Salesforce has issued another warning to customers as the notorious ShinyHunters cybercrime group has announced a new campaign involving data theft and extortion.
Since mid-2025, ShinyHunters has been targeting the Salesforce instances of many organizations using social engineering and other tactics.
The incidents disclosed last year resulted in millions of data records being compromised and leaked by ShinyHunters.
According to Salesforce, all the data breaches were the result of phishing, abuse of third-party integrations, or misconfigurations rather than vulnerabilities in its products or systems.
In a blog post published on March 7, Salesforce warned customers about ongoing attacks leveraging misconfigurations or publicly accessible sites.
“We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,” Salesforce said.
“It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” it added.
The company noted that the threat actor has abused a modified version of an open source tool called Aura Inspector, which Mandiant developed for auditing Salesforce Aura instances and identifying data exposures.
“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” Salesforce explained.
While the CRM vendor has not named the threat actor, the ShinyHunters group took credit for the attack, claiming to have targeted “several hundreds of companies” as part of what it calls the ‘Salesforce Aura Campaign’.
The cybercrime gang has threatened to release information stolen from companies’ Salesforce instances if they refuse to comply with their extortion demands.
Related: Wynn Resorts Confirms Data Breach After Hackers Remove It From Leak Site
Related: ShinyHunters-Branded Extortion Activity Expands, Escalates
Related: Hackers Extorting Salesforce After Stealing Data From Dozens of Customers
