Salesforce Aura Data Breach: ShinyHunters Claims Ongoing Attacks


Salesforce’s Experience Cloud Platform Hit by Data Theft Attacks

A notorious cybercrime group has claimed responsibility for a series of data theft attacks targeting Salesforce’s Experience Cloud platform, specifically exploiting vulnerabilities in Aura instances.

ShinyHunters Claims Responsibility

The group, known as ShinyHunters, asserts that it has compromised the data of 300-400 companies, primarily in the cybersecurity sector, by exploiting misconfigured guest user profiles that allow unauthorized access to CRM data without login credentials.

According to ShinyHunters, the attacks began in September 2025, when the group started scanning public /s/sfsites/aura endpoints to identify misconfigured sites.

Exploiting Vulnerabilities

The group modified an open-source tool, AuraInspector, originally designed for administrators to detect data exposure, to conduct mass scanning and reconnaissance.

This tool queries GraphQL APIs, bypassing the 2,000-record limit using the sortBy parameter to extract sensitive data, including personally identifiable information (PII) and financial records.

Extractor Tool

ShinyHunters then deployed a custom extractor, dubbed RapeForceV2.01.39 (AGENTIC), which mimics Snowflake attacks (RapeFlake).

The group claims to have recently discovered a new vulnerability affecting even properly configured instances, using standard browser user agents.

Salesforce Response

Salesforce has issued urgent advisories to customers, urging them to audit and secure their configurations.

The company attributes the breaches to overly permissive guest user profiles in Experience Cloud, where unauthenticated visitors can query CRM objects if API access is enabled.

Salesforce recommends that customers take immediate action to minimize guest user permissions, disable API access on guest profiles, set organization-wide defaults to Private, and turn off Portal/Site User Visibility.
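To turn those recommendations into a repeatable audit, here is an added example (not from the article, from Salesforce, or from the tooling it describes) that flags guest profiles which combine object read access with API Enabled or with a non-Private external org-wide default. The SOQL queries, field names and sample rows are assumptions; the rows are constructed so the check runs offline, and the Portal/Site User Visibility setting is not covered because it is changed in Sharing Settings rather than through these objects.

```python
"""Audit Salesforce Experience Cloud guest-profile exposure (added example).

Assumed: rows are JSON records as the Salesforce REST API returns them for the
SOQL in SOQL_QUERIES; here they are constructed samples so this runs offline.
"""

# Assumed queries; verify the fields exist in your org's API version.
SOQL_QUERIES = {
    "object_perms": ("SELECT SObjectType, PermissionsRead, Parent.Profile.Name, "
                     "Parent.PermissionsApiEnabled FROM ObjectPermissions "
                     "WHERE Parent.Profile.UserType = 'Guest'"),
    "sharing": "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition",
}

# Constructed sample rows: one guest profile with API Enabled and Contact read,
# one guest profile with Case read only, and one row without read access.
SAMPLE_OBJECT_PERMS = [
    {"SObjectType": "Contact", "PermissionsRead": True,
     "Parent": {"PermissionsApiEnabled": True,
                "Profile": {"Name": "Support Site Guest User"}}},
    {"SObjectType": "Case", "PermissionsRead": True,
     "Parent": {"PermissionsApiEnabled": False,
                "Profile": {"Name": "Partner Site Guest User"}}},
    {"SObjectType": "Account", "PermissionsRead": False,
     "Parent": {"PermissionsApiEnabled": True,
                "Profile": {"Name": "Support Site Guest User"}}},
]
SAMPLE_SHARING = [  # constructed external org-wide defaults per object
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Account", "ExternalSharingModel": "Read"},
]


def audit_guest_exposure(object_perms, sharing):
    """Return (profile, object, issue) tuples for risky guest-profile settings."""
    external_owd = {r["QualifiedApiName"]: r["ExternalSharingModel"] for r in sharing}
    findings = []
    for row in object_perms:
        if not row["PermissionsRead"]:
            continue  # no object read access, so nothing is queryable
        obj, parent = row["SObjectType"], row["Parent"]
        profile = parent["Profile"]["Name"]
        # Read access plus API Enabled lets unauthenticated visitors query the object.
        if parent["PermissionsApiEnabled"]:
            findings.append((profile, obj, "guest read access with API Enabled"))
        # Guest record access also follows the external OWD; anything but Private widens it.
        owd = external_owd.get(obj)
        if owd and owd != "Private":
            findings.append((profile, obj, f"external org-wide default is {owd}"))
    return findings
```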

Charles Carmakal, CTO of Mandiant, confirmed that ShinyHunters had misused the AuraInspector tool, but noted that scanning alone does not necessarily imply compromise.

Implications and Recommendations

The campaign has significant implications, endangering CRM data across high-profile targets.

ShinyHunters boasts of having breached the data of 100 notable firms.

Disabling public access to Salesforce sites can help prevent similar attacks.

Companies are advised to review their Aura configurations and implement the recommended security measures to prevent unauthorized access to their CRM data.

Importance of Security Measures

Salesforce’s Experience Cloud platform is widely used by companies to manage customer relationships and interactions.

The vulnerability exploited by ShinyHunters highlights the importance of proper configuration and security measures to prevent data breaches.

Companies are urged to take immediate action to secure their Experience Cloud instances and protect their sensitive data.
