By REBECCA RUTHERFORD
Los Alamos
For the Los Alamos Daily Post
Pandora, a global jewelry brand, confirmed last week that it was the victim of a cyberattack that allowed unauthorized access to some customer information.
Customers were informed by Pandora directly via email, which explained that the breach occurred through a third-party platform it uses, not its internal systems.
Bleeping Computer confirmed the third-party platform was Salesforce. The breach is part of an ongoing trend, running since at least January 2025, in which attackers use social engineering against employees and help desks on third-party platforms to exfiltrate customer data.
Image of email from Pandora to customers about data breach from Bleeping Computer. Courtesy photo
According to the email, no financial or highly sensitive information was compromised; however, the breach still affected personal data, including names, phone numbers, and email addresses. Pandora has attempted to reassure customers that the attack is under control and that its security systems have since been upgraded and reinforced.
The company made it clear that passwords, credit card details, and similar sensitive information were not part of the breach. That said, it is my feeling that even limited personal data can be used as a gateway for more targeted scams. If you’ve shopped at Pandora, you should be aware of the attack and its potential impacts on you.
What could an attacker do with this data? Customers' email addresses and other data could be used to craft high-quality phishing emails that would be very hard to detect. If any of Pandora's own data were leaked, it could be used to mimic the company's email addresses and formatting, making these emails look even more authentic. Pandora urged users concerned about their security to enable two-factor authentication on accounts linked to the exposed email address. The company also advised customers to watch for suspicious emails mimicking the company. As a precaution, it recommends avoiding clicking links or downloading attachments from unknown sources, which is always good advice.
Even though the company said passwords were not exposed, I’d recommend changing your password, along with the passwords on any other accounts tied to the affected email address. Never reuse a password; reuse is extremely bad cyber hygiene. If your password gets cracked in one place, it is very simple for attackers to search the internet and test known password/email combos on multiple sites.
Why attack a third-party platform like Salesforce instead of the company directly? It’s likely going to be a lot easier to get into a company's databases indirectly via a third-party vendor. Attackers don’t need much for a potential data breach. The stolen data can then be used to extort money from the companies with the threat of a data breach, and it can also be used for potential phishing attacks against customers. Yikes!
If you or a loved one has shopped at Pandora, be aware of this data breach, and that you could potentially be a target for phishing or similar attacks (vishing, smishing, etc.). Stay aware, be safe online, and don’t click that link!