TechRadar
Sead Fadilpašić

ShinyHunters claims it's behind ongoing Salesforce Aura data theft assault, warns more attacks to come


  • ShinyHunters claim Salesforce Aura data theft
  • Attackers exploited misconfigured guest user permissions
  • Roughly 100 high-profile organizations reportedly impacted

Infamous ransomware operators ShinyHunters have claimed they are behind the ongoing Salesforce Aura data theft assault, and have warned that more attacks are to come.

Starting in September 2025, the crooks spent several months scanning public-facing Salesforce Experience Cloud instances, a platform that lets organizations build web portals connected directly to their Salesforce CRM data.

For the scanning, they used a modified version of AuraInspector, a misconfiguration detection tool originally developed by Mandiant. The tool probed exposed API endpoints to identify portals where guest user profiles had excessive permissions.

Research preview

After identifying vulnerable sites, the attackers used a separate, unnamed custom tool to bypass the guest user record limits and extract Salesforce CRM data without authentication. The stolen information, including names and phone numbers, was then used for follow-on social engineering and voice phishing campaigns.

Speaking to The Register, a spokesperson for the hacking collective confirmed that roughly 100 high-profile organizations were affected by this campaign:

"Have stolen data from almost 400 websites and about 100 essential high profile companies Snowflake, Okta, Lastpass, Salesforce itself, Sony, AMD, and a lot more," the person allegedly said. Recon and exploitation "has been going on for several months now," they added.

This past weekend, Salesforce warned its customers about a "known threat actor group" that was actively scanning public-facing Experience Cloud sites. It did not want to say how many companies fell victim, or how much data was stolen, but it did say that the crooks were not exploiting a vulnerability:

"This issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions," a representative said.

However, the group apparently told CyberInsider it was indeed exploiting a flaw in the product. "However, they have decided not to disclose any details about the flaw until the exploitation phase is over," the publication claims.

So far, the companies ShinyHunters mentioned are keeping quiet, with the exception of LastPass, which said it was looking into the claims.

