NEWS

ShinyHunters Claims Mass Data Theft From 400 Firms via

Cybercrime group ShinyHunters claims to have exploited misconfigured Salesforce Experience Cloud instances to steal CRM data from approximately 400...

Dylan H.

News Desk

March 9, 2026
6 min read

ShinyHunters Claims 400 Victims in New Salesforce Aura Campaign

ShinyHunters, one of the most prolific data extortion groups in the cybercrime ecosystem, has claimed responsibility for an ongoing large-scale campaign targeting organizations using Salesforce Experience Cloud. The group claims to have compromised approximately 400 companies — including 100 high-profile firms — by exploiting a misconfiguration in the Salesforce Aura framework that allows unauthenticated guest users to query CRM data without logging in.

Salesforce has acknowledged that customers are being targeted and is warning organizations to review their Experience Cloud configurations, but maintains that the issue stems from customer misconfiguration rather than a platform vulnerability.


Incident Details

Attribute            Value
-------------------  ------------------------------------------------------------------
Threat Actor         ShinyHunters
Campaign Name        "Salesforce Aura Campaign"
Claimed Victims      ~400 companies, 100 described as "high-profile"
Target Platform      Salesforce Experience Cloud (Community sites)
Attack Method        Exploiting misconfigured guest user permissions on Aura API endpoint
Data Stolen          Names, phone numbers, CRM records
Tool Used            Modified AuraInspector (open-source Salesforce audit tool)
Salesforce Position  Platform is secure; issue is customer misconfiguration

Technical Details

The Vulnerable Endpoint

Attackers are targeting the /s/sfsites/aura API endpoint on publicly accessible Salesforce Experience Cloud (Community) sites. This endpoint is part of the Lightning Aura Components framework, which powers dynamic Experience Cloud pages.

How Misconfiguration Creates Risk

Salesforce Experience Cloud sites use a dedicated "guest user profile" that allows unauthenticated visitors to view public pages, submit forms, or access help content without logging in. This is an intentional feature for public-facing portals. However, when administrators grant the guest user profile excessive permissions — particularly access to Salesforce CRM objects — those objects become queryable via the Aura API without any authentication.

Normal behavior:
  Guest user → public FAQs and forms only
 
Misconfigured behavior:
  Guest user → direct API queries to CRM objects
             → names, phone numbers, account records, contacts
             → all exposed without login

ShinyHunters' Modified AuraInspector

When Mandiant released AuraInspector in January 2026 — an open-source tool designed to help Salesforce administrators identify access control misconfigurations — ShinyHunters claims they immediately weaponized it. The group says they modified the auditing tool to perform large-scale automated scanning of publicly accessible Salesforce instances, harvesting exposed CRM data at scale.


Data Stolen and Downstream Use

Data Type                            Downstream Risk
-----------------------------------  ------------------------------------------------------------
Customer names and contact details   Targeted phishing and vishing (voice phishing) campaigns
Phone numbers                        SMS phishing (smishing), SIM-swapping attacks
CRM account records                  Business email compromise, impersonation of business relationships
Internal org structure               Social engineering targeting employees

ShinyHunters has explicitly stated that harvested names and phone numbers are being used to fuel follow-on social engineering attacks, including voice phishing (vishing) campaigns against targeted individuals.


Impact Assessment

Impact Area                    Description
-----------------------------  --------------------------------------------------------------------------
Data Exfiltration              CRM records including contacts, leads, and account data stolen at scale
Social Engineering Enablement  Stolen data feeds targeted phishing and vishing attacks against exposed organizations' customers
Regulatory Exposure            GDPR, CCPA, and other privacy regulation breach notification obligations may be triggered
Customer Trust                 Downstream customers of affected companies now face increased social engineering risk
Reputational Damage            Organizations named as victims face public scrutiny

Recommendations

Immediate Actions for Salesforce Administrators

  1. Audit guest user profile permissions in all Experience Cloud sites immediately
  2. Review object access — ensure the guest user profile cannot access Contact, Lead, Account, or other CRM objects
  3. Run Salesforce's Health Check tool in Setup to identify misconfigured sharing settings
  4. Use the Salesforce Security Center to review all Experience Cloud site configurations

Identifying Misconfigured Sites

In Salesforce Setup:

  1. Navigate to: Experience Workspaces > [Your Site] > Administration > Members
  2. Check guest user profile permissions under Setup > Profiles > Guest User Profile
  3. Review object-level security (OLS) and field-level security (FLS) for the guest profile
  4. Ensure "Guest Access to Apex Classes" is restricted
  5. Check Sharing Settings — no CRM objects should use "Public Read Only" or higher
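The checklist above combines two controls: object-level read on the guest profile (step 3) and the org-wide sharing default for each CRM object (step 5). The script below is an added example, not code from the article, from Salesforce, or from Mandiant's AuraInspector; it rates a guest profile's exposure from an export of those two settings. The field names are modelled on Salesforce's ObjectPermissions and Profile objects (an assumption), and all records are constructed sample data.

```python
# Added example: audit a guest profile's object permissions and sharing settings.
# Field names are modelled on Salesforce's ObjectPermissions/Profile objects (assumption);
# every record below is constructed sample data, not an export from a real org.
CRM_OBJECTS = {"Contact", "Lead", "Account", "Opportunity", "Case"}
PERMISSIVE_OWD = {"Public Read Only", "Public Read/Write", "Public Read/Write/Transfer"}

SAMPLE_OBJECT_PERMS = [
    {"Profile": "Customer Community Guest User", "UserType": "Guest",
     "SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Profile": "Customer Community Guest User", "UserType": "Guest",
     "SobjectType": "FAQ__c", "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Profile": "Customer Community Guest User", "UserType": "Guest",
     "SobjectType": "Lead", "PermissionsRead": False, "PermissionsViewAllRecords": False},
    {"Profile": "System Administrator", "UserType": "Standard",
     "SobjectType": "Account", "PermissionsRead": True, "PermissionsViewAllRecords": True},
]
# External org-wide defaults (Sharing Settings) per object, also constructed
SAMPLE_SHARING = {"Contact": "Public Read Only", "Lead": "Private",
                  "Account": "Public Read Only", "FAQ__c": "Public Read Only"}

def audit_guest_profile(object_perms, sharing):
    """Return findings, worst first.
    critical: guest profile can read a CRM object AND the org-wide default (or View All)
              exposes its records, i.e. the Aura endpoint can serve them unauthenticated
    high:     guest profile has object-level read but sharing still restricts records
    medium:   CRM object's sharing is Public Read Only or wider, though no guest read yet"""
    findings = []
    flagged = set()
    for p in object_perms:
        obj = p["SobjectType"]
        if p["UserType"] != "Guest" or not p["PermissionsRead"] or obj not in CRM_OBJECTS:
            continue  # authenticated profiles and non-CRM objects (e.g. public FAQs) are fine
        owd = sharing.get(obj, "Private")
        sev = "critical" if owd in PERMISSIVE_OWD or p["PermissionsViewAllRecords"] else "high"
        findings.append({"profile": p["Profile"], "object": obj, "owd": owd, "severity": sev})
        flagged.add(obj)
    for obj, owd in sharing.items():  # step 5 of the checklist: a wide OWD alone is a finding
        if obj in CRM_OBJECTS and owd in PERMISSIVE_OWD and obj not in flagged:
            findings.append({"profile": None, "object": obj, "owd": owd, "severity": "medium"})
    rank = {"critical": 0, "high": 1, "medium": 2}
    return sorted(findings, key=lambda f: rank[f["severity"]])
```

In a real org the two inputs would come from SOQL against ObjectPermissions and from the Sharing Settings page; the scoring logic is the same.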

Detecting Exploitation Attempts

  • Monitor API logs for high-volume requests to /s/sfsites/aura endpoints
  • Alert on unusual guest user activity — large numbers of object queries from unauthenticated sessions
  • Review Salesforce Shield Event Monitoring for anomalous data access patterns
  • Check for AuraInspector signatures in user-agent strings in API request logs
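As an added example (not code from the article or from any Salesforce or Mandiant tool), the following script implements the first, second and fourth bullets above over request logs: it counts guest-session hits on /s/sfsites/aura per source address in a sliding window and separately flags user agents carrying an assumed tool marker. The log line format and the sample lines are constructed for this example, not Salesforce's real event log schema, and the "aurainspector" user-agent substring is an assumption to be replaced with whatever your own logs show.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log format for this example (not Salesforce's real event log schema):
# <ISO8601 time> src=<ip> user=<guest|username> ua="<user agent>" path=<path> status=<code>
LINE_RE = re.compile(r'^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) '
                     r'ua="(?P<ua>[^"]*)" path=(?P<path>\S+) status=(?P<status>\d+)$')
AURA_PATH = "/s/sfsites/aura"
UA_SIGNATURE = "aurainspector"  # assumed marker; tune to what your own logs show
SAMPLE_LOG = [  # constructed: 25 guest hits in 25 s, one tool-tagged hit, two normal hits
    f'2026-03-09T10:00:{i:02d}Z src=203.0.113.10 user=guest ua="python-requests/2.31" '
    f'path={AURA_PATH} status=200' for i in range(25)
] + [
    f'2026-03-09T10:05:00Z src=198.51.100.7 user=guest ua="AuraInspector/1.0" path={AURA_PATH} status=200',
    f'2026-03-09T10:05:02Z src=192.0.2.5 user=guest ua="Mozilla/5.0" path={AURA_PATH} status=200',
    f'2026-03-09T10:05:03Z src=192.0.2.5 user=alice@example.com ua="Mozilla/5.0" path={AURA_PATH} status=200',
]
def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None  # unparseable line: skip rather than crash the pipeline
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec
def detect(lines, window=timedelta(seconds=60), threshold=20):
    """Return (volume_alerts, ua_alerts): {src: peak count} for guest sources whose Aura
    requests exceed `threshold` inside any sliding `window`, and sources with the UA marker."""
    per_src = defaultdict(list)
    ua_alerts = set()
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["path"] != AURA_PATH:
            continue
        if UA_SIGNATURE in rec["ua"].lower():
            ua_alerts.add(rec["src"])
        if rec["user"] == "guest":  # only unauthenticated sessions count toward volume
            per_src[rec["src"]].append(rec["ts"])
    volume_alerts = {}
    for src, times in per_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # slide the window's left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            volume_alerts[src] = peak
    return volume_alerts, sorted(ua_alerts)
```

Authenticated traffic to the same endpoint is deliberately excluded from the volume count, since the page's concern is unauthenticated guest queries; a legitimate public site will need the threshold tuned against its normal baseline.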

If Your Organization Was Affected

  1. Revoke guest user object permissions immediately to stop ongoing data collection
  2. Inventory what data was exposed — review which CRM objects were accessible
  3. Assess notification obligations under applicable privacy regulations
  4. Notify affected customers if their personal data was exposed
  5. Report to Salesforce via their security reporting channel

Key Takeaways

  1. Misconfiguration, not vulnerabilities — this campaign exploits legitimate platform features that are incorrectly configured, highlighting why security hardening is as important as patching.
  2. ShinyHunters continues to evolve — the group rapidly weaponized a defensive audit tool within weeks of its release, demonstrating operational agility.
  3. Scale is staggering — 400 claimed victims across a single campaign reinforces the risk of misconfigured SaaS platforms as a systemic attack surface.
  4. Stolen CRM data powers future attacks — the real danger isn't just the initial data theft but the waves of targeted phishing and vishing that follow.
  5. Organizations using public-facing Salesforce Experience Cloud sites must urgently audit guest user profiles and object permissions.
  6. Defensive tools can be weaponized — the rapid adaptation of AuraInspector is a reminder that published security research and tools carry dual-use risk.

Sources

  • BleepingComputer — ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks
  • The Register — ShinyHunters Claims Yet Another Salesforce Customers Breach
  • CyberInsider — ShinyHunters Claims Hundreds of Victims in New Salesforce Aura Campaign
  • Mitiga — ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches