Salesforce has issued a warning to its customers regarding a new campaign by the notorious ShinyHunters cybercrime group, which involves data theft and extortion.

Since mid-2025, ShinyHunters has targeted the Salesforce instances of numerous organizations, employing social engineering techniques and other deceptive tactics.

Last year's incidents led to the compromise and leak of millions of data records. Salesforce has stated that these breaches resulted from phishing attacks, misuse of third-party integrations, or misconfigurations, rather than vulnerabilities in its own systems.

In a blog post dated March 7, Salesforce cautioned its customers about ongoing attacks that exploit misconfigurations and publicly accessible sites. “We have identified a campaign where malicious actors are taking advantage of overly permissive Experience Cloud guest user configurations to access more data than intended by the organizations,” Salesforce noted.

The company reassured customers, stating, “It is important to note that Salesforce remains secure, and this issue is not due to any inherent vulnerability in our platform. Our investigations confirm that this activity is related to a customer-configured guest user setting, not a security flaw in the platform.”

Salesforce highlighted that the threat actor has misused a modified version of an open-source tool known as Aura Inspector, which was originally developed by Mandiant for auditing Salesforce Aura instances and identifying data exposures.

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints exposed by these sites (specifically the /s/sfsites/aura endpoint), the actor has created a custom version of the tool capable of extracting data, exploiting the overly permissive guest user settings,” Salesforce explained.

Although Salesforce has not specifically named the threat actor, the ShinyHunters group has claimed responsibility for the attack, asserting that it has targeted “several hundreds of companies” in what it refers to as the ‘Salesforce Aura Campaign’.

This cybercrime group has threatened to release sensitive information stolen from companies’ Salesforce instances if their extortion demands are not met. The situation highlights the significant risks associated with misconfigured security settings, especially in cloud environments.

Organizations using Salesforce are urged to review their configurations and ensure that guest user settings are appropriately restricted to mitigate the risk of unauthorized access to sensitive data.

In light of these developments, businesses are encouraged to implement comprehensive security measures, including employee training on phishing awareness and regular security audits to detect and rectify any misconfigurations.

Related News:

• Wynn Resorts Confirms Data Breach After Hackers Remove Information From Leak Site
• ShinyHunters-Branded Extortion Activity Expands, Escalates
• Hackers Extorting Salesforce After Stealing Data From Numerous Customers

Source: SecurityWeek News