Salesforce and ShinyHunters: ShinyHunters claims ongoing Salesforce Aura data theft attacks

Salesforce Customers Targeted in Data Theft Campaign via Misconfigured Experience Cloud Sites

Salesforce has issued a warning about hackers exploiting misconfigured Experience Cloud platforms, which inadvertently grant guest users excessive data access. The ShinyHunters extortion gang claims responsibility, alleging they’ve compromised 300–400 organizations, including around 100 high-profile cybersecurity firms, since September 2025.

Attackers are targeting the /s/sfsites/aura API endpoint, using a modified version of AuraInspector, an open-source auditing tool developed by Mandiant, to scan for misconfigured instances. Salesforce emphasizes that the issue stems from customer-configured guest user permissions rather than a platform vulnerability, and advises organizations to audit guest access and restrict it to the principle of least privilege.

Key mitigation steps include:

  • Disabling guest access to public APIs and removing the API Enabled setting from guest profiles.
  • Setting org-wide defaults to Private for external access.
  • Disabling Portal User Visibility and Site User Visibility to prevent user enumeration.
  • Reviewing Aura Event Monitoring logs for suspicious activity.
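As an added example (not code from the article, Salesforce, or Mandiant), the script below applies the first two checklist items offline to metadata retrieved from an org: it parses a guest-user Profile and the per-object sharing defaults in the Metadata API XML format, then reports where the guest profile still has API Enabled and which objects a guest could read org-wide. The element names (userPermissions/ApiEnabled, objectPermissions, externalSharingModel) are the real Metadata API ones; the profile and object documents are constructed samples, trimmed to the elements the audit reads. Portal/Site User Visibility and Aura Event Monitoring are not covered here.

```python
"""Offline audit of Salesforce guest-user exposure from Metadata API XML."""
import xml.etree.ElementTree as ET

# Namespace used by every Metadata API document.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample (not from a real org): a site guest-user profile as the
# Metadata API returns it, trimmed to the elements read below. "ApiEnabled" is
# the profile permission behind the "API Enabled" checkbox.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <custom>true</custom>
  <userLicense>Guest User License</userLicense>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><object>Contact</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><object>Case</object><viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><object>Lead</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowRead>false</allowRead><object>Opportunity</object><viewAllRecords>false</viewAllRecords>
  </objectPermissions>
</Profile>
"""

# Constructed sample: per-object metadata carrying the org-wide defaults.
# externalSharingModel is the "Default External Access" column; the value
# "Read" is how the Metadata API spells "Public Read Only".
OBJECT_XML = {
    "Contact": '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
               '<externalSharingModel>Private</externalSharingModel>'
               '<sharingModel>ReadWrite</sharingModel></CustomObject>',
    "Case": '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
            '<externalSharingModel>ReadWrite</externalSharingModel>'
            '<sharingModel>ReadWrite</sharingModel></CustomObject>',
    "Lead": '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
            '<externalSharingModel>Read</externalSharingModel>'
            '<sharingModel>ReadWrite</sharingModel></CustomObject>',
}


def parse_guest_profile(xml_text):
    """Return (api_enabled, {object: view_all_records}) for objects the guest can read."""
    root = ET.fromstring(xml_text)
    api_enabled = any(
        p.findtext("m:name", namespaces=NS) == "ApiEnabled"
        and p.findtext("m:enabled", namespaces=NS) == "true"
        for p in root.findall("m:userPermissions", NS)
    )
    readable = {}
    for op in root.findall("m:objectPermissions", NS):
        if op.findtext("m:allowRead", namespaces=NS) == "true":
            obj = op.findtext("m:object", namespaces=NS)
            readable[obj] = op.findtext("m:viewAllRecords", namespaces=NS) == "true"
    return api_enabled, readable


def external_owd(object_xml):
    """Org-wide default for external users; a missing element is treated as Private."""
    root = ET.fromstring(object_xml)
    return root.findtext("m:externalSharingModel", default="Private", namespaces=NS)


def audit_guest_exposure(profile_xml, objects_xml):
    """Apply the checklist: flag API access and objects a guest can read org-wide.

    A guest reaches records through the Aura endpoint only when the profile
    grants Read on the object AND either View All Records is set or the
    external org-wide default is not Private (guest sharing rules aside).
    """
    findings = []
    api_enabled, readable = parse_guest_profile(profile_xml)
    if api_enabled:
        findings.append("API Enabled is set on the guest profile; remove it")
    for obj, view_all in sorted(readable.items()):
        if view_all:
            findings.append(f"guest has View All on {obj}: every record is exposed "
                            "regardless of org-wide defaults")
            continue
        owd = external_owd(objects_xml[obj]) if obj in objects_xml else "unknown"
        if owd != "Private":
            findings.append(f"guest can read {obj} and external org-wide default "
                            f"is {owd}: set it to Private")
    return findings


if __name__ == "__main__":
    for line in audit_guest_exposure(GUEST_PROFILE_XML, OBJECT_XML):
        print("FINDING:", line)
```

Against the constructed samples the audit reports three findings (API Enabled, View All on Case, and Lead readable under a Public Read Only external default) and stays silent on Contact, whose external default is already Private, and on Opportunity, which the guest cannot read at all. To run it against a real org, retrieve the guest profile and the objects it can read with the Salesforce CLI (sf project retrieve start) and point the two inputs at those files; the point of the intersection logic is that neither the profile nor the org-wide defaults alone tells you what a guest can actually pull through /s/sfsites/aura.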

ShinyHunters claims to have bypassed Salesforce’s 2,000-record query limit using a sortBy parameter trick, though Salesforce reportedly patched this over the weekend. The group also alleges discovering a new method to extract data from properly configured instances, though this remains unconfirmed. Their custom tool, "RapeForceV2.01.39," mimics the naming convention of their previous "RapeFlake" tool used in Snowflake attacks.

Salesforce maintains that no platform vulnerability exists, but Mandiant confirms attackers are misusing AuraInspector for reconnaissance. The company recommends designating a Security Contact for rapid notifications and monitoring for unusual access patterns. ShinyHunters suggests disabling Public Access as a potential defense, though this would convert sites into private portals.

Source: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

Enterprise Security Tech cybersecurity rating report: https://www.rankiteo.com/company/enterprise-security-tech

Salesforce Experience Cloud cybersecurity rating report: https://www.rankiteo.com/company/salesforce-experience-cloud

"id": "ENTSAL1773088371",
"linkid": "enterprise-security-tech, salesforce-experience-cloud",
"type": "Breach",
"date": "9/2025",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': '300–400 organizations, ~100 '
                                              'cybersecurity firms',
                        'industry': ['Cybersecurity', 'Other'],
                        'type': 'Organization'}],
 'attack_vector': 'Misconfigured Experience Cloud Sites',
 'data_breach': {'data_exfiltration': 'Alleged',
                 'personally_identifiable_information': 'Potential'},
 'date_detected': '2025-09',
 'description': 'Salesforce has issued a warning about hackers exploiting '
                'misconfigured Experience Cloud platforms, which inadvertently '
                'grant guest users excessive data access. The ShinyHunters '
                'extortion gang claims responsibility, alleging they’ve '
                'compromised 300–400 organizations, including around 100 '
                'high-profile cybersecurity firms, since September 2025. '
                'Attackers are targeting the /s/sfsites/aura API endpoint, '
                'leveraging a modified version of AuraInspector, an '
                'open-source auditing tool developed by Mandiant, to scan for '
                'misconfigured instances.',
 'impact': {'brand_reputation_impact': 'Potential',
            'data_compromised': 'Yes',
            'identity_theft_risk': 'Potential',
            'systems_affected': 'Salesforce Experience Cloud platforms'},
 'initial_access_broker': {'entry_point': 'Misconfigured Experience Cloud '
                                          'Sites',
                           'high_value_targets': 'Cybersecurity firms'},
 'investigation_status': 'Ongoing',
 'motivation': 'Extortion, Data Theft',
 'post_incident_analysis': {'corrective_actions': ['Restricting guest access '
                                                   'to the principle of least '
                                                   'privilege',
                                                   'Disabling guest access to '
                                                   'public APIs',
                                                   'Patching the sortBy '
                                                   'parameter trick'],
                            'root_causes': 'Misconfigured guest user '
                                           'permissions, excessive data access '
                                           'for guest users'},
 'ransomware': {'data_exfiltration': 'Alleged'},
 'recommendations': ['Audit and restrict guest access to the principle of '
                     'least privilege',
                     'Disable guest access to public APIs and remove the API '
                     'Enabled setting from guest profiles',
                     'Set org-wide defaults to Private for external access',
                     'Disable Portal User Visibility and Site User Visibility',
                     'Review Aura Event Monitoring logs for suspicious '
                     'activity',
                     'Designate a Security Contact for rapid notifications',
                     'Monitor for unusual access patterns',
                     'Consider disabling Public Access to convert sites into '
                     'private portals'],
 'references': [{'source': 'Salesforce Advisory'},
                {'source': 'Mandiant'},
                {'source': 'ShinyHunters Claims'}],
 'response': {'containment_measures': ['Disabling guest access to public APIs',
                                       'Removing the API Enabled setting from '
                                       'guest profiles',
                                       'Setting org-wide defaults to Private '
                                       'for external access',
                                       'Disabling Portal User Visibility and '
                                       'Site User Visibility',
                                       'Reviewing Aura Event Monitoring logs '
                                       'for suspicious activity'],
              'enhanced_monitoring': 'Reviewing Aura Event Monitoring logs',
              'remediation_measures': ['Auditing and restricting guest access '
                                       'to the principle of least privilege',
                                       'Designating a Security Contact for '
                                       'rapid notifications',
                                       'Monitoring for unusual access '
                                       'patterns']},
 'threat_actor': 'ShinyHunters',
 'title': 'Salesforce Customers Targeted in Data Theft Campaign via '
          'Misconfigured Experience Cloud Sites',
 'type': 'Data Theft',
 'vulnerability_exploited': 'Excessive guest user permissions, misconfigured '
                            'guest access to public APIs'}