Skip to content
Supply chainContained

Leak at Pandora

In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data — names, email addresses and birth dates — while stating no passwords or payment data were taken.

Victim
Pandora

On 5 August 2025, Pandora — the Danish jewelry brand and the world's largest by volume — confirmed that customer data had been stolen through a compromised third-party platform used to manage its customer relationships.

The intrusion did not target Pandora's own infrastructure directly. Attackers gained access to the company's cloud-based CRM (Salesforce), reportedly through social-engineering of staff — the same wave of attacks that hit a series of major consumer brands during the summer of 2025. From there they exported customer records before the access was cut off.

Data exposed was limited to common contact information:

  • Customer names
  • Email addresses
  • Birth dates

Pandora stressed that no passwords, payment-card numbers, or other sensitive financial data were accessed.

Pandora notified affected customers, ran an internal audit with outside experts, reinforced its security controls, and warned recipients to be wary of phishing messages that could exploit the leaked details. The company said the incident had been contained and reported no evidence that the data had been published or misused.

Sources

  1. cybernews.comhttps://cybernews.com/security/pandora-data-breach-cyberattack/
  2. zataz.comhttps://www.zataz.com/pandora-cyberattaque-enjeux-cybersecurite-luxe/
  3. bitdefender.comhttps://www.bitdefender.com/en-us/blog/hotforsecurity/jewelry-giant-pandora-confirms-data-breach-customer-names-and-email-addresses-compromised
  4. next.inkhttps://next.ink/brief_article/pandora-victime-dune-cyberattaque-seules-des-donnees-courantes-ont-ete-copiees/

Related incidents

Supply chainContained

Leak at Mango

In October 2025, Spanish fashion retailer Mango disclosed that an external marketing service provider was breached, exposing customers' first name, country, postal code, email address and phone number; no passwords or banking data were affected.

Victim
Mango
Supply chainContained

Leak at Alltricks

In August 2025, French online cycling and sports retailer Alltricks had its Sendinblue/Brevo email-marketing system compromised; attackers sent customers convincing phishing emails from the brand's own infrastructure, exposing names, email addresses and purchase history.

Victim
Alltricks
Supply chainContained

Leak at Afflelou

In April 2025, French optical and hearing-aid retailer Alain Afflelou disclosed a breach caused by a vulnerability at a third-party CRM provider, exposing the personal and commercial data of thousands of customers and prospects.

Victim
Afflelou