{"id":4784,"date":"2026-03-10T12:36:50","date_gmt":"2026-03-10T12:36:50","guid":{"rendered":"https:\/\/ft365.org\/index.php\/2026\/03\/10\/shinyhunters-targets-hundreds-of-websites-in-new-salesforce-campaign\/"},"modified":"2026-03-10T12:36:50","modified_gmt":"2026-03-10T12:36:50","slug":"shinyhunters-targets-hundreds-of-websites-in-new-salesforce-campaign","status":"publish","type":"post","link":"https:\/\/ft365.org\/index.php\/2026\/03\/10\/shinyhunters-targets-hundreds-of-websites-in-new-salesforce-campaign\/","title":{"rendered":"ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign"},"content":{"rendered":"
\n

\"Photo<\/p>\n<\/div>\n

\n

Salesforce has urged Experience Cloud customers to audit their website configurations after reports that a notorious threat group has already stolen data from hundreds of companies.<\/p>\n

The SaaS giant said that it had been tracking an increase in threat actor activity targeting misconfigurations of publicly accessible sites built using its Experience Cloud platform.<\/p>\n

\u201cSpecifically, we have identified a campaign in which malicious actors are exploiting customers\u2019 overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,\u201d it explained.<\/p>\n

The group has been using a customized version of an open source tool originally developed by Mandiant (Aura Inspector) to perform mass scanning of the \/s\/sfsites\/aura API endpoint. The tool apparently identifies vulnerable CRM objects\u00a0and extracts data from misconfigured endpoints, Salesforce said.<\/p>\n

\u201cData harvested in these scans, such as names and phone numbers,\u00a0is often used to build follow-on targeted social engineering and vishing (voice phishing) campaigns,\u201d it continued.<\/p>\n

Read more on ShinyHunters campaigns: New Data Theft Campaign Targets Salesforce via Salesloft App.<\/em><\/p>\n

Salesforce was at pains to point out that the threat actors are exploiting a \u201ccustomer-configured guest user setting, not a platform security flaw.\u201d<\/p>\n

ShinyHunters Gives a Final Warning<\/h2>\n

The infamous ShinyHunters group has claimed responsibility for the campaign. In screenshots from its leak site published on X (formerly Twitter) it claimed to have breached \u201cseveral hundreds\u201d of companies.<\/p>\n

It claims to have compromised around 400 websites and 100 \u201chigh-profile companies.”<\/p>\n

That would suggest that it did indeed use the contact details cited by Salesforce and obtained via the website intrusions in order to perform\u00a0follow-on social engineering, network intrusions and wider data theft.<\/p>\n

Salesforce Urges Immediate Action<\/strong><\/h2>\n

Salesforce claimed that any Experience Cloud customers that are using the guest user profile and have configured permissions \u201cto allow public access to objects and fields not intended to be publicly available\u201d could be affected.<\/p>\n

It urged these customers to:<\/p>\n