A renewed cyberattack campaign on Salesforce by the cybercrime group ShinyHunters highlights a key consideration for security teams. Simple configuration mistakes can expose enterprise data—at scale.
As this recent campaign unfolded, Salesforce warned customers about attackers abusing guest-user configurations for Experience Cloud—a platform for creating branded, CRM-connected websites, portals, and apps for customers, partners, and employees. Any overly permissive configurations could allow attackers to gain unintended access to sensitive information.
“Salesforce warned that a known threat actor was mass-scanning and extracting data using a modified version of Mandiant's open-source AuraInspector tool,” explained Jason Soroko, Senior Fellow at Sectigo. “ShinyHunters subsequently took to their dark web extortion portal to claim responsibility for this Salesforce Aura Campaign. Organizations should understand that this is not an inherent platform vulnerability but the exploitation of overly-permissive guest user profiles on publicly accessible Experience Cloud sites.”
Identities, Integrations, and Configurations Offer Prime Targets
According to Salesforce, the incidents are not the result of flaws in the Experience Cloud platform. The breaches have occurred, rather, because of misconfigurations, phishing, and insecure third-party integrations that attackers exploited to expand their reach. ShinyHunters then used stolen contact information to launch follow-on intrusions and extortion attempts.
The campaign thus illustrates a growing pattern in modern cyberattacks: threat actors increasingly combine technical reconnaissance with social engineering to turn small missteps into large-scale data breaches.
The situation also underscores a broader shift in the cybersecurity landscape. Rather than focusing solely on breaking software defenses, attackers target the gray areas of enterprise security—identity systems, integrations, and configuration settings.
ShinyHunters Claims Hundreds of Victims
ShinyHunters, which is known for large-scale data theft and leak-site extortion tactics, has posted screenshots suggesting its campaign breached approximately 400 websites and 100 high-profile organizations. Here’s a breakdown of how the attack chain progressed:
- Misconfigured Guest Access—Experience Cloud guest-user settings allowed broader access than intended.
- Data Harvesting—Attackers obtained contact data and internal information from exposed systems.
- Social Engineering—Attackers used the stolen data to craft convincing phishing campaigns.
- Network Intrusion and Data Theft—Follow-on attacks led to deeper access and potential data exfiltration.
“While the attack occurs in a SaaS platform, the methodology closely mirrors traditional lateral movement inside enterprise networks,” pointed out Louis Eichenbaum, the Federal CTO at ColorTokens. “Adversaries can identify accessible resources, traverse relationships between data objects, and progressively expand access until valuable information can be extracted.”
Cloud Platform Management Plays Critical Security Role
As cloud platforms become the backbone of digital operations, the renewed ShinyHunters campaign is a reminder that security responsibility extends beyond vendors. Organizations must also consider how they deploy and manage their cloud platforms.
“The activity being reported centers on how guest user access is configured in public-facing Experience Cloud environments,” said Shane Barney, Chief Information Security Officer at Keeper Security. “When a guest profile is granted broader permissions than necessary, it can allow unauthenticated users to access data that was never intended to be public. That is a configuration exposure rather than a flaw in the underlying platform.”
“Platform ecosystems are notoriously hard to secure because the way they’re compromised is not easily scanned for using automation,” added Trey Ford, Chief Strategy and Trust Officer at Bugcrowd. “This is specifically because these application stacks use non-human identities and have deep integrations with other software and data platforms. Trust relationships, and long-lived and poorly monitored credentials grant access to treasure troves of systems and data.”
Guidance for Salesforce Customers
Cloud platforms are secure by design, but the configurations determine the real-world risk. That means IT teams must make identity and access management central to their cybersecurity defense strategies. They should also treat configuration governance as part of their security posture.
As for the Experience Cloud platform, Salesforce recommends several actions:
- Review guest-user permissions.
- Restrict public access to sensitive data.
- Audit integrations and API connections.
- Monitor unusual access activity.
“Security teams should consider two levels of protection right now,” said Vincenzo Iozzo, CEO and Co-founder at SlashID. “The first and most impactful step is to verify and disable API access on guest user profiles across all of your Salesforce tenants. If that's not possible (because the site's functionality depends on it), the second option is to minimize the access guest profiles have to Salesforce Objects—particularly sensitive ones like cases, which can contain secrets or other sensitive data that attackers can use to move laterally.”
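The two checks described above (is API access enabled on guest profiles, and which objects can guests read or modify) can be turned into a repeatable audit. The script below is an added example, not code from Salesforce or from any of the people quoted here. It assumes the field names Salesforce exposes on the Profile and ObjectPermissions objects (UserType, PermissionsApiEnabled, SobjectType, PermissionsRead/Create/Edit/Delete) and the SOQL queries named in the comments; the records it runs over are constructed sample data in the shape of a REST query result, so it runs offline. The set of "sensitive" objects is a starting point drawn from the article (cases, contact data) and is an assumption to extend for your own data model.

```python
"""Audit Salesforce guest-user profiles for overly permissive settings.

Added defender example. Field names and SOQL are assumptions based on the
Salesforce object model; confirm them against your API version. All records
below are CONSTRUCTED sample data, not output from a real tenant.
"""
from dataclasses import dataclass

# Objects the article singles out as high value for attackers (assumption; extend as needed).
SENSITIVE_OBJECTS = frozenset({"Case", "Contact", "Lead", "Account", "User"})

# Constructed sample, shaped like the result of (assumed SOQL):
#   SELECT Id, Name, UserType, PermissionsApiEnabled FROM Profile WHERE UserType = 'Guest'
GUEST_PROFILES = {
    "records": [
        {"Id": "00eXXPROFILE0001", "Name": "Customer Portal Guest User",
         "UserType": "Guest", "PermissionsApiEnabled": True},
        {"Id": "00eXXPROFILE0002", "Name": "Partner Site Guest User",
         "UserType": "Guest", "PermissionsApiEnabled": False},
    ]
}

# Constructed sample, shaped like the result of (assumed SOQL):
#   SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsCreate,
#          PermissionsEdit, PermissionsDelete
#   FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
GUEST_OBJECT_PERMS = {
    "records": [
        {"Parent": {"ProfileId": "00eXXPROFILE0001"}, "SobjectType": "Case",
         "PermissionsRead": True, "PermissionsCreate": True,
         "PermissionsEdit": False, "PermissionsDelete": False},
        {"Parent": {"ProfileId": "00eXXPROFILE0001"}, "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsCreate": False,
         "PermissionsEdit": False, "PermissionsDelete": False},
        {"Parent": {"ProfileId": "00eXXPROFILE0002"}, "SobjectType": "FAQ__c",
         "PermissionsRead": True, "PermissionsCreate": False,
         "PermissionsEdit": False, "PermissionsDelete": False},
        {"Parent": {"ProfileId": "00eXXPROFILE0002"}, "SobjectType": "Case",
         "PermissionsRead": False, "PermissionsCreate": True,
         "PermissionsEdit": False, "PermissionsDelete": False},
    ]
}


@dataclass(frozen=True)
class Finding:
    profile: str
    severity: str   # "HIGH" or "MEDIUM"
    sobject: str    # empty string for profile-level findings
    message: str


def audit_guest_profiles(profiles_result, perms_result, sensitive=SENSITIVE_OBJECTS):
    """Return findings for guest profiles with API access or risky object permissions."""
    profiles = {rec["Id"]: rec for rec in profiles_result["records"]
                if rec.get("UserType") == "Guest"}
    findings = []
    # Check 1: API access on a guest profile (the first step in the quote above).
    for prof in profiles.values():
        if prof.get("PermissionsApiEnabled"):
            findings.append(Finding(prof["Name"], "HIGH", "",
                                    "API Enabled on guest profile; disable unless the site requires it"))
    # Check 2: object-level access granted to the guest profile.
    for rec in perms_result["records"]:
        prof = profiles.get(rec["Parent"]["ProfileId"])
        if prof is None:
            continue  # not a guest profile, out of scope for this audit
        name, obj = prof["Name"], rec["SobjectType"]
        if rec.get("PermissionsRead") and obj in sensitive:
            findings.append(Finding(name, "HIGH", obj, f"guest Read on sensitive object {obj}"))
        writes = [k[len("Permissions"):] for k in ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
                  if rec.get(k)]
        if writes:
            findings.append(Finding(name, "MEDIUM", obj, f"guest write access on {obj}: {', '.join(writes)}"))
    return sorted(findings, key=lambda f: (f.profile, f.severity != "HIGH", f.sobject))


def format_report(findings):
    """Render findings as one line each, suitable for a ticket or a CI log."""
    return "\n".join(f"[{f.severity}] {f.profile}: {f.message}" for f in findings)


if __name__ == "__main__":
    print(format_report(audit_guest_profiles(GUEST_PROFILES, GUEST_OBJECT_PERMS)))
```

In practice you would replace the two constructed dictionaries with the JSON returned by your org's query endpoint for each tenant, run the audit per tenant, and treat any HIGH finding on a public Experience Cloud site as a change request: disable API access first, then trim Read on objects such as Case down to what the site's pages actually need.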
The Evolution of Modern Cybercrime
The ShinyHunters campaign reflects a wider trend toward exploiting operational gaps rather than technical flaws. As threat actors blend technical exploits with social engineering, attacks increasingly target identity and access rather than pure software vulnerabilities.
These attacks can make it possible for threat actors to steal contact data, such as names, emails, phone numbers, and credentials. This, in turn, facilitates scaling attacks by enabling targeted phishing, AI-driven scams, and automated account takeovers.
To take on this challenge, vendors and their customers must share security responsibility in the cloud. And as SaaS adoption grows, configuration hygiene becomes a critical frontline defense.
This is particularly true in the cloud, where platforms are increasingly complex and include third-party integrations that expand attack surfaces. As a result, future security measures will depend heavily on how well organizations configure their access controls.