The Cost of Silence - Post-Breach Phishing After the Louis Vuitton Exposure

Jamieson O'Reilly
Jul 23, 2025
Introduction
There is a persistent misconception in cybersecurity response - that a breach lacking credential theft or malware means limited risk. It is a false sense of containment that continues to cost organisations long after the threat actor has moved on.
In early July 2025, Louis Vuitton disclosed a breach affecting customers across multiple countries. The company clarified that no passwords or payment data were compromised - a statement that suggests the fallout was expected internally to be minimal.
That assumption did not hold.
Within weeks, Dvuln identified a phishing campaign targeting real Louis Vuitton customers with a fabricated NFT drop invitation.
The campaign referenced a known artist, reused publicly available creative assets, and was credible enough to bypass the mental defences of brand-loyal recipients. This post-breach operation leveraged customer identity data, historical brand associations, and search-indexed content to create a phishing narrative that may have fooled even scam-savvy users.
This report outlines how it unfolded, why it worked, and what security and brand leaders need to take from it.
Background
On 2 July 2025, Louis Vuitton notified affected customers of a data breach. The incident impacted users in the United Kingdom, South Korea, Turkey, Italy, and Sweden. According to customer breach letters and subsequent media reports, the following data was exfiltrated:
Full name
Email address
Mobile number
Postal address
Full date of birth
Purchase history
The breach is believed to be linked to ShinyHunters, a well-known data extortion group responsible for similar attacks against Dior, Ticketmaster, Santander, AT&T, and Adidas.
Louis Vuitton’s public messaging focused on two key points: the breach was contained, and no passwords or payment information were accessed.
In our opinion, the statement was technically accurate but operationally incomplete.
The core risk in this case stemmed not from credential loss, but from high-fidelity identity data being matched to purchase history and reused against customers in a targeted phishing operation.
The NFT Scam - Exploiting Brand Trust and Searchable History
Between July 15 and July 21, multiple Reddit users began reporting receipt of a phishing email impersonating a Louis Vuitton NFT drop. The message claimed to promote a digital release in collaboration with digital artist Clara Bacou.

This scam did not rely on shock or urgency. Instead, it emulated authentic Louis Vuitton communications, borrowing the tone, formatting, and artwork associated with prior product campaigns. It reused real creative assets published by Clara Bacou in 2021 during a speculative concept release with Louis Vuitton.
Because this original artwork remains indexed online and attached to Clara’s name and the Louis Vuitton brand, any customer performing a basic credibility check would find confirmation that the collaboration once existed.
This is precisely the kind of phishing tactic that succeeds not through technical bypass, but through brand familiarity and subtle detail.
Scam Verified, But Quietly
Multiple Reddit posts explicitly describe the NFT email scam:
One customer directly stated that Louis Vuitton support confirmed the email was a scam. Another confirmed the same creative was reused across scam attempts. The earliest victim posts appear just over two weeks after the breach was disclosed - indicating quick operationalisation.
Yet, Louis Vuitton has not issued a public customer-wide warning about this specific campaign.
Their current public messaging includes the following excerpt:
“While we have no evidence that your data has been misused to date, phishing attempts, fraud attempts, or unauthorized use of your information may occur. You should never disclose your Louis Vuitton password to anyone, and you can rest assured that Louis Vuitton will never ask you to disclose it.”
The statement above does not align with customer reports that phishing activity did in fact occur and was acknowledged internally.
Artist Impersonation Confirmed - Clara Bacou Speaks
Dvuln contacted Clara Bacou directly to verify whether she was involved in a new Louis Vuitton NFT campaign. Clara confirmed:
“This is fake!”
“I had a few people notify me about it recently now but I wasn’t sure what to do or how to stop it?”

Clara’s artwork, originally published during Louis Vuitton’s 200th anniversary, became the core visual reused in the scam. While never part of a commercial NFT drop, the prior public association between Clara and the brand was enough to anchor the phishing message with legitimacy.

This demonstrates a broader threat model - attackers reusing legitimate legacy creative from public campaigns to build convincing pretexts. Brands rarely audit their own historic digital footprint for weaponisable content, but adversaries do.
Threat Tradecraft
The phishing campaign shows hallmarks of an adversary operating with discipline and a strong understanding of consumer trust mechanics:
Appeared to target only actual LV customers (indicating use of breach data)
Reused artwork tied to real artist-brand collaborations
Avoided payloads or malware; trusted the narrative alone
Matched brand tone, structure, and product framing
Appeared within a short window of the breach disclosure
Victims confirmed via Reddit that the scam email was credible
The operation shows restraint and precision. It did not attempt to steal passwords or install malware. It created an illusion of legitimacy - just enough to redirect customers into a secondary funnel (not yet attributed).
Governance and Data Ethics
From a cybersecurity and retail data governance standpoint, several issues require reflection:
Excessive Identity Retention
In 2025, the justification for storing plain-text full date of birth tied to a name, address, and transaction history is increasingly weak. Tokenisation and pseudonymisation options are widely available and standard practice among digitally mature firms.
Lack of Public Guidance
Internal acknowledgement of phishing should trigger external disclosure. The absence of a public scam advisory suggests legal and reputational containment took priority over customer risk reduction.
Insecure Creative Legacy
Brands often publish speculative, experimental, or historical creative works with no tracking or expiry. Once published, this content can become attack material years later. Legacy art is now a social engineering asset.
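The "Excessive Identity Retention" point above (and the later recommendation to reassess birthdate and full identity linkage) can be made concrete. The following is an added illustration, not code from Dvuln or Louis Vuitton: it takes a constructed customer record with the same field set listed in the breach letters and produces the pseudonymised copy that analytics and marketing systems would hold instead. The linkage key, record values and field names are all assumptions for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record with the field set the breach letters describe.
CUSTOMER = {
    "full_name": "Jane Example",
    "email": "Jane@Example.com",
    "mobile": "+44 7700 900123",
    "postal_address": "1 Example Street, London, W1A 1AA",
    "date_of_birth": "1988-04-17",
    "purchase_history": ["Neverfull MM", "Keepall 45"],
}

# Hypothetical linkage key: kept in a separate vault/HSM, never in the store that
# holds the pseudonymised records, so a dump of that store cannot be reversed.
LINK_KEY = b"hypothetical-key-held-in-separate-vault"

# Fields that, if dumped, let an attacker address a lure to a named person.
DIRECT_IDENTIFIERS = {"full_name", "email", "mobile", "postal_address", "date_of_birth"}


def link_token(value: str, key: bytes = LINK_KEY) -> str:
    """Keyed one-way token: the same customer always maps to the same token, so
    records can still be joined and de-duplicated without storing the email."""
    normalised = value.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def dob_to_age_band(dob: str, today: str) -> str:
    """Keep the coarse attribute that segmentation actually uses, not the full DOB."""
    born, now = date.fromisoformat(dob), date.fromisoformat(today)
    age = now.year - born.year - ((now.month, now.day) < (born.month, born.day))
    lower = (age // 10) * 10
    return f"{lower}-{lower + 9}"


def pseudonymise(record: dict, today: str) -> dict:
    """Minimised copy for analytics/CRM tooling: no name, contact details or DOB."""
    return {
        "customer_token": link_token(record["email"]),
        "age_band": dob_to_age_band(record["date_of_birth"], today),
        "purchase_history": list(record["purchase_history"]),
    }


def exposed_identifiers(store_record: dict) -> set:
    """Direct identifiers an attacker would obtain by dumping this record's store."""
    return DIRECT_IDENTIFIERS & set(store_record)
```

Comparing `exposed_identifiers(CUSTOMER)` with `exposed_identifiers(pseudonymise(CUSTOMER, "2025-07-23"))` shows the difference a dump makes: the pseudonymised store still supports purchase analysis, but yields no name, email, number, address or birthdate to build a lure around.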
Lessons for Defenders
Too many brands still equate absence of credential theft with safety. This is a flawed metric.
In high-trust consumer environments, customer relationships are forged through emotional investment in brand narrative, exclusivity, and identity. Phishing in this context doesn’t need to look suspicious. It just needs to look familiar.
Attackers are now weaponising:
Old creative
Real brand tone
Artist collaborations
Breached customer identity
Weak governance procedures post-breach
In many cases, attackers are more creative than defenders. And the biggest organisational blind spot is often the assumption that breach response is complete once a notification email is sent.
Recommendations
For Enterprises
Publicly confirm and document known scam campaigns tied to a breach
Reassess data collection practices, especially around birthdate and full identity linkage
Provide timely proactive alerts when internal support teams confirm phishing campaigns
Extend breach response to include phishing hunting and threat narrative mapping
For Regulators
Introduce mandatory reporting requirements for post-breach phishing incidents
Require justification and documentation for retaining sensitive PII beyond fulfilment
Consider plain-text DOB storage as sensitive under GDPR-equivalent schemes
Closing Thoughts
This campaign did not require malware. It did not require login pages. It used real data, real art, and real brand material to deceive real customers.
Louis Vuitton’s internal teams allegedly acknowledged the phishing attempts. The public was never told.
As defenders, we can no longer afford to define breach severity by whether or not passwords were lost.
Passwords can be reset.
Customer trust - not so easy.
Dvuln is continuing to monitor for phishing campaigns and creative-based impersonation linked to breach datasets. If your brand operates in a high-trust space, now is the time to think beyond the firewall and start thinking like your adversary.