Overview
French luxury brand Dior suffered a data breach that exposed customer and employee data. The intrusion is attributed to Chinese state-sponsored actors, likely DCHSpy, with links to the ShinyHunters group, and is reported to have reached Dior's data through a breach at a third-party vendor associated with parent company LVMH.
Technical Details:
- Attack Vector: A misconfigured AWS S3 bucket, likely belonging to a legacy CRM system, carried a bucket policy that allowed public reads ("Effect": "Allow", "Principal": "*") with no IAM-scoped access controls and no Condition block. The bucket was located with AI-driven scanning tools that query Shodan for exposed cloud assets.
- Exploitation: Attackers used a Python script (aws_s3_enum.py) to enumerate bucket contents through ListObjectsV2 API calls and pulled 100,000+ records, including customer PII (names, addresses, dates of birth, passport numbers, SSNs) and employee HR data (SSNs, payroll records). The data was exfiltrated to a C2 server (IP: 185.220.101.22) over HTTPS (TLS 1.3 with AES-256-GCM), so the transfer was indistinguishable from ordinary web traffic at the network layer.
- Persistence: Attackers kept access by minting temporary AWS credentials (STS session keys) from compromised IAM credentials and automated the pull with a cron job (*/5 * * * * aws s3 sync), re-syncing the bucket every five minutes.
- Impact: Stolen data was listed on BreachForums for $3,000–$5,000 per dataset, increasing risks of targeted phishing and fraud.
- AI Angle: Attackers used AI both to automate bucket discovery and to rank the stolen data by value (for example, high-net-worth customer profiles), taking advantage of the absence of an AI-assisted cloud security posture management (CSPM) program that would have flagged the public bucket first.
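The misconfiguration above (an Allow statement with "Principal": "*" and no Condition) can be caught by a static check before a scanner finds it. The following is an added example written for this post, not code from Dior or FireCompass: it audits a constructed weak policy of that shape, shows a hardened replacement that restricts access to one role, requires MFA (aws:MultiFactorAuthPresent) and denies plaintext transport, and checks that all four S3 Block Public Access flags are set. The bucket name, account ID and role name are placeholders.

```python
"""Static audit of an S3 bucket policy for the public-read pattern described
in the post, beside a hardened policy and a full Block Public Access setting.
Added example; the policies are constructed, not Dior's real configuration."""
import json

BUCKET = "legacy-crm-exports"                                     # placeholder
READER_ROLE = "arn:aws:iam::123456789012:role/crm-export-reader"  # placeholder
BUCKET_ARNS = [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"]

# Constructed: the weak statement from the post. Principal "*" with no
# Condition lets anyone list and download every object anonymously.
WEAK_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": ["s3:ListBucket", "s3:GetObject"],
        "Resource": BUCKET_ARNS,
    }],
}

# Constructed: hardened replacement. One named role, MFA required on the
# session, and an explicit Deny for requests that are not over TLS.
HARDENED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReaderRoleWithMFA",
            "Effect": "Allow",
            "Principal": {"AWS": READER_ROLE},
            "Action": ["s3:ListBucket", "s3:GetObject"],
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        },
        {
            "Sid": "DenyInsecureTransport",
            "Effect": "Deny",
            "Principal": "*",
            "Action": "s3:*",
            "Resource": BUCKET_ARNS,
            "Condition": {"Bool": {"aws:SecureTransport": "false"}},
        },
    ],
}

# Bucket-level Block Public Access: all four must be true for a later
# "Principal": "*" Allow statement to be rejected or ignored.
BLOCK_PUBLIC_ACCESS = {
    "BlockPublicAcls": True, "IgnorePublicAcls": True,
    "BlockPublicPolicy": True, "RestrictPublicBuckets": True,
}


def _as_list(v):
    return v if isinstance(v, list) else [v]


def _is_public_principal(principal):
    # "*" and {"AWS": "*"} both mean any principal, including anonymous callers.
    if principal == "*":
        return True
    return isinstance(principal, dict) and "*" in _as_list(principal.get("AWS", []))


def _requires_mfa(stmt):
    for op, kv in stmt.get("Condition", {}).items():
        if op in ("Bool", "BoolIfExists") and \
                str(kv.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
            return True
    return False


def audit_policy(policy):
    """Return a list of findings for the Allow statements; [] means nothing flagged."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", "<no Sid>")
        if _is_public_principal(stmt.get("Principal")) and "Condition" not in stmt:
            findings.append(f"{sid}: public principal with no Condition")
        if not _requires_mfa(stmt):
            findings.append(f"{sid}: no aws:MultiFactorAuthPresent condition")
    return findings


def block_public_access_complete(cfg):
    """True only when every Block Public Access flag is enabled."""
    return all(cfg.get(k) is True for k in BLOCK_PUBLIC_ACCESS)


if __name__ == "__main__":
    for name, pol in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(name, audit_policy(pol) or "OK")
    print("block public access complete:", block_public_access_complete(BLOCK_PUBLIC_ACCESS))
    print(json.dumps(HARDENED_POLICY, indent=2))
```

The public-principal test is deliberately conservative: AWS's own "public" determination treats a "*" principal that is narrowed by conditions such as aws:SourceVpce or aws:PrincipalAccount as non-public, so a real audit should also inspect those conditions. Apply the hardened policy with `aws s3api put-bucket-policy --bucket <bucket> --policy file://policy.json` and the flags with `aws s3api put-public-access-block --bucket <bucket> --public-access-block-configuration BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true`.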
Timeline:
- Breach Occurred: January 26, 2025. Unauthorized access to Dior’s CRM database.
- Breach Discovered: May 7, 2025, by Dior’s security team, triggering an investigation with third-party cybersecurity experts.
- Reported to Authorities: May 7, 2025, notified law enforcement and relevant data protection authorities (specific bodies not disclosed).
- Reported to Customers: July 18, 2025, via breach notification letters sent to U.S. customers, with additional notices in South Korea and China. Notifications included offers for 24 months of free Experian IdentityWorks credit monitoring.
FireCompass Mitigation:
FireCompass’s ASM platform continuously indexes the deep, dark, and surface web to discover misconfigured cloud assets like S3 buckets before attackers, using AI to prioritize risks. Its CART engine simulates multi-stage attacks, validating bucket access controls and reducing false positives by 80%. FireCompass’s PTaaS (Penetration Testing as a Service) ensures 100% asset coverage, identifying legacy CRM vulnerabilities.
>> Request a FireCompass demo to test bucket permissions
Additional Mitigation:
- Enable S3 Block Public Access at the account and bucket level, and require MFA in the policies that grant bucket access ("Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}).
- Deploy AI-driven CSPM tools (e.g., Prisma Cloud) alongside FireCompass.
- Turn on CloudTrail S3 data events for sensitive buckets and alert on ListObjects/GetObject calls from unexpected source IPs, bulk reads at a fixed cadence, or temporary (ASIA*) access keys used outside known egress ranges. Note that `aws cloudtrail describe-trails` only lists trail configuration; use `aws cloudtrail get-event-selectors --trail-name <trail>` to confirm data-event logging is actually enabled, since management-event-only trails never record object reads.
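The monitoring guidance above, turned into detection logic, as an added example written for this post (not Dior's or FireCompass's code): it runs over constructed CloudTrail S3 data-event records and flags three things the technical details describe, reads from the C2 IP listed under IoCs, temporary session keys used from addresses outside a trusted egress set, and a bulk ListObjects/GetObject burst inside the five-minute cadence of the attacker's cron job. The trusted IP, bucket name, key IDs and burst threshold are assumptions.

```python
"""Detect bucket enumeration and periodic bulk reads in CloudTrail S3 data
events. Added example; the log records are constructed samples, not real
telemetry. Requires S3 data-event logging: management-event trails do not
contain GetObject or ListObjects at all."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

IOC_IPS = {"185.220.101.22"}                # C2 IP listed under IoCs in the post
TRUSTED_IPS = {"203.0.113.10"}              # assumption: corporate egress (placeholder)
READ_EVENTS = {"ListObjects", "GetObject"}  # CloudTrail records ListObjectsV2 as ListObjects
WINDOW = timedelta(minutes=5)               # matches the */5 cron cadence in the post
BURST = 50                                  # assumption: tune to the bucket's normal load


def make_event(ts, ip, name, key, bucket="legacy-crm-exports"):
    """Build a trimmed CloudTrail S3 data-event record (constructed sample)."""
    return json.dumps({
        "eventVersion": "1.08",
        "eventTime": ts,
        "eventSource": "s3.amazonaws.com",
        "eventName": name,
        "sourceIPAddress": ip,
        "userIdentity": {"type": "IAMUser", "accessKeyId": key, "userName": "crm-export-svc"},
        "requestParameters": {"bucketName": bucket},
        "readOnly": True,
    })


def build_sample_log():
    """Constructed log: three benign reads, one attacker session, one grey case."""
    base = datetime(2025, 1, 26, 9, 0, tzinfo=timezone.utc)
    t = lambda s: (base + timedelta(seconds=s)).strftime("%Y-%m-%dT%H:%M:%SZ")
    lines = []
    # benign: corporate host, long-term AKIA key, a few object reads
    for s in (0, 40, 80):
        lines.append(make_event(t(s), "203.0.113.10", "GetObject", "AKIAEXAMPLELONGTERM"))
    # attacker: temporary ASIA session key from the IoC IP, listing then a bulk pull
    lines.append(make_event(t(5), "185.220.101.22", "ListObjects", "ASIAEXAMPLESESSION1"))
    for i in range(60):
        lines.append(make_event(t(6 + 3 * i), "185.220.101.22", "GetObject", "ASIAEXAMPLESESSION1"))
    # next cron tick: the sync lists the bucket again five minutes later
    lines.append(make_event(t(305), "185.220.101.22", "ListObjects", "ASIAEXAMPLESESSION1"))
    # grey: temporary key from an untrusted but non-IoC address, low volume
    lines.append(make_event(t(120), "198.51.100.7", "ListObjects", "ASIAEXAMPLESESSION2"))
    return lines


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def analyze(log_lines, window=WINDOW, burst=BURST):
    """Return a sorted list of (alert, accessKeyId, sourceIP) tuples."""
    alerts = set()
    per_actor = defaultdict(list)  # (accessKeyId, sourceIP) -> event times
    for line in log_lines:
        ev = json.loads(line)
        if ev.get("eventSource") != "s3.amazonaws.com" or ev.get("eventName") not in READ_EVENTS:
            continue
        ip = ev["sourceIPAddress"]
        key = ev["userIdentity"].get("accessKeyId", "")
        if ip in IOC_IPS:
            alerts.add(("ioc_ip", key, ip))
        # ASIA-prefixed keys are STS temporary credentials (the post's persistence method)
        if key.startswith("ASIA") and ip not in TRUSTED_IPS:
            alerts.add(("temp_key_untrusted_ip", key, ip))
        per_actor[(key, ip)].append(parse_time(ev["eventTime"]))
    # sliding window: any `burst` reads by one actor inside `window` is enumeration
    for (key, ip), times in per_actor.items():
        times.sort()
        j = 0
        for i in range(len(times)):
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= burst:
                alerts.add(("enumeration_burst", key, ip))
                break
    return sorted(alerts)


if __name__ == "__main__":
    for alert in analyze(build_sample_log()):
        print(*alert)
```

The same logic maps directly onto a CloudTrail Lake or Athena query grouped by accessKeyId and sourceIPAddress over a five-minute window; the sliding window here is the in-memory equivalent. The grey case (an ASIA key from an unlisted address with two reads) is flagged only on the credential-origin rule, which is the signal worth triaging first when the IoC IP is not present.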
IoCs:
- C2 IP: 185.220.101.22
- Malicious script: aws_s3_enum.py
- CloudTrail S3 data events: ListObjects/GetObject calls from the C2 IP, and bulk reads recurring every five minutes (the `aws s3 sync` cron cadence) under temporary ASIA* access keys
Outpace Attackers With AI-Based Automated Penetration Testing From FireCompass:
FireCompass is a single platform for AI-Powered Continuous Automated Red Teaming (CART), Pen Testing & NextGen Attack Surface Management