Attack

ShinyHunters Exploits Salesforce Misconfigurations to Target 100 High-Profile Organizations

Take action: If you use Salesforce Experience Cloud, audit your guest user permissions immediately and enforce least-privilege access: disable public API access for guest profiles and set all object sharing to "private." Review your site for exposure through the /s/sfsites/ aura endpoint and check with Salesforce support for updated detection rules to identify any past malicious scanning activity.


Learn More

Salesforce and approximately 100 of its high-profile customers, including Sony, AMD, and Okta, have been targeted in a campaign claimed by the ShinyHunters threat group.

The campaign, reported in early March 2026, involves the systematic exploitation of misconfigured Salesforce Experience Cloud sites. ShinyHunters alleges they have stolen data from nearly 400 websites and 100 essential organizations over several months of active reconnaissance. The group claims to have accessed internal records from major tech firms, asserting that their exploitation campaign has been ongoing for a significant period.

The attackers utilized a modified version of Mandiant’s open-source tool, AuraInspector, to automate the scanning of public-facing Experience Cloud sites. By targeting the /s/sfsites/ aura API endpoint, the group identified sites where "guest user profiles" were inadvertently granted overly broad permissions. ShinyHunters claims to have developed a custom tool that bypasses the standard 2,000-record limit, allowing for the bulk exfiltration of Salesforce CRM objects without requiring authentication. 
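The scanning pattern described above (many unauthenticated Aura requests from a single client in a short window) is something a defender can look for in request telemetry. The following is an added example, not code from the article, Salesforce or Mandiant: it parses a constructed CSV-style request export (the column layout `timestamp,client_ip,user_type,uri,status` is an assumption for this example, not Salesforce's event-log schema) and flags guest clients that exceed a request-rate threshold against `/s/sfsites/aura`.

```python
"""Flag guest clients that issue scanner-like bursts of Aura requests.

Added example. Input format (CSV columns timestamp, client_ip, user_type,
uri, status) is assumed; the sample data is constructed, not real telemetry.
"""
from collections import defaultdict
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # Experience Cloud Aura endpoint named in the article
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_events():
    """Construct sample request lines: one guest client making 30 Aura calls
    in under a minute (scanner-like), one guest loading a page normally, one
    authenticated user making many Aura calls (expected for a logged-in
    session), and one guest hitting non-Aura paths. Constructed data."""
    base = datetime(2026, 3, 2, 10, 0, 0)
    lines = []
    for i in range(30):  # assumed scanner IP, 2-second cadence
        ts = (base + timedelta(seconds=2 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts},203.0.113.10,Guest,{AURA_PATH}?r={i},200")
    for i in range(3):  # normal guest page load: a few Aura calls
        ts = (base + timedelta(seconds=10 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts},198.51.100.7,Guest,{AURA_PATH}?r={i},200")
    for i in range(25):  # authenticated user: ignored by the guest filter
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts},192.0.2.44,Standard,{AURA_PATH}?r={i},200")
    for i in range(25):  # guest browsing static pages, not the Aura endpoint
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts},198.51.100.9,Guest,/s/article/{i},200")
    return "\n".join(lines) + "\n"


def parse_events(text):
    """Parse the assumed CSV layout into dicts with a datetime timestamp."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user_type, uri, status = line.split(",", 4)
        rows.append({
            "ts": datetime.strptime(ts, TS_FORMAT),
            "ip": ip,
            "user_type": user_type,
            "uri": uri,
            "status": int(status),
        })
    return rows


def find_aura_scanners(events, window=timedelta(minutes=5), threshold=20):
    """Return {client_ip: total_aura_requests} for guest clients that made at
    least `threshold` Aura requests inside any sliding window of `window`.
    Thresholds are tuning assumptions; calibrate against your site's baseline."""
    per_ip = defaultdict(list)
    for e in events:
        if e["user_type"] == "Guest" and e["uri"].startswith(AURA_PATH):
            per_ip[e["ip"]].append(e["ts"])

    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # advance the window start until it fits inside `window`
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    hits = find_aura_scanners(parse_events(build_sample_events()))
    for ip, count in hits.items():
        print(f"possible Aura scanning from {ip}: {count} guest requests")
```

Only the constructed scanner IP is reported; the authenticated user and the guest browsing static pages fall outside the filter, and the normal guest page load stays below the threshold. In practice the `user_type` signal would come from whatever field your telemetry uses to distinguish guest sessions, and the threshold should be set from an observed baseline for the site.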

The compromised data allegedly includes:

  • Full names
  • Phone numbers
  • Internal Salesforce CRM object records
  • Customer and partner interaction data
  • Employee contact information
  • Account metadata

The number of affected individuals is not disclosed.

Salesforce issued a security advisory clarifying that the incident stems from customer-side misconfigurations, not a platform vulnerability. The company recommended that administrators immediately audit guest user permissions and enforce a least-privilege access model. Mandiant confirmed it is working with Salesforce to provide telemetry and detection rules to help customers identify malicious scanning activity. Immediate mitigation steps include disabling public API access for guest users and ensuring all object sharing settings are set to "private."
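As an added example of the guest-permission audit recommended above (this is not Salesforce's or Mandiant's code), the script below evaluates rows shaped like the standard `PermissionSet` and `ObjectPermissions` objects together with an organization-wide default (OWD) map, and reports where a guest profile has API access enabled, holds write permissions, or can read an object whose external sharing default is not "Private". The SOQL strings are included for reference only and are not executed; the license name `Guest User License`, and the exact fields available, should be verified against your API version. The input data is constructed.

```python
"""Audit guest-profile object access on an Experience Cloud site.

Added example. Field names (PermissionsRead, PermissionsApiEnabled, ...) are
Salesforce's standard ones; the OWD map is assumed to be pulled from Setup or
the Metadata API and is represented here as a plain dict. Sample data is
constructed.
"""

# Reference queries for pulling real rows via the REST API (verify the license
# name and fields against your org; not executed in this example).
GUEST_PERMSET_SOQL = (
    "SELECT Id, Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    "WHERE IsOwnedByProfile = true AND Profile.UserLicense.Name = 'Guest User License'"
)
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT ParentId, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, "
    "PermissionsModifyAllRecords FROM ObjectPermissions WHERE ParentId IN (...)"
)

WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsViewAllRecords", "PermissionsModifyAllRecords")
SAFE_OWD = {"Private"}  # the article's recommended external sharing default


def audit_guest_access(permsets, object_perms, external_owd):
    """Return a list of findings, each a dict with profile, object, severity,
    issue and fix. `external_owd` maps SobjectType -> external OWD string."""
    by_id = {ps["Id"]: ps for ps in permsets}
    findings = []

    for ps in permsets:
        if ps.get("PermissionsApiEnabled"):
            findings.append({
                "profile": ps["Profile.Name"], "object": None, "severity": "high",
                "issue": "API Enabled is on for a guest profile",
                "fix": "Disable 'API Enabled' on the guest user profile",
            })

    for op in object_perms:
        ps = by_id.get(op["ParentId"])
        if ps is None:  # permission set not owned by a guest profile; skip
            continue
        profile = ps["Profile.Name"]
        obj = op["SobjectType"]
        writes = [p for p in WRITE_PERMS if op.get(p)]
        if writes:
            findings.append({
                "profile": profile, "object": obj, "severity": "high",
                "issue": f"guest has {', '.join(writes)}",
                "fix": "Remove all non-read object permissions from the guest profile",
            })
        if op.get("PermissionsRead"):
            owd = external_owd.get(obj, "Unknown")
            if owd in SAFE_OWD:
                findings.append({
                    "profile": profile, "object": obj, "severity": "low",
                    "issue": "guest can read; external OWD is Private",
                    "fix": "Confirm no guest sharing rules expose records",
                })
            else:
                findings.append({
                    "profile": profile, "object": obj, "severity": "high",
                    "issue": f"guest can read and external OWD is '{owd}'",
                    "fix": "Set the external organization-wide default to Private",
                })
    return findings


# Constructed sample rows, shaped like query results for the SOQL above.
SAMPLE_PERMSETS = [
    {"Id": "0PS000000000001", "Profile.Name": "Partner Site Guest User",
     "PermissionsApiEnabled": True},
]
SAMPLE_OBJECT_PERMS = [
    {"ParentId": "0PS000000000001", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsCreate": False},
    {"ParentId": "0PS000000000001", "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsCreate": True},
    {"ParentId": "0PS000000000001", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True},
]
SAMPLE_EXTERNAL_OWD = {"Contact": "Public Read Only", "Case": "Private",
                       "Knowledge__kav": "Private"}


def run_sample_audit():
    return audit_guest_access(SAMPLE_PERMSETS, SAMPLE_OBJECT_PERMS, SAMPLE_EXTERNAL_OWD)


if __name__ == "__main__":
    for f in run_sample_audit():
        print(f"[{f['severity']}] {f['profile']} / {f['object']}: {f['issue']} -> {f['fix']}")
```

On the constructed data the audit reports the API-enabled guest profile, the readable Contact object whose external default is not Private, and the Case create permission as high-severity findings, and the Knowledge read with a Private default as a low-severity item to confirm against sharing rules. The same logic applies unchanged to real query results once the SOQL above is run against your org.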
