Ethical Hacking News
In recent months, ShinyHunters has been actively exploiting a bug in the Salesforce Aura platform to steal sensitive data from misconfigured Experience Cloud instances. This new threat vector has resulted in multiple high-profile companies being compromised, with estimates suggesting that over 300 organizations have fallen victim to these attacks. In this article, we will explore the specifics of the attack, the measures being taken by Salesforce to address it, and provide recommendations for organizations using Experience Cloud to defend against these attacks.
The ShinyHunters extortion gang has been exploiting a bug in the Salesforce Aura platform to steal sensitive data from misconfigured Experience Cloud instances. The malicious activities began in September 2025, targeting companies with insecure Experience Cloud access control configurations for guest users. A recently released open-source auditing tool called AuraInspector helps identify access control misconfigurations within the Salesforce Aura framework. ShinyHunters modified the code to bypass a 2,000 record query restriction and steal data from Aura instances even when properly configured. Salesforce has issued a warning to its customers to defend against these attacks by auditing guest user permissions and taking other measures. ShinyHunters claims responsibility for the data theft attacks, compromising around 100 high-profile companies and possibly up to 400 organizations in total.
Salesforce is taking a proactive approach to defend its customers against the ongoing data theft attacks attributed to the ShinyHunters extortion gang. According to recent reports, these cybercriminals have been exploiting a newly discovered bug in the Salesforce Aura platform to steal sensitive data from misconfigured Experience Cloud instances.
The malicious activities began in September 2025, when ShinyHunters started targeting companies with insecure Experience Cloud access control configurations for guest users. The hackers identified exposed Aura instances by scanning the internet for the /s/sfsites/ endpoint, a vulnerability that has since been patched by Salesforce. This did not deter the attackers, however, who soon discovered an alternative method to bypass the 2,000 record query restriction imposed on the GraphQL API.
In January 2026, Mandiant released AuraInspector, an open-source auditing tool designed to help administrators identify access control misconfigurations within the Salesforce Aura framework. ShinyHunters, however, modified the code for additional reconnaissance purposes and began using it as a variant of the original tool to perform mass scanning of public-facing Experience Cloud sites.
The newly developed attack vector uses a modified user agent string, "Anthropic/RapeForceV2.01.39 (AGENTIC)", which bears a striking resemblance to the infamous "RapeFlake" tool used during the Snowflake data theft attacks. This user agent identifies the attackers' own custom-built tool, which can bypass the 2,000 record query restriction and steal data from Aura instances even when they are properly configured.
In light of this new threat, Salesforce has issued a warning to its customers, advising them to take immediate action to defend against these attacks. The company recommends that administrators audit guest user permissions and reduce them to the minimum required, set org-wide defaults to Private for external access, turn off Portal User Visibility and Site User Visibility, disable self-registration unless truly needed, and review Aura Event Monitoring logs for unusual access patterns.
ShinyHunters claims responsibility for the ongoing data theft attacks, stating that they compromised around 100 high-profile companies, many of them in the cybersecurity sector. The total count of breached organizations is believed to be between 300 and 400. According to BleepingComputer, which obtained information from the threat actors, ShinyHunters began their campaign by exploiting a publicly exposed Salesforce Experience site that accepts a "guest user profile" for anonymous, unauthenticated visitors with access to data intended to be public.
To mitigate this risk, Salesforce advises customers to disable guest access to public APIs and remove the API Enabled setting from the guest profile. This change would significantly reduce the potential attack surface for attackers but may also render the website inaccessible to legitimate users.
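The guest-profile and sharing checks recommended above (audit guest permissions, set external org-wide defaults to Private, remove API Enabled from the guest profile) can be run against retrieved metadata. The following is an added example, not Salesforce's tooling or Mandiant's AuraInspector; it parses Salesforce Metadata API Profile and CustomObject XML, and the sample XML embedded below is constructed for illustration.

```python
"""Audit a guest user profile and object sharing metadata for the weak
settings discussed in the article (example code, not Salesforce's own)."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a guest profile with API access and broad read rights.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <objectPermissions><allowRead>true</allowRead><viewAllRecords>true</viewAllRecords>
    <object>Contact</object></objectPermissions>
  <objectPermissions><allowRead>true</allowRead><viewAllRecords>false</viewAllRecords>
    <object>Knowledge__kav</object></objectPermissions>
  <userPermissions><enabled>true</enabled><name>ApiEnabled</name></userPermissions>
</Profile>"""

# Constructed sample: an object whose external (guest) sharing is not Private.
CONTACT_OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
  <externalSharingModel>Read</externalSharingModel>
  <sharingModel>ReadWrite</sharingModel>
</CustomObject>"""


def _text(node, tag):
    """Return the text of a namespaced child element, or None if absent."""
    el = node.find(f"m:{tag}", NS)
    return el.text if el is not None else None


def audit_guest_profile(profile_xml):
    """Flag API access and any object read rights granted to the guest profile."""
    root = ET.fromstring(profile_xml)
    findings = []
    for perm in root.findall("m:userPermissions", NS):
        if _text(perm, "name") == "ApiEnabled" and _text(perm, "enabled") == "true":
            findings.append("ApiEnabled is set on the guest profile")
    for op in root.findall("m:objectPermissions", NS):
        obj = _text(op, "object")
        if _text(op, "allowRead") == "true":
            findings.append(f"guest can read {obj}")
        if _text(op, "viewAllRecords") == "true":
            findings.append(f"guest has View All Records on {obj}")
    return findings


def audit_external_sharing(object_name, object_xml):
    """Flag objects whose external org-wide default is anything but Private."""
    model = _text(ET.fromstring(object_xml), "externalSharingModel")
    if model != "Private":
        return [f"{object_name}: externalSharingModel is {model}, expected Private"]
    return []
```

Run the two functions over every retrieved `.profile-meta.xml` assigned to a guest user and every `.object-meta.xml`; an empty result for both is the baseline the article's guidance describes.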
While Salesforce remains confident in its platform's security, acknowledging that this issue is not due to any inherent vulnerability within the company, it has taken steps to address the misconfigured Experience Cloud instances that have been exploited by ShinyHunters. The vendor emphasizes the importance of adopting the principle of least privilege and encourages administrators to implement these measures promptly.
It is essential for organizations using Salesforce Experience Cloud to take proactive steps to secure their platforms against this new attack vector. By following the recommended guidelines, customers can significantly reduce the risk of falling victim to these attacks. However, it is also crucial to note that there may be a previously undiscovered vulnerability in Salesforce's platform that ShinyHunters has identified.
To further understand this situation and the potential implications for organizations using Salesforce Experience Cloud, we must delve deeper into the specifics of the attack vector, its capabilities, and the measures being taken by the company to address it. In this article, we will provide a comprehensive analysis of the ongoing Salesforce Aura data theft attacks attributed to ShinyHunters.
Related Information:
https://www.ethicalhackingnews.com/articles/The-ShinyHunters-Saga-Uncovering-the-Salesforce-Aura-Data-Theft-Attacks-ehn.shtml
https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/
https://www.salesforceben.com/fbi-issues-salesforce-instance-warning-over-shinyhunters-data-theft/
Published: Mon Mar 9 12:51:15 2026 by llama3.2 3B Q4_K_M