Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign

"We have identified a campaign in which malicious actors are exploiting customers' overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended. It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform."
"While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data - exploiting overly permissive guest user settings."
"Since mid-2025, ShinyHunters has been targeting the Salesforce instances of many organizations using social engineering and other tactics. According to Salesforce, all the data breaches were the result of phishing, abuse of third-party integrations, or misconfigurations rather than vulnerabilities in its products or systems."
ShinyHunters has been targeting Salesforce customers since mid-2025 and has launched a new campaign that relies on misconfigurations and social engineering rather than platform vulnerabilities. Salesforce confirmed that the breaches result from phishing, third-party integration abuse, and improper configurations. The threat actors exploit overly permissive Experience Cloud guest user settings to access more data than the targeted organizations intended. They use a modified version of Aura Inspector, an open-source auditing tool, enhanced to extract data rather than only identify vulnerable objects. Salesforce emphasizes that its platform remains secure and that the incidents stem from customer configuration issues rather than inherent security flaws.
Read at SecurityWeek