Salesforce has alerted its customers about a significant data breach campaign orchestrated by the cybercriminal group ShinyHunters, known for its involvement in data theft and extortion. The group has reportedly launched a new effort targeting Salesforce, leveraging social engineering and other sophisticated tactics since mid-2025.
Details of the Data Breach
The recent wave of attacks has compromised millions of data records. Salesforce clarified that the breaches stemmed from phishing schemes, misuse of third-party integrations, and configuration errors, rather than any inherent vulnerabilities in their systems. In a blog post published on March 7, Salesforce highlighted attacks that exploit misconfigurations or publicly accessible sites.
The company stated, “We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than intended.” They emphasized that the security of Salesforce’s platform remains intact, attributing the issue to customer-configured settings.
Technical Exploits and Tools
The threat actors have utilized a modified version of an open-source tool, Aura Inspector, originally developed by Mandiant. This tool was intended for auditing Salesforce Aura instances and identifying potential data exposures. However, ShinyHunters adapted it to not only identify vulnerabilities but also extract data by exploiting lax guest user settings.
Salesforce explained that while the original tool could only probe API endpoints to identify vulnerable objects, the custom version developed by the attackers could also extract data, which underlines the risk of overly permissive configurations.
Implications and Future Threats
Although Salesforce did not specifically name the threat actor, ShinyHunters has claimed responsibility for what it calls the ‘Salesforce Aura Campaign.’ The group has threatened to release the stolen data should the targeted companies refuse to meet its extortion demands. Reports indicate that hundreds of companies have been affected by this campaign.
As companies grapple with the implications of these breaches, the need for stringent security measures and configuration reviews becomes paramount. Salesforce continues its investigation and urges customers to review and adjust their security settings to prevent further exploitation.
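One way to begin such a configuration review, shown here as an added example that is not from Salesforce or the original article: parse the Experience Cloud site's guest user profile, exported as Metadata API XML, and flag object and user permissions that exceed plain read access. The profile content is constructed sample data, and the function names and the choice of which permissions to flag are assumptions of this example.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}  # Metadata API namespace
# Object rights beyond plain read; flagging them on a guest profile is this example's policy.
WRITE_FLAGS = ("allowCreate", "allowEdit", "allowDelete", "viewAllRecords", "modifyAllRecords")
# User permissions flagged when enabled for guests (reviewer's choice, an assumption).
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllUsers"}

# Constructed sample; elements left out are treated as false by the audit below.
SAMPLE_PROFILE = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions>
    <allowRead>true</allowRead><object>Account</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>true</allowRead><allowEdit>true</allowEdit><object>Contact</object>
  </objectPermissions>
  <objectPermissions>
    <allowRead>false</allowRead><object>Opportunity</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
  <userPermissions><enabled>false</enabled><name>ViewAllUsers</name></userPermissions>
</Profile>
"""

def is_true(node, tag):
    """True when the child element <tag> exists and holds the text 'true'."""
    return node.findtext(f"sf:{tag}", default="false", namespaces=NS).strip() == "true"

def audit_guest_profile(profile_xml):
    """Return (severity, subject, detail) findings for Profile metadata XML."""
    root = ET.fromstring(profile_xml.strip())
    findings = []
    for perm in root.findall("sf:objectPermissions", NS):
        obj = perm.findtext("sf:object", default="?", namespaces=NS)
        granted = [flag for flag in WRITE_FLAGS if is_true(perm, flag)]
        if granted:
            findings.append(("high", obj, ",".join(granted)))
        elif is_true(perm, "allowRead"):
            # Read alone may be intended; confirm sharing limits what guests see.
            findings.append(("review", obj, "allowRead"))
    for perm in root.findall("sf:userPermissions", NS):
        name = perm.findtext("sf:name", default="", namespaces=NS)
        if name in RISKY_USER_PERMS and is_true(perm, "enabled"):
            findings.append(("high", name, "user permission enabled"))
    return findings

if __name__ == "__main__":
    for severity, subject, detail in audit_guest_profile(SAMPLE_PROFILE):
        print(f"{severity:6} {subject:12} {detail}")
```

Object permissions are only one layer of guest exposure; "review" findings still need their sharing settings checked before they can be considered safe.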
Looking ahead, organizations must remain vigilant against such cyber threats, with a focus on securing their platforms and training staff to recognize and thwart social engineering tactics.
