7.4 million luxury customers' data stolen — Gucci, Balenciaga, McQueen hit

Kering confirmed hackers stole data of 7.4 million customers via Salesforce.

Kering — parent of Gucci, Balenciaga, Alexander McQueen, Saint Laurent, and Brioni — confirmed hackers stole data of approximately 7.4 million customers. Names, emails, phone numbers, addresses. No credit cards — but contact details alone are a goldmine for targeted phishing.

What happened

Detected in June, occurred in April. Attackers accessed Kering's Salesforce systems. Shiny Hunters claimed responsibility. Same Salesforce attack pattern from August — now hitting luxury retail.

The Salesforce connection

Kering was breached through Salesforce. Same platform Google, Proofpoint, and Tenable were compromised through. Not a product flaw — an OAuth trust and access management problem.

What to do

  1. Audit Salesforce integrations. Every OAuth token. Revoke unused ones.
  2. Segment customer data. Restrict by role, log every query.
  3. Assume your data is public. Design security around that reality.
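
One way to work through step 1 offline, as an added example that is not part of the original article: a Python script that reads a CSV export of OAuth tokens and lists, per connected app, the tokens that were never used or have sat idle past a threshold. The column names are assumed to follow Salesforce's OAuthToken object, the 90-day threshold is an arbitrary choice, and every row in the sample is constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample export. Column names are assumed to follow Salesforce's
# OAuthToken object (AppName, UserId, LastUsedDate, UseCount); values are made up.
SAMPLE_EXPORT = """Id,AppName,UserId,CreatedDate,LastUsedDate,UseCount
0CPEXAMPLE001,Marketing Sync,005EXAMPLE01,2024-01-10T09:00:00Z,2025-06-01T12:00:00Z,412
0CPEXAMPLE002,Marketing Sync,005EXAMPLE02,2023-03-02T09:00:00Z,2023-04-15T08:30:00Z,7
0CPEXAMPLE003,Legacy Data Loader,005EXAMPLE03,2022-11-20T09:00:00Z,,0
0CPEXAMPLE004,Support Chat Widget,005EXAMPLE01,2025-05-20T09:00:00Z,2025-06-10T17:45:00Z,95
"""

def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp; an empty field means the token was never used."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def find_stale_tokens(csv_text, now, max_idle_days=90):
    """Return {app_name: [(token_id, user_id, reason), ...]} for tokens to review."""
    cutoff = now - timedelta(days=max_idle_days)
    stale = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        last_used = parse_ts(row["LastUsedDate"])
        if last_used is None or int(row["UseCount"] or 0) == 0:
            reason = "never used"
        elif last_used < cutoff:
            reason = f"idle {(now - last_used).days} days"
        else:
            continue  # recently used: leave in place
        stale[row["AppName"]].append((row["Id"], row["UserId"], reason))
    return dict(stale)

if __name__ == "__main__":
    now = datetime(2025, 6, 15, tzinfo=timezone.utc)  # fixed so the run is reproducible
    for app, tokens in sorted(find_stale_tokens(SAMPLE_EXPORT, now).items()):
        print(f"{app}: {len(tokens)} token(s) to review for revocation")
        for token_id, user_id, reason in tokens:
            print(f"  {token_id} user={user_id} ({reason})")
```

Grouping by app makes it easy to spot an integration whose every token is stale, which is a candidate for removing the connected app itself rather than individual tokens.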