Salesforce has raised alarms regarding a new data theft campaign orchestrated by the infamous ShinyHunters cybercrime group.
Since mid-2025, ShinyHunters has been aggressively targeting Salesforce instances across various organizations through social engineering and other deceptive tactics.
The breaches disclosed last year led to millions of data records being compromised, with the ShinyHunters group claiming responsibility for the attacks.
Salesforce has clarified that these data breaches stem from phishing, misuse of third-party integrations, or misconfigurations, and not from vulnerabilities within its own products or systems.
In a blog post dated March 7, Salesforce cautioned customers about ongoing attacks that exploit misconfigurations or publicly accessible sites.
“We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than intended by the organizations,” Salesforce stated.
“It is crucial to understand that Salesforce remains secure and that these issues do not arise from any inherent vulnerabilities in our platform. Our ongoing investigation confirms that this activity is linked to customer-configured guest user settings, not a fault within our security framework,” the company added.
The company noted that the threat actor has used a modified version of an open-source tool named Aura Inspector, originally developed by Mandiant for auditing Salesforce Aura instances and identifying data exposures.
“While the original Aura Inspector is designed to identify vulnerable objects by probing specific API endpoints exposed by these sites (notably the /s/sfsites/aura endpoint), the actor has created a custom version of the tool that goes beyond mere identification. It can extract data by exploiting overly permissive guest user configurations,” Salesforce explained.
Although Salesforce has not explicitly named the threat actor, the ShinyHunters group has claimed responsibility for the attack, declaring that they have targeted “several hundreds of companies” as part of what they are calling the 'Salesforce Aura Campaign.'
The cybercriminal group has threatened to publish the stolen information from the targeted companies’ Salesforce instances if they fail to meet their extortion demands.
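
A defender-side check for the activity Salesforce describes, added here as an illustration and not taken from Salesforce, Mandiant or SecurityWeek: it flags source IPs that make bursts of guest POST requests to the /s/sfsites/aura endpoint. The log layout, thresholds and sample records are assumptions constructed for the example, and records are assumed to be in time order.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # endpoint named in Salesforce's advisory

# Constructed sample data. The column layout is an assumption for this example,
# not a Salesforce log schema:
# timestamp,client_ip,method,path,user_type,response_bytes
SAMPLE_LOG = """\
2030-01-01T10:00:00,198.51.100.20,POST,/s/sfsites/aura,Guest,1800
2030-01-01T10:00:02,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:04,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:06,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:08,192.0.2.44,POST,/s/sfsites/aura,Standard,90000
2030-01-01T10:00:10,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:12,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:14,203.0.113.7,POST,/s/sfsites/aura,Guest,50000
2030-01-01T10:00:20,198.51.100.20,GET,/s/article/faq,Guest,7000
2030-01-01T10:04:00,198.51.100.20,POST,/s/sfsites/aura,Guest,2100
"""

def flag_guest_aura_bursts(log_text, window=timedelta(minutes=1),
                           max_requests=5, max_bytes=200_000):
    """Return {client_ip: (peak_requests, peak_bytes)} for guest clients whose
    Aura traffic exceeds either threshold within one sliding window."""
    recent = defaultdict(deque)  # client_ip -> (timestamp, bytes) inside window
    flagged = {}
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 6:
            continue  # skip blank or malformed lines
        ts, ip, method, path, user_type, size = row
        is_aura = path.split("?", 1)[0].rstrip("/").endswith(AURA_PATH)
        if method != "POST" or user_type != "Guest" or not is_aura:
            continue  # only unauthenticated calls to the Aura endpoint matter
        now = datetime.fromisoformat(ts)
        hits = recent[ip]
        hits.append((now, int(size)))
        while now - hits[0][0] > window:  # drop entries older than the window
            hits.popleft()
        count, total = len(hits), sum(b for _, b in hits)
        if count > max_requests or total > max_bytes:
            peak = flagged.get(ip, (0, 0))
            flagged[ip] = (max(peak[0], count), max(peak[1], total))
    return flagged

if __name__ == "__main__":
    print(flag_guest_aura_bursts(SAMPLE_LOG))
```

The thresholds need tuning against a site's normal guest traffic, since legitimate public pages also call this endpoint.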
The implications of these incidents are significant, as they highlight the exposure organizations may face due to misconfigurations and the importance of robust security measures. Salesforce's proactive communication about the situation underscores its commitment to addressing potential risks and ensuring the security of its platform.
In light of these events, it is crucial for organizations using Salesforce to review their configurations and ensure they adhere to best practices regarding user permissions and data access controls.
As the situation develops, Salesforce continues to monitor the threat landscape and work towards providing guidance to its customers to mitigate risks associated with such cyberattacks.
Source: SecurityWeek News