Leak at Pandora
In August 2025, Danish jewelry maker Pandora disclosed a breach of a third-party CRM platform (Salesforce) in which attackers stole customer contact data — names, email addresses and birth dates — while stating no passwords or payment data were taken.
- Victim
- Pandora
On 5 August 2025, Pandora — the Danish jewelry brand and the world's largest by volume — confirmed that customer data had been stolen through a compromised third-party platform used to manage its customer relationships.
The intrusion did not target Pandora's own infrastructure directly. Attackers gained access to the company's cloud-based CRM (Salesforce), reportedly through social-engineering of staff — the same wave of attacks that hit a series of major consumer brands during the summer of 2025. From there they exported customer records before the access was cut off.
Data exposed was limited to common contact information:
- Customer names
- Email addresses
- Birth dates
Pandora stressed that no passwords, payment-card numbers, or other sensitive financial data were accessed.
Pandora notified affected customers, ran an internal audit with outside experts, reinforced its security controls, and warned recipients to be wary of phishing messages that could exploit the leaked details. The company said the incident had been contained and reported no evidence that the data had been published or misused.
Sources
- cybernews.comhttps://cybernews.com/security/pandora-data-breach-cyberattack/
- zataz.comhttps://www.zataz.com/pandora-cyberattaque-enjeux-cybersecurite-luxe/
- bitdefender.comhttps://www.bitdefender.com/en-us/blog/hotforsecurity/jewelry-giant-pandora-confirms-data-breach-customer-names-and-email-addresses-compromised
- next.inkhttps://next.ink/brief_article/pandora-victime-dune-cyberattaque-seules-des-donnees-courantes-ont-ete-copiees/