ShinyHunters Claims More High-Profile Victims in Latest Salesforce Customers Data Heist

The Register — Networks
Mar 9, 2026

Why It Matters

Because guest‑user misconfigurations expose sensitive CRM data, the breach threatens millions of records and could fuel large‑scale social‑engineering campaigns, prompting enterprises to reassess cloud access controls.

Key Takeaways

  • ShinyHunters targeted ~100 high‑profile Salesforce customers.
  • Attack used modified AuraInspector to exploit guest‑user permissions.
  • Misconfigured guest profiles allowed unauthenticated data extraction.
  • Salesforce advises least‑privilege guest‑user settings immediately.
  • Breach may enable widespread phishing and voice‑phishing attacks.

Pulse Analysis

Salesforce Experience Cloud sites act as public portals into a company’s CRM, relying on a specially crafted guest‑user profile to serve unauthenticated visitors. When those profiles are granted excessive object and field permissions, they become a low‑effort gateway for attackers to query and download sensitive records without logging in. This architectural convenience, while valuable for customer self‑service, creates a blind spot that traditional vulnerability scanners often miss, making it an attractive target for threat actors seeking large‑scale data harvests.

ShinyHunters, an extortion‑focused group, has repurposed Mandiant’s AuraInspector scanning tool, extending its capabilities to bypass the default 2,000‑record limit for guest users and automate mass exfiltration. By compromising roughly 100 high‑profile organizations—including Salesforce, Snowflake, Okta, and AMD—the crew can harvest names, phone numbers, and other personal identifiers that feed downstream phishing and voice‑phishing campaigns. The group’s public claims underscore a shift toward commoditizing misconfiguration exploits, turning routine cloud‑admin oversights into profitable data‑theft operations.

In response, Salesforce urges customers to adopt a least‑privilege model for guest users, disable public API access, and set external object sharing to private. Security teams should audit guest‑user permissions regularly, monitor for anomalous AuraInspector‑style scanning activity, and enforce strict API governance. The broader lesson for the industry is clear: as SaaS platforms proliferate, misconfiguration risk management must become a core component of cloud security strategies, lest organizations continue to expose valuable data to opportunistic adversaries.
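As an added illustration of the audit recommended above (this is example code written for this page, not Salesforce or Mandiant tooling), the sketch below checks one exported guest-user profile against the three recommendations: least-privilege object access, no API access, and private external sharing. The profile name, the export shape and the allow-list are assumptions; the permission field names are modelled on Salesforce's ObjectPermissions and EntityDefinition objects.

```python
# Constructed sample: one guest-user profile as it might be exported for review.
# Field names are modelled on Salesforce's ObjectPermissions and EntityDefinition
# objects; the export shape itself is an assumption of this example.
GUEST_PROFILE = {
    "profile": "Support Portal Guest",  # hypothetical profile name
    "api_enabled": True,
    "object_permissions": [
        {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
        {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsEdit": True},
        {"SobjectType": "Case", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    ],
    "external_sharing": {"Contact": "Read", "Case": "Private", "Knowledge__kav": "Private"},
}

# Objects the site is meant to publish; everything else should be invisible to guests.
ALLOWED_READ = {"Knowledge__kav"}
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")


def audit_guest_profile(export, allowed_read):
    """Return sorted (severity, object, finding) tuples for one guest profile."""
    findings = []
    if export.get("api_enabled"):
        findings.append(("high", "*", "API access enabled for guest user"))
    for perm in export.get("object_permissions", []):
        obj = perm["SobjectType"]
        if any(perm.get(flag) for flag in BROAD_FLAGS):
            findings.append(("high", obj, "view/modify-all bypasses sharing"))
        if any(perm.get(flag) for flag in WRITE_FLAGS):
            findings.append(("high", obj, "guest can write records"))
        if perm.get("PermissionsRead") and obj not in allowed_read:
            findings.append(("medium", obj, "read access outside allow-list"))
    # Any external default other than Private exposes records beyond explicit shares.
    for obj, model in export.get("external_sharing", {}).items():
        if model != "Private":
            findings.append(("medium", obj, f"external sharing default is {model}"))
    return sorted(findings)


if __name__ == "__main__":
    for severity, obj, finding in audit_guest_profile(GUEST_PROFILE, ALLOWED_READ):
        print(f"{severity:6} {obj:16} {finding}")
```

Run on a schedule against each Experience Cloud site's guest profile, a non-empty result is the signal to review that profile before it is reachable from the public site.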
