ShinyHunters claims it's behind ongoing Salesforce Aura data theft assault, warns more attacks to come
Salesforce says no bugs being exploited
- ShinyHunters claim Salesforce Aura data theft
- Attackers exploited misconfigured guest user permissions
- Roughly 100 high-profile organizations reportedly impacted
Infamous ransomware operators ShinyHunters have claimed they are behind the ongoing Salesforce Aura data theft assault, and have warned that more attacks are to come.
Starting in September 2025, the crooks spent several months scanning public-facing Salesforce Experience Cloud instances, a platform that lets organizations build web portals connected directly to their Salesforce CRM data.
For the scanning, they used a modified version of AuraInspector, a misconfiguration detection tool originally developed by Mandiant. The tool probed exposed API endpoints to identify portals where guest user profiles had excessive permissions.
After identifying vulnerable sites, the attackers used a separate, unnamed custom tool to bypass the guest user record limits and extract Salesforce CRM data without authentication. The stolen information, including names and phone numbers, was then used for follow-on social engineering and voice phishing campaigns.
Speaking to The Register, a spokesperson for the hacking collective confirmed that roughly 100 high-profile organizations were affected by this campaign:
"Have stolen data from almost 400 websites and about 100 essential high profile companies Snowflake, Okta, Lastpass, Salesforce itself, Sony, AMD, and a lot more," the person allegedly said. Recon and exploitation “has been going on for several months now," they added.
This past weekend, Salesforce warned its customers about a “known threat actor group” that was actively scanning public-facing Experience Cloud sites. It did not want to say how many companies fell victim, or how much data was stolen, but it did say that the crooks were not exploiting a vulnerability:
"This issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions," a representative said.
However, the group apparently told CyberInsider it was indeed exploiting a flaw in the product. “However, they have decided not to disclose any details about the flaw until the exploitation phase is over,” the publication claims.
So far, the companies ShinyHunters mentioned are keeping quiet, with the exception of LastPass, which said it was looking into the claims.

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.