ShinyHunters Breach Hundreds of Companies via Misconfigured Salesforce Experience Cloud
Summary
The cybercrime group ShinyHunters has claimed responsibility for a mass data theft campaign targeting Salesforce customers through misconfigured public-facing Experience Cloud sites. The group asserts it compromised approximately 100 high-profile companies, with security researchers estimating the true number of affected organizations could be between 300 and 400.
The attack exploited “overly permissive guest user configurations” — not a vulnerability in Salesforce’s core platform itself. ShinyHunters used a modified version of Aura Inspector, an open-source tool originally developed by Mandiant, to systematically scan for and exploit these misconfigurations. The campaign reportedly began as early as September 2025, with activity ramping up significantly in January 2026 after the modified tool was released.
Stolen data, primarily names and phone numbers, was subsequently leveraged for social engineering and vishing campaigns. Salesforce has issued warnings advising customers to review guest user permissions and implement least-privilege access models.
Source
Covered by SecurityWeek, CyberScoop, and Google Threat Intelligence.
Commentary
This is a masterclass in how configuration sprawl creates systemic risk. Salesforce isn’t “breached” — hundreds of individual customers misconfigured their own instances. But when a single tool can automate the exploitation of those misconfigurations at scale, the distinction between a platform vulnerability and a configuration epidemic becomes academic.
ShinyHunters continues to demonstrate that SaaS platforms are rich hunting grounds. The group doesn’t need zero-days when default configurations and overly permissive guest access hand them the keys. For any organization running Salesforce Experience Cloud, the action item is clear: audit your guest user permissions today. If you haven’t, you’re gambling that ShinyHunters hasn’t already found you.


