While neither the third party that was breached nor the threat actor were named by Pandora, BleepingComputer has identified the third-party as Salesforce, as part of its wider investigation into a range of Salesforce-related data breaches, which have been going since at least January 2025.