Salesforce has issued a warning to its customers regarding a new data theft and extortion campaign orchestrated by the notorious cybercrime group, ShinyHunters.

Since mid-2025, ShinyHunters has been actively targeting various organizations' Salesforce instances using social engineering tactics and other exploitative methods.

Last year's incidents attributed to ShinyHunters resulted in millions of sensitive data records being compromised and subsequently leaked.

Salesforce stated that these data breaches stemmed from phishing attacks, the misuse of third-party integrations, or misconfigurations, rather than from any inherent vulnerabilities in their products or systems.

In a recent blog post dated March 7, Salesforce alerted customers about ongoing attacks that exploit misconfigurations and publicly accessible sites.

“We have identified a campaign wherein malicious actors are taking advantage of customers’ overly permissive Experience Cloud guest user configurations to access more data than the targeted organizations intended,” Salesforce explained.

“It is crucial to emphasize that Salesforce remains secure, and this situation is not attributable to any vulnerability within our platform. Our ongoing investigation confirms that this activity relates to a customer-configured guest user setting, not a security flaw in our system,” they added.

Furthermore, Salesforce revealed that the threat actor has misused a modified version of an open-source tool called Aura Inspector, which was originally developed by Mandiant for auditing Salesforce Aura instances and identifying data exposures.

“While the original Aura Inspector is restricted to identifying vulnerable objects by probing specific API endpoints exposed by these sites (namely the /s/sfsites/aura endpoint), the actor has created a custom version of the tool capable of not only identifying but also extracting data—by exploiting overly permissive guest user settings,” Salesforce elaborated.

Although Salesforce has not publicly named the threat actor, the ShinyHunters group has claimed responsibility for the attack, asserting that they targeted “several hundreds of companies” as part of their so-called ‘Salesforce Aura Campaign’.

The cybercriminal organization has threatened to publish the stolen information from the Salesforce instances of companies that fail to meet their extortion demands.

Related Topics: Wynn Resorts Confirms Data Breach After Hackers Remove It From Leak Site.

Related Topics: ShinyHunters-Branded Extortion Activity Expands, Escalates.

Related Topics: Hackers Extorting Salesforce After Stealing Data From Dozens of Customers.

As the situation develops, it remains imperative for Salesforce users to review their guest user configurations and implement stricter security controls to safeguard against such cyber threats.

Source: SecurityWeek News