Red Hot Cyber
Cybersecurity is about sharing. Recognize the risk, combat it, share your experiences, and encourage others to do better than you.
ShinyHunters violates Gucci, Balenciaga, and Alexander McQueen: $7.4 million worth of records exposed

17 September 2025 10:31

Kering, the luxury and fashion giant, has officially announced that a data breach was perpetrated against customers of its leading brands, including Gucci, Balenciaga, and Alexander McQueen. ShinyHunters, the same threat actors we recently interviewed, managed to access users’ private information.

The breach, which occurred in April but was detected in June, exposed personally identifiable information (PII) tied to approximately 7.4 million unique email addresses.

No data regulated by the PCI-DSS standard, such as credit card numbers or bank account details, was exfiltrated. The files instead include names, email addresses, phone numbers, shipping addresses, and a “Total Sales” field indicating each customer’s cumulative spending.

The BBC reports that the attacker, who identified himself as Shiny Hunters, claimed to have negotiated a ransom in Bitcoin (BTC) with Kering starting in June via Telegram. Kering denies any ransom negotiations and confirms that it is adhering to law enforcement guidelines that require refusing ransom payments.

According to Kering’s statement, the attacker gained temporary unauthorized access via compromised internal credentials, likely collected through a phishing campaign targeting Salesforce SSO portals. The stolen dataset contains:

  • E-mail
  • Name and surname
  • Telephone number
  • Shipping address
  • Total sales

Analysis of a proof-of-concept sample revealed spending ranges from $10,000 to $86,000 per person, increasing concerns about spear-phishing. Kering has notified the relevant data protection authorities pursuant to Article 33 of the GDPR and communicated directly with affected customers via email.

Google’s Threat Analysis Group attributes a similar campaign, identified as UNC6040, to Shiny Hunters, noting the exploitation of stolen API tokens and the misuse of OAuth scopes to harvest credentials from other large companies.

All customers are advised to reset their passwords and review their account recovery settings for all email and e-commerce profiles. Being alert to unsolicited calls or emails requesting urgent action can help prevent subsequent fraud.

The editorial staff of Red Hot Cyber is composed of IT and cybersecurity professionals, supported by a network of qualified sources who also operate confidentially. The team works daily to analyze, verify, and publish news, insights, and reports on cybersecurity, technology, and digital threats, with a particular focus on the accuracy of information and the protection of sources. The information published is derived from direct research, field experience, and exclusive contributions from national and international operational contexts.