ShinyHunters Hackers Launch Massive Salesforce Attack

▼ Summary
– Salesforce is warning Experience Cloud customers to audit their sites due to active exploitation of misconfigured guest user permissions by threat actors.
– The ShinyHunters group claims responsibility, stating it has breached hundreds of companies and extracted data like names and phone numbers.
– Attackers use a customized open-source tool to scan for and harvest data from misconfigured public API endpoints on customer sites.
– Salesforce clarifies this exploits a customer configuration error, not a flaw in its platform security.
– Recommended actions include enforcing least-privilege access, disabling unnecessary public settings, and reviewing access logs.
Salesforce is urging customers of its Experience Cloud platform to immediately review their website security settings following a widespread data theft campaign. The software-as-a-service leader has observed a significant surge in attacks where threat actors are exploiting overly permissive guest user configurations on publicly accessible sites. This situation highlights a critical security gap, not in the Salesforce platform itself, but in how some organizations have set up their external-facing portals, potentially exposing sensitive data to unauthorized access.
The campaign is being executed by the notorious ShinyHunters hacking group, which has publicly claimed responsibility. The group asserts it has successfully compromised data from “several hundreds” of companies, including approximately 400 websites and 100 high-profile organizations. To carry out these intrusions, the attackers are using a customized version of an open-source security tool, originally developed by Mandiant, known as Aura Inspector. This tool allows for mass scanning of a specific Salesforce API endpoint to identify and extract data from misconfigured CRM objects that are unintentionally exposed.
According to Salesforce, the stolen information, which often includes personal details like names and phone numbers, is frequently weaponized for sophisticated follow-up attacks. This data becomes fuel for targeted social engineering and vishing (voice phishing) campaigns, enabling hackers to gain deeper network access and steal even more substantial datasets. This pattern of using initial data theft to enable broader network intrusion is a hallmark of advanced persistent threat groups.
Salesforce has emphasized that this incident stems from a “customer-configured guest user setting, not a platform security flaw.” The core issue is that some organizations have granted public guest users access to objects and data fields that should remain private. This misconfiguration creates a vulnerability that malicious actors can systematically discover and exploit.
In response, Salesforce has issued a detailed set of urgent recommendations for all Experience Cloud customers using guest user profiles. The primary directive is to conduct a thorough audit of guest user permissions and enforce a strict least-privilege access model: guest profiles should be restricted to the absolute minimum objects and fields required for the site's basic functionality.
Additional critical steps include ensuring the Default External Access for all objects is set to “private” and adjusting specific site and profile settings. Customers should uncheck “Allow guest users to access public APIs” in site settings and remove “API Enabled” from the guest user profile’s System Permissions. Furthermore, it is advised to disable “Portal User Visibility” and “Site User Visibility” in Sharing Settings to prevent guest users from enumerating internal staff members. For sites that do not require visitor self-registration, that feature should be disabled. Finally, organizations should proactively review their Aura Event Monitoring logs for any unusual or suspicious access patterns that might indicate a breach.
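The audit described in the two paragraphs above can be partly automated against the Profile metadata that Salesforce returns through the Metadata API (for example via the sf CLI). The following script is an added example written for this page; it is not code from the article, from Salesforce, or from the tool the attackers used. It uses the real Profile metadata elements (`objectPermissions`, `fieldPermissions`, `userPermissions` with the `ApiEnabled` permission name) and the `externalSharingModel` element of CustomObject metadata. The sample XML, the `FAQ__c` object, and the `ALLOWED_OBJECTS` allowlist are constructed for illustration and represent a hypothetical site policy.

```python
"""Audit a guest-user Profile (and an object's external sharing setting)
against the least-privilege steps recommended for Experience Cloud sites.

Added example: not from the article or from Salesforce. The XML below is
a constructed sample in the real Profile / CustomObject metadata format.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
GRANT_TAGS = ("allowCreate", "allowDelete", "allowEdit", "allowRead",
              "modifyAllRecords", "viewAllRecords")

# Hypothetical policy: the only object this site's guests legitimately need.
ALLOWED_OBJECTS = {"FAQ__c"}

# Constructed sample of a guest profile as retrieved from the Metadata API.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>FAQ__c</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Phone</field>
        <readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
    <userLicense>Guest User License</userLicense>
</Profile>
"""

# Constructed sample of a CustomObject definition (Default External Access).
SAMPLE_OBJECT = """<?xml version="1.0" encoding="UTF-8"?>
<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <label>Contact</label>
    <sharingModel>Private</sharingModel>
    <externalSharingModel>Read</externalSharingModel>
</CustomObject>
"""


def audit_guest_profile(xml_text, allowed_objects):
    """Return a list of findings: object/field grants outside the allowlist
    and the presence of the 'API Enabled' system permission."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("m:objectPermissions", NS):
        obj = perm.findtext("m:object", namespaces=NS)
        grants = [t for t in GRANT_TAGS
                  if perm.findtext(f"m:{t}", namespaces=NS) == "true"]
        if grants and obj not in allowed_objects:
            findings.append(f"object {obj}: guest granted "
                            f"{', '.join(grants)} but not on allowlist")
    for fp in root.findall("m:fieldPermissions", NS):
        field = fp.findtext("m:field", namespaces=NS)
        if (fp.findtext("m:readable", namespaces=NS) == "true"
                and field.split(".")[0] not in allowed_objects):
            findings.append(f"field {field}: readable by guest on "
                            "a non-allowlisted object")
    for up in root.findall("m:userPermissions", NS):
        if (up.findtext("m:name", namespaces=NS) == "ApiEnabled"
                and up.findtext("m:enabled", namespaces=NS) == "true"):
            findings.append("userPermissions: ApiEnabled is true; remove "
                            "'API Enabled' from the guest profile")
    return findings


def external_access_is_private(object_xml):
    """True only if the object's Default External Access is Private."""
    root = ET.fromstring(object_xml)
    return root.findtext("m:externalSharingModel", namespaces=NS) == "Private"


if __name__ == "__main__":
    for line in audit_guest_profile(SAMPLE_PROFILE, ALLOWED_OBJECTS):
        print("FINDING:", line)
    if not external_access_is_private(SAMPLE_OBJECT):
        print("FINDING: externalSharingModel is not Private")
```

Run against a real retrieval, each `Profile` file for a site's guest user and each `CustomObject` file would be passed in turn; every finding maps directly to one of the recommended remediation steps (tighten the object or field grant, remove "API Enabled", set Default External Access to private). The allowlist is the one judgment call a site owner must make: it should contain only what the public site demonstrably renders.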
This is not ShinyHunters’ first foray against Salesforce environments. The group has a documented history of targeting the platform’s customers, having executed connected campaigns throughout the previous year. This latest attack underscores the persistent threat posed by misconfigured cloud services and the importance of continuous security posture management beyond the vendor’s default settings.
(Source: InfoSecurity Magazine)