiltration:** Attackers accessed and exported customer datasets.
- **Google:** Impacted the "Google Workspace" and "Cloud" support platforms.
- **Air France-KLM:** Compromised "Flying Blue" or customer loyalty and support data.
- **Chanel:** Impacted customer relationship management data for luxury clients.
### Detection & Response
- **Discovery:** Identified through internal monitoring of unusual export activity and reports of unauthorized access to customer service accounts.
- **Response:** Organizations disabled compromised accounts, revoked OAuth tokens, and initiated customer notifications regarding the PII exposure.
## Attack Methodology
- **Initial Access:** Vishing and phishing using look-alike domains (e.g., "salesforce-support[.]com").
- **Persistence:** Utilization of long-lived OAuth tokens and connected application permissions.
- **Privilege Escalation:** Harvesting administrative credentials to gain broad access to multiple "tenant" environments within shared CRM platforms.
- **Defense Evasion:** Use of legitimate third-party infrastructure and valid credentials to bypass traditional perimeter security.
- **Credential Access:** Credential harvesting via proxy-based phishing sites designed to capture MFA codes in real-time.
- **Discovery:** Reconnaissance of CRM-connected apps to identify high-value customer data.
- **Lateral Movement:** Transitioning from the service provider's environment into the specific tenant data of Chanel, Google, and Air France-KLM.
- **Collection:** Bulk export of customer contact information and support interaction history.
- **Exfiltration:** Standard HTTPS exports via legitimate CRM functionality.
- **Impact:** Unauthorized disclosure of PII (Names, emails, phone numbers, and loyalty program details).
## Impact Assessment
- **Financial:** Potential regulatory fines (GDPR/CCPA) and costs associated with incident response and victim monitoring.
- **Data Breach:** Compromise of PII including names, email addresses, phone numbers, and service history.
- **Operational:** Temporary suspension of specific customer service portals and audit of all third-party integrations.
- **Reputational:** High-profile media coverage impacting brand trust, particularly for luxury (Chanel) and tech (Google) sectors.
## Indicators of Compromise
- **Network:** Look-alike domains impersonating Salesforce or vendor login portals (e.g., `brand-support-login[.]com`).
- **File:** CSV/XLSX exports originating from unusual IP addresses or at unconventional times.
- **Behavioral:** Rapid creation of new "Connected Apps" within Salesforce; high-volume data exports by low-privilege support accounts; logins from unexpected geographic locations that bypass MFA via session hijacking.
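The behavioral and file indicators above can be expressed as simple detection logic. The following is an added example, not code from the Outpost24 post or from Salesforce: it runs over constructed Salesforce-style event records (field names, thresholds and the country allow-list are assumptions, not a real Event Monitoring schema) and flags new connected apps, bulk or off-hours exports by non-admin profiles, and logins from unexpected countries, then escalates users that trip several indicators.

```python
from collections import defaultdict
from datetime import datetime

# Assumed per-tenant policy values (not from the page).
EXPECTED_COUNTRIES = {"FR", "NL", "US"}     # where support staff normally log in from
BULK_ROW_THRESHOLD = 5000                  # rows per export considered "high-volume"
BUSINESS_HOURS_UTC = range(7, 19)          # exports outside this window are suspicious
PRIVILEGED_PROFILES = {"System Administrator"}

# Constructed sample events; the field layout only loosely mirrors Salesforce logs.
EVENTS = [
    {"ts": "2025-08-04T02:00:00Z", "user": "support.agent1", "profile": "Support Agent",
     "event": "Login", "rows": 0, "country": "RU", "app": None},
    {"ts": "2025-08-04T02:05:00Z", "user": "support.agent1", "profile": "Support Agent",
     "event": "ConnectedAppCreate", "rows": 0, "country": "RU", "app": "Data Loader Helper"},
    {"ts": "2025-08-04T02:13:00Z", "user": "support.agent1", "profile": "Support Agent",
     "event": "ReportExport", "rows": 48000, "country": "RU", "app": None},
    {"ts": "2025-08-03T10:00:00Z", "user": "crm.admin", "profile": "System Administrator",
     "event": "ReportExport", "rows": 120, "country": "NL", "app": None},
]


def detect(events):
    """Map each user to the list of indicator strings their events triggered."""
    findings = defaultdict(list)
    for e in events:
        hour = datetime.fromisoformat(e["ts"].replace("Z", "+00:00")).hour
        if e["event"] == "ConnectedAppCreate":
            findings[e["user"]].append(f"new connected app '{e['app']}'")
        if e["event"] == "ReportExport" and e["profile"] not in PRIVILEGED_PROFILES:
            if e["rows"] >= BULK_ROW_THRESHOLD:
                findings[e["user"]].append(f"bulk export of {e['rows']} rows by non-admin")
            if hour not in BUSINESS_HOURS_UTC:
                findings[e["user"]].append(f"export outside business hours ({hour:02d}:00 UTC)")
        if e["event"] == "Login" and e["country"] not in EXPECTED_COUNTRIES:
            findings[e["user"]].append(f"login from unexpected country {e['country']}")
    return dict(findings)


def escalate(findings, min_indicators=2):
    """Users whose indicator count reaches the threshold, for analyst triage."""
    return sorted(u for u, hits in findings.items() if len(hits) >= min_indicators)


if __name__ == "__main__":
    hits = detect(EVENTS)
    for user in escalate(hits):
        print(user, "->", "; ".join(hits[user]))
```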
## Response Actions
- **Containment:** Revocation of compromised session tokens and disabling of third-party app permissions.
- **Eradication:** Resetting passwords for all administrative accounts and enforcing hardware-based MFA where possible.
- **Recovery:** Restoring secure access to support portals and implementing enhanced logging for data exports.
## Lessons Learned
- **Supply Chain Fragility:** Security is only as strong as the least secure third-party integration partner.
- **Vishing Efficacy:** Human-centric attacks remain highly effective even against tech-savvy organizations.
- **OAuth Risks:** Over-permissioned "Connected Apps" provide a silent and persistent backdoor for attackers.
## Recommendations
- **Zero Trust Architecture:** Implement "Least Privilege" for all third-party integrations and CRM administrative roles.
- **Hardened MFA:** Transition from SMS/Push-based MFA to FIDO2/WebAuthn hardware keys to prevent vishing-based intercepts.
- **OAuth Auditing:** Regularly audit and prune "Connected Apps" and third-party scopes within CRM environments.
- **Continuous Monitoring:** Utilize Digital Risk Protection (DRP) to identify look-alike domains and leaked credentials before they are used in an active campaign.