
ShinyHunters Targets Salesforce Experience Cloud in New Attack

Summary

– The ShinyHunters group is again targeting Salesforce customers by exploiting misconfigured guest user permissions, not a platform vulnerability.
– Attackers use a modified version of the open-source Aura Inspector tool to mass scan sites and query data through a public API without authentication.
– Salesforce advises customers to enforce “Least Privilege” access, disable public APIs where possible, and review guest user permissions to mitigate the threat.
– The stolen data, typically names and phone numbers, is used for social engineering and the group engages in cyber extortion to pressure victims.
– ShinyHunters claims to have compromised about 100 companies using this method since late 2025, having previously attacked via third-party integrations.

Salesforce customers are facing a renewed threat from the notorious ShinyHunters cybercrime group, which claims responsibility for a new wave of attacks. The company has confirmed an active campaign where malicious actors are not exploiting a software flaw but are instead manipulating a legitimate security tool. This attack specifically targets the Salesforce Experience Cloud by misusing a modified version of the open-source Aura Inspector tool. Originally developed by Mandiant for defensive auditing, the tool has been weaponized to scan public-facing sites and probe a specific API endpoint. If the guest user profile on a site is improperly configured with excessive permissions, attackers can query sensitive CRM data without needing to log in at all.

The core issue lies in access control misconfigurations. Salesforce emphasizes that the platform itself remains secure, but the risk emerges when organizations grant guest users more privileges than necessary. The company is urging all customers to immediately review and enforce a “Least Privilege” access model for guest user profiles. This means restricting access strictly to records that are explicitly required and shared. A critical recommendation is to disable public APIs for unauthenticated users, a move Salesforce describes as the single most impactful change to block this specific attack vector. Additionally, businesses should disable the self-registration feature if it is not essential for operations and ensure unauthenticated users cannot view or list internal user data.

Organizations should be vigilant for signs of compromise. Indicators can be found within Aura Event Monitoring logs and may include queries targeting objects that should not be public, unexpected traffic spikes from unfamiliar IP addresses, or access attempts occurring outside of normal business hours. Salesforce advises any customer who suspects their environment may have been affected to contact its Support team immediately. The data typically harvested in these incidents includes names and phone numbers, information that can fuel highly targeted social engineering and vishing campaigns.
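The three indicators above (guest queries against objects that should not be public, bursts of requests from unfamiliar IP addresses, and guest access outside business hours) can be checked mechanically once Aura request logs have been exported. The following triage script is an added example written for this page; it is not code from the article, from Salesforce, or from the Aura Inspector project. Its CSV layout (`timestamp,client_ip,user_type,object_name`), the allowlists, the business-hours window and the spike threshold are all assumptions for the example, not Salesforce's Event Monitoring schema, and the log lines it runs on are constructed.

```python
"""Triage constructed Aura request log lines for the three indicators named
in the article: guest queries against non-public objects, request bursts
from unfamiliar IPs, and guest access outside business hours.

ASSUMPTION: the CSV columns below are invented for this example. They are
not Salesforce's Event Monitoring schema; map the real exported columns
onto these names before running this against production logs.
"""
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample log lines (not real telemetry); IPs are RFC 5737 documentation addresses.
SAMPLE_LOG = """timestamp,client_ip,user_type,object_name
2026-02-03T10:02:11,203.0.113.7,Guest,PublicFAQ__c
2026-02-03T10:02:40,203.0.113.7,Guest,PublicFAQ__c
2026-02-03T02:14:09,198.51.100.23,Guest,Contact
2026-02-03T02:14:10,198.51.100.23,Guest,Contact
2026-02-03T02:14:11,198.51.100.23,Guest,User
2026-02-03T02:14:12,198.51.100.23,Guest,Account
2026-02-03T02:14:13,198.51.100.23,Guest,Contact
2026-02-03T11:30:00,192.0.2.5,Standard,Contact
"""

# Assumed site policy for the example: tune these to the real site.
PUBLIC_OBJECTS = {"PublicFAQ__c"}   # objects the site deliberately exposes to guest users
KNOWN_IPS = {"203.0.113.7"}         # baseline of familiar source addresses (constructed)
BUSINESS_HOURS = (8, 18)            # [start, end) hour in the org's local time
SPIKE_THRESHOLD = 4                 # requests from one unfamiliar IP that count as a spike


def parse_log(text):
    """Parse the assumed CSV layout into dicts with a datetime timestamp."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        row["timestamp"] = datetime.fromisoformat(row["timestamp"])
        rows.append(row)
    return rows


def guest_nonpublic_queries(rows, public_objects=PUBLIC_OBJECTS):
    """Guest requests that touched an object outside the intended public set."""
    return [r for r in rows
            if r["user_type"] == "Guest" and r["object_name"] not in public_objects]


def unfamiliar_ip_spikes(rows, known_ips=KNOWN_IPS, threshold=SPIKE_THRESHOLD):
    """Unfamiliar source IPs whose request count reaches the spike threshold."""
    counts = Counter(r["client_ip"] for r in rows if r["client_ip"] not in known_ips)
    return {ip: n for ip, n in counts.items() if n >= threshold}


def off_hours_guest_access(rows, hours=BUSINESS_HOURS):
    """Guest requests whose hour falls outside the business-hours window."""
    start, end = hours
    return [r for r in rows
            if r["user_type"] == "Guest" and not (start <= r["timestamp"].hour < end)]


def triage(text):
    """Run all three checks and return a summary a responder can act on."""
    rows = parse_log(text)
    nonpublic = guest_nonpublic_queries(rows)
    return {
        "nonpublic_objects": sorted({r["object_name"] for r in nonpublic}),
        "nonpublic_count": len(nonpublic),
        "ip_spikes": unfamiliar_ip_spikes(rows),
        "off_hours_count": len(off_hours_guest_access(rows)),
    }


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

On the constructed sample the script flags five guest queries against Contact, User and Account, a burst of five requests from one unfamiliar address, and five guest requests at around 02:00 local time. Any non-empty `nonpublic_objects` result is the finding to act on first, since it indicates that the guest profile can reach objects it was never meant to expose, which is exactly the misconfiguration the campaign depends on.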

The ShinyHunters group presents a direct extortion threat, often demanding payment to prevent the public leak of stolen data. The group claims to have been exploiting weak guest user configurations since late 2025 and to have adopted the modified Aura Inspector tool in early 2026 to increase the scale of its operations. It states that it has compromised approximately one hundred high-profile companies in this latest campaign. This is not the group’s first foray into attacks on Salesforce ecosystems; it has previously launched attacks through third-party integrations and connected apps. The situation underscores the continuous need for robust configuration management and proactive security reviews, even when using trusted enterprise platforms.

(Source: HelpNet Security)
