ShinyHunters Exploits Salesforce Experience Cloud Misconfigurations in Large-Scale Data Theft
The hacking group ShinyHunters has claimed responsibility for stealing data from approximately 100 major companies by exploiting misconfigurations in Salesforce’s Experience Cloud platform. According to reports, the group accessed information from around 400 websites and organizations, including high-profile targets like Snowflake, Okta, LastPass, Sony, AMD, and Salesforce itself.
Salesforce confirmed that a "known threat actor group" is actively scanning public-facing Experience Cloud sites (portals used for customer, partner, and employee interactions) that have overly permissive guest user configurations. The company clarified that the issue stems from customer-defined guest user profiles, not a vulnerability in Salesforce’s core platform.
How the Attack Works
Experience Cloud sites can be configured to allow guest users (unauthenticated visitors) to view public pages and submit forms. However, if these guest profiles are granted excessive permissions, attackers can query and extract CRM data that was never intended to be public.
ShinyHunters reportedly used a modified version of AuraInspector, an open-source tool originally designed by Mandiant to detect misconfigurations in Salesforce’s Aura endpoints. The altered tool enables mass scanning of public-facing sites, extracting data when guest permissions are too broad.
ShinyHunters’ Track Record
Active since 2019, ShinyHunters has been linked to numerous high-profile breaches, often employing "pay or leak" tactics, demanding ransoms to prevent data exposure. Recent incidents include the 2024 Snowflake breach, as well as attacks on universities and consumer platforms, leveraging phishing, social engineering, and SaaS misconfigurations.
The Broader Risk of Misconfiguration
This incident highlights a persistent cybersecurity challenge: misconfiguration remains a leading attack vector. While SaaS platforms like Salesforce offer robust security controls, human error in permission settings can expose sensitive data. Experience Cloud’s flexibility, designed for public-facing portals, becomes a liability when guest user profiles are improperly configured, allowing unauthorized access to CRM records.
Salesforce’s Response & Mitigation Steps
Salesforce has urged customers to:
- Audit guest user permissions across all Experience Cloud sites.
- Set default external access to "private" to block unauthenticated queries.
- Disable guest access to public APIs and remove API-enabled permissions from guest profiles.
- Monitor logs for unusual activity, such as large-scale scanning attempts.
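One way to turn the first three items above into a repeatable check, as an added example that is not from the article or from Salesforce: it assumes the three record sets are fetched with SOQL on Profile, ObjectPermissions and EntityDefinition (field names taken from the Salesforce object reference, here replaced by constructed rows), and the list of sensitive CRM objects is an assumption.

```python
"""Audit Experience Cloud guest-user settings against the mitigation list above.

Added example, not Salesforce's code. Rows are constructed to mimic results of
assumed SOQL queries on Profile (WHERE UserType = 'Guest'), ObjectPermissions
(joined to Parent.Profile) and EntityDefinition.ExternalSharingModel.
"""

# Constructed: guest profiles and whether the "API Enabled" permission is on.
GUEST_PROFILES = [
    {"Name": "Support Site Guest User", "PermissionsApiEnabled": True},
    {"Name": "Partner Portal Guest User", "PermissionsApiEnabled": False},
]

# Constructed: object permissions granted through those guest profiles.
GUEST_OBJECT_PERMS = [
    {"Profile": "Support Site Guest User", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Profile": "Support Site Guest User", "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"Profile": "Partner Portal Guest User", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]

# Constructed: default external access (org-wide default) per object.
DEFAULT_EXTERNAL_ACCESS = {"Contact": "Read", "Case": "Private",
                           "Knowledge__kav": "Read", "Account": "Private"}

# CRM objects treated as sensitive for unauthenticated readers (assumption).
SENSITIVE = {"Account", "Contact", "Lead", "Opportunity", "Case", "User"}
SEVERITY_ORDER = {"critical": 0, "high": 1}


def audit_guest_exposure(profiles, object_perms, external_access):
    """Return (severity, message) findings, most severe first."""
    findings = []
    for p in profiles:  # mitigation: remove API Enabled from guest profiles
        if p["PermissionsApiEnabled"]:
            findings.append(("high", f"{p['Name']}: API Enabled on a guest profile"))
    for op in object_perms:  # mitigation: audit guest object access
        obj = op["SobjectType"]
        if not op["PermissionsRead"]:
            continue  # no read access, so nothing for a guest to query
        if op["PermissionsViewAllRecords"]:
            findings.append(("critical", f"{op['Profile']}: View All on {obj} bypasses sharing"))
        elif obj in SENSITIVE and external_access.get(obj, "Private") != "Private":
            findings.append(("high", f"{op['Profile']}: reads {obj} while default "
                             f"external access is {external_access[obj]}, not Private"))
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]])
```

Run the audit after every site or profile change rather than once; a guest profile that is clean today can regain API Enabled or View All through a later permission set assignment.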
The incident underscores the need for ongoing security reviews rather than one-time configurations, as cloud environments evolve and threat actors refine their tactics. With regulatory scrutiny and reputational risks escalating, enterprises must treat access control and governance as continuous priorities.
Source: https://www.uctoday.com/unified-communications/salesforce-customer-data-breach-shinyhunters/