Louis Vuitton Data Breach Class Action, Did Hackers Steal Your Personal Information?
A class action lawsuit filed in January 2026 claims Louis Vuitton North America Inc. failed to protect customers’ personal data from a preventable cyberattack — even after its own software vendor and Google publicly warned the company it was a target. The hackers, a group called ShinyHunters, stole names, addresses, dates of birth, driver’s license numbers, and partial Social Security numbers from Louis Vuitton’s Salesforce database. Louis Vuitton did not notify affected U.S. customers until August 22, 2025 — more than two months after the breach occurred. No settlement has been reached. This is an active litigation case.
| Field | Detail |
| Settlement Amount | No settlement — active litigation |
| Claim Deadline | TBD |
| Who Qualifies | U.S. consumers whose PII was exposed in the Louis Vuitton data breach |
| Payout Per Person | TBD |
| Proof Required | TBD |
| Settlement Status | Litigation phase — filed January 2026 |
| Administrator | No administrator assigned yet |
| Official Website | TBD |
Where things stand right now: The lawsuit, Winkler, et al. v. Louis Vuitton North America Inc., Case No. 1:26-cv-00702, is pending in the U.S. District Court for the Southern District of New York. No class has been certified, no settlement has been proposed, and no claim deadlines exist yet. A separate related lawsuit was filed in November 2025 in the Northern District of California — that case is part of a broader consolidation of Salesforce breach lawsuits against multiple companies.
A Phone Call Is All It Took — How ShinyHunters Got Into Louis Vuitton’s Database
Louis Vuitton didn’t get hacked through a sophisticated zero-day exploit. According to the lawsuit and cybersecurity researchers, a hacker group called ShinyHunters simply called Louis Vuitton employees on the phone, pretended to be IT support, and talked them into giving up access to the company’s Salesforce system.
The attackers impersonated IT support staff in phone calls to targeted employees, persuading them to visit Salesforce’s connected app setup page and enter a “connection code” — which linked a malicious version of Salesforce’s Data Loader app to the target’s Salesforce environment. This technique is called voice phishing, or “vishing.” Once connected, the attackers exported the customer database and then sent extortion emails demanding payment.
The lawsuit claims the ShinyHunters cyberattack on Salesforce and its corporate customers, including Louis Vuitton, began in May 2025. Louis Vuitton reportedly became aware of the breach on July 2, 2025, but U.S. customers did not receive notification until August 22 — nearly seven weeks later. The lawsuit treats that delay as its own form of negligence.
Salesforce and Google Both Warned Louis Vuitton. The Lawsuit Says the Company Ignored Them.
This is the part of the case that the plaintiff’s attorneys argue makes Louis Vuitton’s liability straightforward: the company had explicit, public, advance warning that this attack was coming — and failed to act.
On March 12, 2025, Salesforce published a blog post for its customers titled “Protect Your Salesforce Environment from Social Engineering Threats,” identifying the specific types of voice phishing attacks that would soon be used against Louis Vuitton and outlining five specific security measures the company should take. Then on June 4, Google’s Threat Intelligence Group echoed the warning publicly, flagging the ShinyHunters campaign by name.
The lawsuit alleges Louis Vuitton did none of it. Plaintiff Adriana Winkler claims the company failed to enable multi-factor authentication, restrict network access, and activate security tools already available inside its own Salesforce Shield subscription. In the complaint’s words, Louis Vuitton’s failure to act on these explicit warnings made the breach “highly preventable.”
The ShinyHunters campaign ultimately compromised data from 91 organizations worldwide, with victims including Adidas, Cartier, Chanel, Tiffany & Co., Qantas Airways, Air France-KLM, and Allianz Life. Louis Vuitton was not an isolated target — but that, the lawsuit argues, makes the failure to prepare harder to excuse, not easier.
Related article: Toyota Highlander Seat Recall, 550,000 SUVs Have a Second-Row Seat That May Not Lock in a Crash
Your Data Was in That Database — Here’s Whether This Lawsuit Could Apply to You
The lawsuit seeks to represent a nationwide class of all U.S. consumers whose personal information was compromised in the Louis Vuitton breach. Since no class has been certified yet, the exact eligibility criteria are still being defined by the court. Based on what the complaint states, you may qualify if:
- You are a U.S. resident who shopped at Louis Vuitton and provided personal information
- Your data — including your name, address, date of birth, driver’s license number, or partial Social Security number — was stored in Louis Vuitton’s Salesforce database
- You received a breach notification letter from Louis Vuitton on or after August 22, 2025
- You can document any time, money, or effort you spent dealing with the breach’s aftermath (credit monitoring, identity theft response, etc.)
You do not need to have experienced identity theft or fraud to potentially qualify. The lawsuit argues that the exposure of personal data is itself an injury — one that puts victims at ongoing risk of misuse, including sale of their information on the dark web.
No Claim Form Exists Yet — Here’s What to Do Right Now
No settlement has been reached, so there is no claim form to file today. Here’s how to protect yourself and position yourself for any future claims:
- Locate your notification letter. If Louis Vuitton mailed or emailed you a breach notice after August 22, 2025, save it. This document is your primary proof that your data was involved.
- Check your credit reports. Request free reports from Equifax, Experian, and TransUnion at AnnualCreditReport.com. Look for accounts you didn’t open or inquiries you don’t recognize.
- Consider a credit freeze. A credit freeze is free, reversible, and the most effective tool against identity theft. You can place one at all three bureaus in about 15 minutes.
- Document your response costs. Keep records of any money or time you spent responding to this breach — credit monitoring services, identity theft protection subscriptions, or hours spent disputing fraudulent activity.
- Monitor the court docket. Track Case No. 1:26-cv-00702 in the Southern District of New York via PACER at pacer.uscourts.gov for updates on class certification and any proposed settlement.
- Consult an attorney if you suffered financial harm. If you experienced direct financial loss or identity theft tied to this breach, an individual claim may be worth pursuing separately.
Estimated time to take these steps: 20–30 minutes.
From the Hack to the Courtroom — The Timeline of the Louis Vuitton Breach
| Milestone | Date |
| ShinyHunters campaign begins | May 2025 |
| Salesforce publishes vishing warning to customers | March 12, 2025 |
| Google Threat Intelligence Group issues public warning | June 4, 2025 |
| Breach occurs at Louis Vuitton | June 7, 2025 |
| Louis Vuitton becomes aware of breach | July 2, 2025 |
| Louis Vuitton notifies U.S. customers | August 22, 2025 |
| First class action filed (N.D. California) | November 2025 |
| Winkler class action filed (S.D. New York) | January 2026 |
| Class Certification Hearing | TBD |
| Settlement Proposed | TBD |
| Claim Deadline | TBD |
| Expected Payment Date | TBD |
Frequently Asked Questions
I got a letter from Louis Vuitton about a data breach — is this the same breach?
Almost certainly yes. Louis Vuitton sent breach notification letters to affected U.S. customers beginning August 22, 2025, following a cyberattack that hit its Salesforce customer database in June 2025. The letter you received is your documentation that your personal information was involved.
What data did the hackers actually take from Louis Vuitton customers?
According to the lawsuit, the stolen data includes names, home addresses, dates of birth, driver’s license numbers, and partial Social Security numbers. This combination is exactly the type of data identity thieves use to open fraudulent accounts, apply for loans, or file false tax returns in someone else’s name.
Does this lawsuit cover Louis Vuitton shoppers outside California?
The January 2026 Winkler lawsuit filed in New York seeks to cover a nationwide class of all U.S. consumers affected by the breach — not just California residents. The earlier November 2025 lawsuit in California was limited to that state. If a nationwide class is certified, Louis Vuitton customers across the country could be included.
Do I need a lawyer to be part of this class action?
No. Class members typically do not need their own attorney. If the case reaches settlement and a class is certified, eligible consumers will receive instructions on how to file a claim directly. You only need an attorney if you want to pursue an individual lawsuit or opt out of any class settlement.
Is this lawsuit legitimate?
Yes. The case is Winkler, et al. v. Louis Vuitton North America Inc., Case No. 1:26-cv-00702, in the U.S. District Court for the Southern District of New York. It was filed by attorneys from four nationally recognized firms: Hausfeld LLP, Girard Sharp LLP, and Lieff Cabraser Heimann & Bernstein LLP. You can verify it on PACER.
When will I receive any payment?
Too early to say. The case must be certified as a class action, a settlement must be negotiated and approved by the court, and claims must be processed. Data breach class actions involving large consumer databases typically take one to three years from filing to payout, depending on how the parties resolve the case.
Will a settlement payment be taxable?
Compensation for out-of-pocket losses related to a data breach — like identity theft costs or credit monitoring expenses — is generally not taxable. However, tax treatment depends on how any settlement structures its damages. Consult a tax professional once a settlement is finalized.
What if I never received a breach notification letter from Louis Vuitton?
Not everyone whose data was exposed necessarily received a letter. If you shopped at Louis Vuitton and provided personal information before June 2025, you may still have been affected. Save any purchase records you have and monitor the case docket for class certification news that may define eligibility more broadly.
Sources
- Case filing: Winkler, et al. v. Louis Vuitton North America Inc., Case No. 1:26-cv-00702, U.S. District Court for the Southern District of New York (January 2026) — available via PACER: pacer.uscourts.gov
- Google Threat Intelligence Group (GTIG): ShinyHunters/UNC6040 Salesforce vishing campaign advisory, June 4, 2025 — cloud.google.com/blog/topics/threat-intelligence
- Federal Trade Commission — Free credit freeze information: consumer.ftc.gov
Last Updated: March 31, 2026
Disclaimer: This article is for informational purposes only and does not constitute legal advice. Legal claims and outcomes depend on specific facts and applicable law. For advice regarding a particular situation, consult a qualified attorney.
About the Author
Sarah Klein, JD, is a licensed attorney and legal content strategist with over 12 years of experience across civil, criminal, family, and regulatory law. At All About Lawyer, she covers a wide range of legal topics — from high-profile lawsuits and courtroom stories to state traffic laws and everyday legal questions — all with a focus on accuracy, clarity, and public understanding.
Her writing blends real legal insight with plain-English explanations, helping readers stay informed and legally aware.
Read more about Sarah