ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites


Salesforce customers have, once again, been targeted by the ShinyHunters group – or, at least, that’s what the group claims.

Attackers modified and abused benign tool

On Saturday, Salesforce confirmed that its security team has identified an attack campaign by unnamed malicious actors looking to access customers’ data.

The attackers are not leveraging a vulnerability in the Salesforce platform, the company said, but are using a modified version of the open-source tool Aura Inspector – a tool originally developed by Mandiant – to:

  • Mass scan public-facing Experience Cloud sites
  • Probe their /s/sfsites/aura API endpoint
  • If the guest user profile has excessive permissions, query Salesforce CRM objects without logging in.

Salesforce urged customers to review their guest user permissions and enforce a “Least Privilege” access model by restricting access for guest users to needed records only and to explicitly shared records only.

It also advised them to make the necessary changes so that unauthenticated users can’t query data through API endpoints and can’t view or enumerate internal users. Finally, the company said, they should disable the self-registration option (if it’s not required).

“[Disabling public APIs] is the highest-impact single change you can make. It closes the Aura endpoint to unauthenticated API queries, which is the exact vector used in this campaign,” the company stated.

Salesforce also advised customers to notify the company’s Support team if they believe or suspect their environment has been affected. Possible indicators of compromise can be found in customers’ Aura Event Monitoring logs, and include queries targeting objects not intended to be public, unexpected spikes from unfamiliar IP addresses, or access outside normal business hours.
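As an added illustration (not code from the article, from Salesforce or from the Aura Inspector project), the three indicators listed above turned into a small triage pass over constructed log lines. The CSV layout, the set of intentionally public objects, the known-IP allowlist and the business-hours window are assumptions, not the real Aura Event Monitoring schema.

```python
import csv
import io
from collections import Counter
from datetime import datetime

# Constructed sample in a simplified CSV layout (assumption: the real
# Aura Event Monitoring export is not reproduced here).
SAMPLE_LOG = """timestamp,user_type,source_ip,object,endpoint
2026-02-10T10:05:00Z,Guest,203.0.113.7,Case,/s/sfsites/aura
2026-02-10T10:05:01Z,Guest,203.0.113.7,Contact,/s/sfsites/aura
2026-02-10T10:05:02Z,Guest,203.0.113.7,User,/s/sfsites/aura
2026-02-10T14:30:00Z,Guest,198.51.100.5,Knowledge__kav,/s/sfsites/aura
2026-02-11T02:15:00Z,Guest,203.0.113.9,Case,/s/sfsites/aura
2026-02-10T11:00:00Z,Standard,198.51.100.5,Contact,/s/sfsites/aura
"""

PUBLIC_OBJECTS = {"Case", "Knowledge__kav"}  # assumption: what the site means to expose
KNOWN_IPS = {"198.51.100.5"}                 # assumption: familiar source addresses
BUSINESS_HOURS = range(8, 18)                # assumption: 08:00-17:59 UTC
SPIKE_THRESHOLD = 3                          # guest requests per unfamiliar IP


def parse(text):
    """Parse the CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_indicators(rows, public_objects=PUBLIC_OBJECTS, known_ips=KNOWN_IPS,
                    spike_threshold=SPIKE_THRESHOLD):
    """Return (indicator, source_ip, detail) tuples for guest traffic on the Aura endpoint."""
    findings = []
    per_ip = Counter()
    for r in rows:
        # Only unauthenticated (guest) requests to the Aura endpoint are in scope.
        if r["user_type"] != "Guest" or r["endpoint"] != "/s/sfsites/aura":
            continue
        ts = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        if r["object"] not in public_objects:
            findings.append(("non_public_object", r["source_ip"], r["object"]))
        if ts.hour not in BUSINESS_HOURS:
            findings.append(("off_hours", r["source_ip"], r["object"]))
        if r["source_ip"] not in known_ips:
            per_ip[r["source_ip"]] += 1
    for ip, n in per_ip.items():
        if n >= spike_threshold:
            findings.append(("spike_unfamiliar_ip", ip, str(n)))
    return findings


if __name__ == "__main__":
    for finding in find_indicators(parse(SAMPLE_LOG)):
        print(finding)
```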

ShinyHunters: An old Salesforce foe

Salesforce says that the data harvested in these attacks is usually names and phone numbers, which can be used for follow-on targeted social engineering and vishing campaigns.

But a more immediate problem for the potentially affected companies is ShinyHunters’ usual course of action: cyber extortion, i.e., “pay not to get your stolen data leaked”.

The group claimed the breach on their data leak site and told Bleeping Computer that they’ve been compromising companies with insecure Experience Cloud access control configurations for guest users since September 2025, but modified and started using the AuraInspector tool in January 2026, when it was released “to help defenders identify and audit access control misconfigurations within the Salesforce Aura framework.”

The group has previously targeted Salesforce customers via third-party integrations (Salesloft / Drift) and connected apps (Gainsight).

ShinyHunters stated that they’ve stolen data from around 100 high-profile companies this time around.
