
Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign

Apr 07, 2026  Twila Rosenbaum

Salesforce has issued an urgent warning to its customers regarding a new data theft campaign led by the infamous ShinyHunters cybercrime group.

Since mid-2025, ShinyHunters has been actively targeting Salesforce instances belonging to various organizations, employing social engineering tactics and other methods to breach security.

Last year, the group disclosed several incidents that resulted in the compromise and leak of millions of data records.

According to Salesforce, these data breaches have predominantly stemmed from phishing attacks, misuse of third-party integrations, and misconfigurations rather than vulnerabilities inherent to Salesforce products or systems.

In a blog post dated March 7, Salesforce cautioned customers about the ongoing threat posed by these attacks, which exploit misconfigurations and publicly accessible sites.

Salesforce stated, “We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended.”

The company reassured users that its platform remains secure, emphasizing that the issues stem from customer-configured guest user settings rather than any flaws within Salesforce's security framework. “Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” the company added.

Salesforce noted that the threat actor has leveraged a modified version of an open-source tool known as Aura Inspector, originally developed by Mandiant for auditing Salesforce Aura instances and identifying data exposures.

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” Salesforce explained.

Although Salesforce has not explicitly named the threat actor, the ShinyHunters group has claimed responsibility for the attack, asserting that it has targeted “several hundreds of companies” as part of what it refers to as the ‘Salesforce Aura Campaign.’

The cybercrime gang has issued threats to release sensitive information stolen from the Salesforce instances of various companies unless their extortion demands are met.

In related news, Wynn Resorts has confirmed a data breach after hackers removed information from their leak site.

Recent reports indicate that ShinyHunters' extortion activities are expanding and escalating, posing a significant risk to organizations utilizing Salesforce’s services.

As the cybersecurity landscape continues to evolve, experts are advising organizations to review their security configurations and to stay vigilant against phishing and unauthorized access attempts.

Additional Context: As cyber threats become increasingly sophisticated, it is essential for companies to ensure that their systems are not only robust against external attacks but also properly configured to mitigate risks stemming from internal misconfigurations.


Source: SecurityWeek News

