ShinyHunters, the hacking group behind multiple high-profile data breaches over recent years, claims it has stolen data from around 100 major companies by exploiting misconfigurations in Salesforce’s Experience Cloud platform.
According to reports in The Register, the group has accessed information from roughly 400 websites and organisations, including Snowflake, Okta, LastPass, Sony, AMD and Salesforce itself.
Salesforce has confirmed that a “known threat actor group” is actively scanning public-facing Experience Cloud sites (the portals that expose CRM data to customers, partners and employees) and extracting data wherever the site’s configuration is overly permissive.
The company emphasised that the issue lies with customer-defined guest user profiles rather than an inherent flaw in the core Salesforce platform.
Experience Cloud sites can be configured to allow a guest user profile to view public pages and submit forms without requiring authentication.
If a guest profile is granted excessive object or field permissions, an unauthenticated visitor can query Salesforce CRM objects through the site and extract records that were never intended to be public.
How The Campaign Operates
Salesforce has said that attackers are using a modified version of AuraInspector, an open-source tool originally developed by incident response firm Mandiant to help administrators detect misconfigurations in Experience Cloud Aura endpoints (the Lightning framework endpoint that site pages call to load CRM data).
The modified variant reportedly enables mass scanning of public-facing Experience Cloud sites and can extract data if guest user permissions are too broad.
Salesforce’s advisory notes that the issue is not due to a security vulnerability in the platform itself, but rather in how some customers have configured guest user settings.
Misconfigured guest profiles with excessive API access or object permissions can allow unauthenticated users to query and retrieve CRM records.
Customers have been urged to audit guest user permissions, set default external access to “private”, disable guest access to public APIs, and remove API-enabled permissions from guest user profiles to reduce their exposure.
ShinyHunters’ History And Prior Incidents
ShinyHunters is a black-hat hacker group that first emerged around 2019 and has since been linked to a long list of breaches and data thefts across consumer and enterprise sectors.
According to public reports, the group often engages in “pay or leak” tactics, threatening to release stolen data unless a ransom is paid.
In 2024, the group was linked to a breach of Snowflake customer databases. Other reported incidents include breaches at consumer platforms and universities, with techniques ranging from phishing and social engineering to abuse of third-party integrations and misconfigurations in SaaS environments.
Why Misconfiguration Matters
The Salesforce incident underscores a wider truth in enterprise cybersecurity: misconfiguration remains one of the most common and dangerous attack vectors.
SaaS platforms like Salesforce provide extensive functionality and security controls, but when customers misconfigure permissions, particularly for public-facing features, they can unintentionally expose sensitive data to attackers.
In the Salesforce context, Experience Cloud sites are designed for flexibility, enabling companies to create portals for customers, partners and the public.
These sites rely on a dedicated guest user profile to serve non-authenticated users with public content. But if the permissions associated with guest profiles are too broad, they can allow access to protected CRM objects.
Industry reporting on both this incident and previous campaigns suggests that attackers often chain such misconfigurations with reconnaissance, scanning and automated exploitation to drive large-scale data theft with minimal effort.
Even highly reputed Fortune 500 companies can be tripped up by simple oversights in configuration.
What Organisations Can Do Now
In response to the campaign, Salesforce has recommended that customers immediately review guest user permissions across all Experience Cloud sites and enforce least-privilege access to all objects and fields.
Organisations should ensure default external access is set to private for all objects to prevent unauthenticated access, and guest user access to public APIs should be disabled.
API-enabled permissions should be removed from guest profiles.
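As an added example (not code from the article, from Salesforce or from Mandiant), the script below turns the review steps above into three SOQL queries against the standard Salesforce REST API and flags the conditions the advisory warns about: guest profiles with “API Enabled”, guest object permissions that reach CRM data, and objects whose default external access is not Private. The objects and fields queried (PermissionSet, ObjectPermissions, EntityDefinition) are standard; the REST path, the list of “sensitive” objects and the severity rules are this example’s own assumptions, and the demo at the bottom runs on constructed records so it works offline. The Setup-level toggle for guest access to public APIs is not covered by these queries and still needs a manual check.

```python
"""Audit Experience Cloud guest-user exposure through the Salesforce REST API.

Added example, not the article's or Salesforce's code. API path, sensitive-object
list and severity rules are assumptions; the SAMPLE records are constructed.
"""
import json
import urllib.parse
import urllib.request
from typing import Callable

API_VERSION = "v59.0"  # assumption: any current API version behaves the same

# Objects a guest profile should normally never read (assumption: tune per org).
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case", "User",
                     "ContentVersion", "Attachment", "EmailMessage"}

# 1. Guest profiles whose profile-owned permission set grants "API Enabled".
Q_GUEST_API = ("SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet "
               "WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'")
# 2. Every object permission held by a guest profile.
Q_GUEST_OBJ = ("SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
               "PermissionsCreate, PermissionsEdit, PermissionsDelete, "
               "PermissionsViewAllRecords, PermissionsModifyAllRecords "
               "FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true "
               "AND Parent.Profile.UserType = 'Guest'")
# 3. Org-wide default for external (guest and portal) users, per object.
Q_EXTERNAL_OWD = ("SELECT QualifiedApiName, ExternalSharingModel "
                  "FROM EntityDefinition WHERE IsCustomizable = true")


def rest_query(instance_url: str, access_token: str) -> Callable[[str], list]:
    """Return a SOQL runner for a live org that follows nextRecordsUrl paging."""
    def run(soql: str) -> list:
        url = f"{instance_url}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"
        records = []
        while url:
            req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
            with urllib.request.urlopen(req) as resp:
                page = json.load(resp)
            records.extend(page["records"])
            nxt = page.get("nextRecordsUrl")
            url = f"{instance_url}{nxt}" if nxt else None
        return records
    return run


def triage(query: Callable[[str], list]) -> list:
    """Run the three audits; return (severity, subject, detail) findings."""
    findings = []
    for ps in query(Q_GUEST_API):
        if ps["PermissionsApiEnabled"]:
            findings.append(("HIGH", ps["Profile"]["Name"], "API Enabled on guest profile"))
    for op in query(Q_GUEST_OBJ):
        prof, obj = op["Parent"]["Profile"]["Name"], op["SobjectType"]
        if op["PermissionsViewAllRecords"] or op["PermissionsModifyAllRecords"]:
            findings.append(("HIGH", prof, f"View/Modify All Records on {obj}"))
        elif obj in SENSITIVE_OBJECTS and (op["PermissionsRead"] or op["PermissionsEdit"]
                                           or op["PermissionsDelete"]):
            findings.append(("HIGH", prof, f"read/edit/delete on sensitive object {obj}"))
        elif op["PermissionsRead"]:
            # Create-only (e.g. a web form) is not flagged; plain Read needs a human decision.
            findings.append(("MEDIUM", prof, f"Read on {obj} (confirm this is meant to be public)"))
    for ed in query(Q_EXTERNAL_OWD):
        model = ed.get("ExternalSharingModel")
        if model not in (None, "Private", "ControlledByParent"):
            findings.append(("MEDIUM", ed["QualifiedApiName"], f"external OWD is {model}, not Private"))
    return findings


# Constructed sample responses standing in for a live org (not real data).
_ROW = {"PermissionsRead": False, "PermissionsCreate": False, "PermissionsEdit": False,
        "PermissionsDelete": False, "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False}
SAMPLE = {
    Q_GUEST_API: [{"Profile": {"Name": "Support Site Guest User"}, "PermissionsApiEnabled": True},
                  {"Profile": {"Name": "Partner Portal Guest User"}, "PermissionsApiEnabled": False}],
    Q_GUEST_OBJ: [
        {**_ROW, "Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsViewAllRecords": True},
        {**_ROW, "Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SobjectType": "Case",
         "PermissionsCreate": True},
        {**_ROW, "Parent": {"Profile": {"Name": "Partner Portal Guest User"}}, "SobjectType": "Knowledge__kav",
         "PermissionsRead": True},
    ],
    Q_EXTERNAL_OWD: [{"QualifiedApiName": "Account", "ExternalSharingModel": "Read"},
                     {"QualifiedApiName": "Contact", "ExternalSharingModel": "ControlledByParent"},
                     {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"}],
}


def demo() -> list:
    """Run triage() over the constructed SAMPLE instead of a live org."""
    return triage(lambda soql: SAMPLE[soql])


if __name__ == "__main__":
    for sev, subject, detail in demo():
        print(f"{sev:6} {subject}: {detail}")
```

Against a real org, replace the lambda in `demo()` with `rest_query(instance_url, access_token)` using a token from an admin with “View Setup and Configuration”. Salesforce caps EntityDefinition queries at 2,000 rows, so in a very large org split that query (for example by namespace prefix) rather than relying on paging.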
Companies are also encouraged to monitor system logs for unusual activity or large-scale scanning attempts, and to implement ongoing security reviews and employee training to reduce the likelihood of social engineering and misconfiguration-related exposures.
Looking Ahead
As the SaaS landscape continues to evolve, incidents like the current Salesforce campaign highlight the dual nature of cloud security: robust platforms can still be undermined by customer misconfigurations and human error.
Enterprises that treat cloud security as a one-time checklist rather than an ongoing process risk exposing sensitive data and eroding customer trust.
Regulatory scrutiny, market pressure and rising reputational risk mean that incidents of this scale will continue to have long-term implications for cloud security governance, access control and incident response.
UC Today has contacted Salesforce for comment.