
ShinyHunters Claims New Salesforce Data Theft Attacks

Originally published on: March 10, 2026
Summary

– Salesforce warns that hackers are targeting misconfigured Experience Cloud sites where guest user profiles have excessive permissions, allowing unauthorized data access.
– The ShinyHunters extortion gang claims responsibility, stating they have exploited these misconfigurations to steal data from hundreds of companies.
– Salesforce emphasizes the issue stems from customer configuration errors, not a platform vulnerability, and provides mitigation steps like auditing guest permissions and disabling unnecessary API access.
– Attackers are using a modified version of Mandiant’s AuraInspector tool to scan for vulnerable sites and have developed their own tools to bypass query limits.
– ShinyHunters claims to have found a new method to bypass security fixes, though Salesforce maintains there is no inherent platform flaw and BleepingComputer could not independently verify the new claim.

Salesforce is alerting its user base to a targeted campaign where cybercriminals are exploiting misconfigured guest user permissions within the Experience Cloud platform, potentially exposing sensitive data. The company emphasizes this stems from customer security settings, not a flaw in its core software. Meanwhile, the notorious ShinyHunters extortion group publicly claims it is behind these attacks, asserting it has compromised hundreds of organizations by exploiting and bypassing data query limitations.

The guidance from Salesforce focuses on securing the `/s/sfsites/aura` API endpoint on publicly accessible Experience Cloud sites. When a guest user profile is set up with excessive permissions, anonymous visitors can directly query internal CRM objects without any authentication. The company stresses that Salesforce itself remains secure, attributing the issue entirely to customer-configured guest user settings. To counter these threats, administrators are urged to audit all guest user permissions rigorously and adopt the principle of least privilege.

The most critical step customers can take is to disable guest access to public APIs and remove the API Enabled setting from the guest profile. Additional immediate actions recommended by Salesforce include setting organization-wide defaults to Private for external objects, turning off Portal and Site User Visibility to prevent user enumeration, and disabling self-registration features unless absolutely necessary. System administrators should also monitor Aura Event Monitoring logs for suspicious activity, such as unusual access patterns or queries against private objects, and ensure a designated Security Contact is in place.

In a statement to BleepingComputer, Mandiant Consulting confirmed that threat actors are misusing its open-source AuraInspector tool to automate scans for vulnerable Salesforce environments. Charles Carmakal, Mandiant’s chief technology officer, noted the firm is collaborating with Salesforce to provide detection rules, clarifying that scanning activity in logs does not necessarily indicate a successful breach.

ShinyHunters, in posts on its data leak site, claims responsibility for these attacks. The group told BleepingComputer it began compromising companies with insecure Experience Cloud configurations in September 2025, using internet scans to identify vulnerable instances. Initially, a limitation in Salesforce’s GraphQL API restricted queries to 2,000 records at a time, but the hackers say they bypassed this using the `sortBy` parameter. After Mandiant released AuraInspector in January to help admins, ShinyHunters modified the tool for its own reconnaissance efforts, a tactic Salesforce’s advisory confirms.

The threat actors then developed a custom data theft tool, which BleepingComputer learned uses a distinctive user agent string: `Anthropic/RapeForceV2.01.39 (AGENTIC)`. This tool’s name bears similarity to the “RapeFlake” tool linked to earlier Snowflake data theft campaigns. ShinyHunters claims that after Salesforce addressed the `sortBy` bypass method, it discovered a new technique to circumvent the 2,000-record limit and has been using it discreetly. Furthermore, the group alleges it has now found a method to steal data from Aura instances even when they are properly configured, though BleepingComputer could not independently verify this claim.

When contacted, Salesforce reiterated its position that there is no vulnerability in its platform. The hackers suggest that customers can protect themselves by disabling “Public Access” to an instance, but they acknowledge this action also eliminates guest access, effectively turning a public website into a private portal. For its ongoing attacks, ShinyHunters says it is now using a user agent that mimics a standard web browser: `Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/120.0.0.0 Safari/537.36`.
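As an added defender-side example (not from the BleepingComputer report, Salesforce's advisory or Mandiant's AuraInspector), the Python below sketches the kind of review of Aura request logs the advisory recommends: it flags the tool user agent quoted above, guest reads of objects that should be Private, and repeated guest hits on the `/s/sfsites/aura` endpoint from one source regardless of user agent, since the browser-mimicking string makes user-agent matching alone insufficient. The event field names, object names and sample log are constructed for this example and are not Salesforce Event Monitoring's schema.

```python
from collections import Counter

# Constructed event schema for this example; field names are placeholders,
# not Salesforce Event Monitoring field names. One dict per request.
AURA_ENDPOINT = "/s/sfsites/aura"
KNOWN_TOOL_UA = "Anthropic/RapeForceV2.01.39 (AGENTIC)"
BROWSER_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "Chrome/120.0.0.0 Safari/537.36")
PRIVATE_OBJECTS = {"Contact", "Account", "Case", "Lead"}  # should be Private to guests
GUEST_VOLUME_THRESHOLD = 3  # guest hits per source IP in the window; tune for real traffic

def _ev(ip, user_type, ua, obj=None, path=AURA_ENDPOINT):
    return {"source_ip": ip, "user_type": user_type, "user_agent": ua,
            "path": path, "object": obj}

# Constructed sample log: a scanner using the tool UA, a browser-mimicking
# session paging through CRM objects as a guest, and benign traffic.
SAMPLE_EVENTS = [
    _ev("203.0.113.10", "Guest", KNOWN_TOOL_UA, "Contact"),
    _ev("203.0.113.20", "Guest", BROWSER_UA, "Contact"),
    _ev("203.0.113.20", "Guest", BROWSER_UA, "Contact"),
    _ev("203.0.113.20", "Guest", BROWSER_UA, "Account"),
    _ev("198.51.100.5", "Guest", BROWSER_UA, "Public_FAQ__c"),
    _ev("198.51.100.7", "Authenticated", BROWSER_UA, "Case"),
    _ev("198.51.100.9", "Guest", BROWSER_UA, None, path="/s/"),
]

def detect(events):
    """Return (rule, source_ip, detail) findings for requests to the Aura endpoint."""
    findings = []
    guest_hits = Counter()
    for e in events:
        if e["path"] != AURA_ENDPOINT:
            continue  # only the Aura API endpoint is in scope
        ip = e["source_ip"]
        if e["user_agent"] == KNOWN_TOOL_UA:
            findings.append(("known_tool_ua", ip, e["user_agent"]))
        if e["user_type"] == "Guest":
            guest_hits[ip] += 1
            if e["object"] in PRIVATE_OBJECTS:
                # Anonymous guest reading a should-be-private object: the misconfiguration signal
                findings.append(("guest_private_object", ip, e["object"]))
    for ip, n in guest_hits.items():
        if n >= GUEST_VOLUME_THRESHOLD:
            # Volume is user-agent independent, so a browser-like UA does not hide it
            findings.append(("guest_volume", ip, n))
    return findings
```

On the constructed sample, `detect(SAMPLE_EVENTS)` yields six findings: the tool user agent from one source, four guest reads of private objects, and one volume alert for the browser-mimicking source; the authenticated request and the non-Aura page view produce nothing.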

(Source: Bleeping Computer)
