ShinyHunters Claims 100 High-Profile Victims in Salesforce Data Heist Using Modified Mandiant Tool to Exploit Experience Cloud Misconfigurations
The ShinyHunters extortion gang claims to have stolen data from approximately 100 high-profile companies — including Salesforce itself, Snowflake, Okta, LastPass, Sony, and AMD — in a months-long campaign exploiting misconfigured Salesforce Experience Cloud sites using a weaponized version of an open-source tool originally developed by Mandiant for defensive purposes.
Salesforce confirmed the activity on Saturday, warning that a "known threat actor group" is actively scanning for and breaking into public-facing Experience Cloud sites, though it declined to name ShinyHunters or confirm the number of affected customers.
"This issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions," Salesforce stated.
Defensive Tool Turned Offensive
The attack hinges on AuraInspector, an open-source tool released by Mandiant in January 2026 to help Salesforce administrators detect misconfigurations within the Salesforce Aura framework that could expose sensitive data. The tool probes the /s/sfsites/aura API endpoint to identify vulnerable objects.
ShinyHunters modified the tool for offensive use, telling The Register: "I fixed Google's broken code so it can work in my use case to identify vulnerable targets, subsequently I made an entirely different tool to bypass the Guest User 2,000 limit and exfiltrate all available Salesforce Object records on a vulnerable target."
The modified version goes beyond scanning — it actively exploits overly permissive guest user settings to extract CRM data at scale, bypassing Salesforce's default 2,000-record limit for guest user queries.
Mandiant Consulting CTO Charles Carmakal confirmed awareness of the abuse, stating Mandiant is working with Salesforce to provide detection rules and telemetry.
How the Attack Works
Salesforce Experience Cloud sites serve as portals into CRM databases, allowing customers, partners, and employees to interact with data. Each publicly accessible site uses a guest user profile that allows unauthenticated users to view public pages, FAQs, or submit forms.
The attack chain:
- Mass scanning — ShinyHunters uses the modified AuraInspector to scan public-facing Experience Cloud sites for misconfigured guest user profiles
- Permission exploitation — where guest profiles have been configured with excessive permissions, attackers can directly query Salesforce CRM objects without authentication
- Data exfiltration — using their custom bypass tool, attackers extract all available object records beyond the standard 2,000-record guest user limit
- Follow-on attacks — stolen data including names and phone numbers feeds ShinyHunters' specialty: social engineering and voice phishing campaigns
Scope and Claimed Victims
ShinyHunters claims to have "stolen data from almost 400 websites and about 100 essential high-profile companies" with reconnaissance and exploitation running for several months. Named victims include:
- Salesforce
- Snowflake
- Okta
- LastPass
- Sony
- AMD
LastPass confirmed awareness of the campaign and said it is "actively working with contacts at Salesforce to investigate," while stating there is no evidence linking it to a separate recent phishing campaign. Other named companies have not yet responded.
This is the latest in a sustained ShinyHunters campaign against Salesforce customers that has claimed 200+ victims over the past year, following the group's high-profile 2024 Snowflake customer database intrusions.
Defender Recommendations
- Audit guest user permissions immediately — enforce least privilege, restricting access to the absolute minimum objects and fields required
- Set default external access to "Private" — navigate to Setup → Sharing Settings and ensure all objects default to private for external users
- Disable guest API access — uncheck "Allow guest users to access public APIs" in site settings
- Remove API permissions from guest profiles — uncheck "API Enabled" in the guest user profile's System Permissions
- Monitor for AuraInspector scanning — review logs for automated probing of the /s/sfsites/aura endpoint from external IPs
- Review object-level permissions — ensure no CRM objects containing PII, financial data, or internal records are accessible to guest user profiles
- Prepare for social engineering follow-up — any organization whose Salesforce data may have been exposed should warn employees about targeted vishing and phishing using the stolen information
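The following Python script is an added example illustrating two of the checks in the list above (the guest profile audit and the monitoring for probing of the /s/sfsites/aura endpoint); it is not code from the article, from Mandiant's AuraInspector, or from Salesforce. The guest profile record, the allow-list of objects a public site may expose, the internal IP ranges, and the access-log lines are all constructed for this example, and the log format is a generic one-line-per-request shape rather than Salesforce's own event log export. Function and constant names (audit_guest_profile, detect_aura_probing, GUEST_PROFILE, ALLOWED_GUEST_OBJECTS, INTERNAL_NETS) are assumptions of this example.

```python
"""Defender checks for Experience Cloud guest user exposure (added example).

Assumptions: the profile data and log lines below are constructed; field names
only loosely echo Salesforce's ObjectPermissions / PermissionSet objects.
"""
import re
import ipaddress
from collections import defaultdict
from datetime import datetime

# --- Check 1: guest user profile audit (least privilege) ---------------------
# Constructed sample guest profile: one row per object with its read/view-all state.
GUEST_PROFILE = {
    "name": "Customer Community Guest Profile",  # constructed name
    "api_enabled": True,  # the "API Enabled" system permission on the profile
    "object_permissions": [
        {"sobject": "Knowledge__kav", "read": True, "view_all": False},
        {"sobject": "Contact", "read": True, "view_all": True},
        {"sobject": "Opportunity", "read": True, "view_all": False},
        {"sobject": "Case", "read": False, "view_all": False},
    ],
}

# Objects a public site legitimately needs (assumption for this org); any other
# readable object is a finding.
ALLOWED_GUEST_OBJECTS = {"Knowledge__kav"}
# Objects that commonly hold PII or financial data (illustrative, not exhaustive).
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Opportunity", "Case", "User"}


def audit_guest_profile(profile):
    """Return a list of (severity, message) findings for a guest user profile."""
    findings = []
    if profile["api_enabled"]:
        findings.append(("high", "API Enabled is set on the guest profile; remove it"))
    for perm in profile["object_permissions"]:
        if not perm["read"]:
            continue  # objects the guest cannot read are not exposed
        obj = perm["sobject"]
        if obj in SENSITIVE_OBJECTS:
            findings.append(("high", f"guest can read sensitive object {obj}"))
        elif obj not in ALLOWED_GUEST_OBJECTS:
            findings.append(("medium", f"guest can read non-allow-listed object {obj}"))
        if perm["view_all"]:
            findings.append(("high", f"View All on {obj} bypasses sharing rules for guests"))
    return findings


# --- Check 2: detect automated probing of /s/sfsites/aura --------------------
AURA_PATH = "/s/sfsites/aura"
# Generic constructed log shape: "<ip> <iso-timestamp> <method> <path> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption: the org's own ranges


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_aura_probing(log_text, threshold=20, window_seconds=60):
    """Return {ip: peak_count} for external IPs that hit the aura endpoint at
    least `threshold` times within any `window_seconds` span."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected shape
        ip, ts, _method, path, _status = m.groups()
        if not path.startswith(AURA_PATH) or not is_external(ip):
            continue
        hits[ip].append(datetime.fromisoformat(ts.replace("Z", "+00:00")))
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):  # sliding window over sorted timestamps
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def build_sample_log():
    """Constructed log: one external scanner, one internal admin run, one normal visitor."""
    lines = [f"203.0.113.7 2026-03-01T10:00:{i:02d}Z POST {AURA_PATH} 200" for i in range(30)]
    lines += [f"10.0.0.5 2026-03-01T10:05:{i:02d}Z POST {AURA_PATH} 200" for i in range(25)]
    lines += [f"198.51.100.9 2026-03-01T10:10:{i:02d}Z POST {AURA_PATH} 200" for i in (0, 20, 45)]
    lines.append("198.51.100.9 2026-03-01T10:10:50Z GET /s/ 200")
    return "\n".join(lines)


if __name__ == "__main__":
    for severity, msg in audit_guest_profile(GUEST_PROFILE):
        print(f"[{severity}] {msg}")
    print("probing sources:", detect_aura_probing(build_sample_log()))
```

Running the script lists four high-severity findings for the constructed profile (API Enabled, readable Contact and Opportunity objects, and View All on Contact) and flags 203.0.113.7 with 30 aura requests inside one minute, while the internal address is ignored and the ordinary visitor stays below the threshold. The window threshold is a starting point; tune it against a baseline of how often a legitimate page load calls the aura endpoint on your site.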