Danish jewelry giant Pandora has disclosed a data breach after its customer information was stolen in the ongoing Salesforce data theft attacks.

Pandora is one of the largest jewellery brands in the world, with 2,700 locations and over 37,000 employees.

"We are writing to inform you that your contact information was accessed by an unauthorized party through a third-party platform we use," reads a Pandora data breach notification sent to customers.

"We stopped the access and have further strengthened our security measures."

As first reported by Forbes, only customers' names, birthdates, and email addresses were stolen in the attack. Passwords, IDs, and financial information were not exposed.

While Pandora has not shared the name of the third-party platform, BleepingComputer has learned that the data was stolen from the company's Salesforce database.

Since at least January 2025, if not earlier, threat actors have been conducting social engineering and phishing campaigns targeting companies' employees and help desks.

These attacks are designed to steal Salesforce credentials or trick employees into authorizing a malicious OAuth application to their Salesforce account.

Using this access, the threat actors download and steal the company's Salesforce database, which is then used to extort the company into paying a ransom to prevent the data from being leaked.

ShinyHunters confirmed to BleepingComputer that they are privately extorting companies and will perform a mass sale or leak of companies that do not pay a ransom in the future, like they did in the Snowflake data-theft attacks.

The threat actor also confirmed that the attacks are ongoing, so all companies should review Salesforce's recommendations on hardening their accounts.

"Salesforce has not been compromised, and the issues described are not due to any known vulnerability in our platform. While Salesforce builds enterprise-grade security into everything we do, customers also play a critical role in keeping their data safe — especially amid a rise in sophisticated phishing and social engineering attacks," Salesforce told BleepingComputer.

"We continue to encourage all customers to follow security best practices, including enabling multi-factor authentication (MFA), enforcing the principle of least privilege, and carefully managing connected applications. For more information, please visit: https://www.salesforce.com/blog/protect-against-social-engineering/."

Other companies impacted in these attacks include Adidas, Qantas, Allianz Life, and the LVMH subsidiaries Louis Vuitton, Dior, and Tiffany & Co.

However, BleepingComputer has been told that there are many more that remain undisclosed.