Cybercrime group ShinyHunters has claimed responsibility for ongoing data theft attacks targeting Salesforce’s Experience Cloud platform, specifically vulnerabilities in Aura instances. The hackers assert they have compromised 300-400 companies, particularly in the cybersecurity sector, by exploiting misconfigured guest user profiles that allow unauthorized access to CRM data without login credentials. Salesforce has issued urgent advisories urging customers to audit and secure their configurations, emphasizing that the issue stems from customer-side settings rather than platform flaws.
Attack Techniques and Tools
ShinyHunters began exploiting these issues in September 2025, scanning public /s/sfsites/aura endpoints to identify misconfigured sites. They modified Mandiant’s open-source tool AuraInspector—originally designed for admins to detect data exposure—for mass scanning and reconnaissance. This tool queries GraphQL APIs, bypassing the 2,000-record limit using the sortBy parameter to extract sensitive data like PII and financial records.
The group then deployed a custom extractor called RapeForceV2.01.39 (AGENTIC) with a user agent mimicking Snowflake attacks (RapeFlake). Recently, they claim to have found a new vulnerability affecting even properly configured instances, using standard browser user agents like Mozilla/5.0 (Windows NT 10.0…). Salesforce patched the GraphQL bypass, but the latest claims remain unverified.
Salesforce Security Recommendations
Salesforce attributes the breaches to overly permissive guest user profiles in Experience Cloud, where unauthenticated visitors can query CRM objects if API access is enabled. The company recommends the following immediate actions, in line with the Principle of Least Privilege:
- Audit and minimize guest user permissions.
- Disable API Enabled on guest profiles.
- Set organization-wide defaults to Private.
- Turn off Portal/Site User Visibility.
- Disable self-registration if unnecessary.
- Review Aura Event Monitoring logs for suspicious IPs or queries.
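As an added illustration of the last recommendation (not code from Salesforce or from the article), the script below runs simple triage over constructed log lines: it flags guest traffic that carries the tooling user agents named in the reporting, and any single address making an unusual number of unauthenticated requests to the /s/sfsites/aura endpoint. The line format is a simplified assumption for the demo, not the real Aura Event Monitoring schema.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in a simplified "<ip> <user_type> <method> <path> <status> <user_agent>"
# layout; this is an assumed format for the demo, not Salesforce's Event Monitoring schema.
SAMPLE_LOG = (
    "203.0.113.10 Guest POST /s/sfsites/aura 200 RapeForceV2.01.39 (AGENTIC)\n"
    "203.0.113.10 Guest POST /s/sfsites/aura 200 RapeForceV2.01.39 (AGENTIC)\n"
    "198.51.100.7 Guest GET /s/contact-us 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    "198.51.100.7 Guest POST /s/sfsites/aura 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n"
    # A burst of guest Aura calls behind an ordinary browser UA, as in the newer claims.
    + "192.0.2.55 Guest POST /s/sfsites/aura 200 Mozilla/5.0 (Windows NT 10.0; Win64; x64)\n" * 25
)

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3}) (.*)$")
AURA_PATH = "/s/sfsites/aura"
# User-agent markers named in the reporting on this campaign.
TOOL_UA_MARKERS = ("RapeForce", "RapeFlake")


def find_suspicious(log_text, aura_threshold=20):
    """Return {ip: [reasons]} for guest traffic that warrants analyst review.

    Two signals: a known tooling user agent, or an unusually high number of
    unauthenticated (Guest) requests to the Aura endpoint from one address.
    """
    aura_counts = Counter()
    reasons = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole run
        ip, user_type, _method, path, _status, ua = m.groups()
        if user_type != "Guest":
            continue  # authenticated traffic is out of scope for this check
        if any(marker in ua for marker in TOOL_UA_MARKERS):
            reason = "known tooling user agent: " + ua
            if reason not in reasons[ip]:
                reasons[ip].append(reason)
        if path == AURA_PATH:
            aura_counts[ip] += 1
    for ip, n in aura_counts.items():
        if n >= aura_threshold:
            reasons[ip].append(f"{n} guest requests to {AURA_PATH} (threshold {aura_threshold})")
    return dict(reasons)


if __name__ == "__main__":
    for ip, why in find_suspicious(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(why))
```

The volume threshold is a starting point to tune against a site's normal guest traffic; a standard browser user agent alone, as the latest claims show, is no reason to clear an address.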
Mandiant CTO Charles Carmakal confirmed AuraInspector misuse but noted that scanning alone does not imply compromise.
Impact and Broader Implications
This campaign endangers CRM data across high-profile targets, with ShinyHunters boasting breaches of 100 notable firms. Disabling public access prevents attacks but may disrupt guest features. Cybersecurity experts highlight misconfigurations as a persistent risk in SaaS environments, urging Salesforce users to act swiftly. Ongoing monitoring is critical as the group evolves tactics.
About the author – Ayesha Aayat is a law student and contributor covering cybercrime, online frauds, and digital safety concerns. Her writing aims to raise awareness about evolving cyber threats and legal responses.
