ShinyHunters claims more high-profile victims in latest Salesforce customers data heist

Summary

ShinyHunters says it has stolen data from roughly 100 high-profile companies and nearly 400 websites in a campaign that targeted public-facing Salesforce Experience Cloud sites. The group allegedly used a modified version of Mandiant’s open-source AuraInspector scanner to find misconfigured guest user profiles and exfiltrate Salesforce CRM records.

Salesforce says the root cause is customer misconfiguration — guest user profiles granted overly broad permissions — not an inherent platform vulnerability. The company has issued guidance for customers to audit guest access and remove API permissions for guest users. Mandiant is working with Salesforce to supply telemetry and detection rules to help mitigate the threat.

Key Points

  • ShinyHunters claims data from ~100 high-profile firms and ~400 websites, naming Snowflake, Okta, LastPass, Salesforce, Sony and AMD among alleged victims.
  • Attackers targeted Experience Cloud sites where guest user profiles were misconfigured with excessive permissions, allowing unauthenticated access to CRM objects.
  • The group modified Mandiant’s AuraInspector tool to perform mass scanning and to bypass guest-user limits to exfiltrate object records.
  • Stolen fields reportedly include names and phone numbers used for follow-on social engineering and vishing campaigns.
  • Salesforce advises customers to audit guest user permissions, set external access to private, uncheck “Allow guest users to access public APIs” and disable “API Enabled” for guest profiles.
  • Mandiant notes that scanning activity alone does not prove a compromise and is collaborating with Salesforce on detection and mitigation.

Context and relevance

This incident is important because many organisations expose Experience Cloud portals as public entry points to CRM data. Misconfiguration — rather than exotic zero-days — is being weaponised at scale, letting attackers automate discovery and data extraction across many tenants.

If you run or administer Salesforce Experience Cloud, this is directly relevant: audit guest-user permissions now, apply least-privilege settings, and follow Salesforce’s advisory to reduce the risk of data leakage and downstream phishing fraud.
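
The guest-profile audit that the advisory and the paragraph above call for, as an added example (not code from the article, from Salesforce or from Mandiant): a Python script that evaluates records in the shape a SOQL query returns for the standard PermissionSet and ObjectPermissions objects and flags guest profiles that still have "API Enabled" set, "View All Records" on any object, or read access to core CRM objects. The SOQL queries and the Salesforce CLI invocation in the docstring are assumptions about how you would gather live input; the profile Ids, profile names and permission rows are constructed sample data.

```python
"""Offline audit of Salesforce guest-user profiles for least-privilege gaps.

Added example; not code from the article, Salesforce or Mandiant. It reads
records in the shape a SOQL query returns for the standard PermissionSet and
ObjectPermissions objects. Assumed way to gather live input with the
Salesforce CLI (output shape {"result": {"records": [...]}}):

  sf data query --json -q "SELECT ProfileId, Profile.Name, PermissionsApiEnabled
      FROM PermissionSet
      WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'"
  sf data query --json -q "SELECT Parent.ProfileId, SobjectType, PermissionsRead,
      PermissionsViewAllRecords FROM ObjectPermissions
      WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'"
"""
import json
from dataclasses import dataclass

# CRM objects whose records the campaign is reported to have scraped (names,
# phone numbers). Extend with any custom object that holds personal data.
SENSITIVE_CRM_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity", "User"}


@dataclass
class Finding:
    profile: str
    severity: str
    issue: str


def load_cli_output(text):
    """Extract the record list from `sf data query --json` output (assumed shape)."""
    return json.loads(text)["result"]["records"]


def audit_guest_profiles(permission_sets, object_perms):
    """Return findings: API-level flags first, then object-level flags."""
    names = {}
    findings = []
    for ps in permission_sets:
        pid = ps["ProfileId"]
        names[pid] = ps["Profile"]["Name"]
        # Salesforce guidance: "API Enabled" should be off for guest profiles;
        # with it on, an unauthenticated visitor can reach data via the API.
        if ps.get("PermissionsApiEnabled"):
            findings.append(Finding(names[pid], "high",
                                    "API Enabled is on; disable it for this guest profile"))
    for op in object_perms:
        pid = op["Parent"]["ProfileId"]
        profile = names.get(pid, pid)
        obj = op["SobjectType"]
        if op.get("PermissionsViewAllRecords"):
            # View All Records bypasses sharing rules for that object entirely.
            findings.append(Finding(profile, "critical",
                                    f"View All Records on {obj}: guests can read every {obj} row"))
        elif op.get("PermissionsRead") and obj in SENSITIVE_CRM_OBJECTS:
            findings.append(Finding(profile, "high",
                                    f"Read access on CRM object {obj}; confirm guests need it"))
    return findings


# Constructed sample rows: profile Ids and names are made up for illustration.
SAMPLE_PERMISSION_SETS = [
    {"ProfileId": "00e000000000001", "Profile": {"Name": "Partner Site Guest User"},
     "PermissionsApiEnabled": True},
    {"ProfileId": "00e000000000002", "Profile": {"Name": "Support Portal Guest User"},
     "PermissionsApiEnabled": False},
]
SAMPLE_OBJECT_PERMS = [
    {"Parent": {"ProfileId": "00e000000000001"}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"ProfileId": "00e000000000001"}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e000000000002"}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]


if __name__ == "__main__":
    for finding in audit_guest_profiles(SAMPLE_PERMISSION_SETS, SAMPLE_OBJECT_PERMS):
        print(f"[{finding.severity:8}] {finding.profile}: {finding.issue}")
```

On the sample data this reports the partner site's guest profile twice (API Enabled on, and View All Records on Contact) and the support portal's guest profile once (read on Case). Object read on the knowledge article object is not flagged, since public articles are a common legitimate guest use case. The per-site "Allow guest users to access public APIs" checkbox the advisory also mentions is an Experience Cloud site setting rather than a profile permission, so it is not covered by these object-level queries and still needs a separate check.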

Why should I read this?

Because if your organisation uses Salesforce, this could bite you hard. The crooks are scanning and scraping sites en masse, and a tiny misconfig slip can mean your customers’ data ends up in criminal hands. Read the fixes Salesforce recommends and patch up guest access — we’ve saved you the trouble of reading the raw thread and flagged the actions you should take immediately.

Source

Source: https://go.theregister.com/feed/www.theregister.com/2026/03/09/shinyhunters_claims_more_highprofile_victims/