“Pay Up or Become the Next Headline”: ShinyHunters Threaten Hacked Salesforce Customers  


The ShinyHunters hacking group is threatening to expose compromised companies, telling them to “pay a small price” or become “the next headline”. 

The hackers, who have been targeting hundreds of companies via their Salesforce instances since 2025 and are believed to be behind recent Experience Cloud hacks, said in a March 9 update that businesses that do not comply with their demands face a complete data leak. 

‘Reply, Engage, Pay a Small Price’

Salesforce consistently stresses that its own software is not the issue when it comes to these campaigns, and Salesforce “remains secure”. 

The company says in a security update: “This issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw.” 

Salesforce has published guidance to help customers take the right action to secure their orgs.

According to Cyber Daily, ShinyHunters said in an update last week: “Several hundreds of companies set to release with FINAL WARNINGs upon failure to comply. To all affected companies who will be or are being contacted by us (‘ShinyHunters’), please consider this a preliminary warning before we release your name with FINAL WARNING or a complete data leak.

“Reply, engage, pay a small price, and prevent a publication. Make the right decision, don’t be the next headline.”

A modified version of Aura Inspector is being used by the hackers to scan for public-facing Experience Cloud sites, identify exposed API endpoints, and extract data when guest user settings are “overly permissive”, it is understood.


Salesforce says that, in a publicly accessible Salesforce Experience site, anonymous visitors share a “guest user profile”, which is typically used to give an unauthenticated user access to data that is expected to be made publicly available. 

But, if this profile is misconfigured with “excessive permissions”, data that is not meant to be made public could be accessible, allowing malicious actors to directly query Salesforce CRM objects without logging in. 

Experience Cloud customers are at risk from the hacking group if their site uses a guest user profile and that profile has been configured to allow public access to objects and fields that were never meant to be publicly available.

Salesforce warns that the threat actor activity reflects a broader trend of “identity-based” targeting, with data harvested in these scans often used for follow-up social engineering and “vishing” (voice phishing) campaigns.

Salesforce reminded admins of the importance of keeping the principle of least privilege in mind. They also recommended the following steps to further secure their Salesforce orgs:

  1. Audit Guest User Configurations: Review your guest user profile to make sure it is restricted to the absolute minimum objects and fields needed for your site to function.
  2. Set Org Wide Defaults to “Private”: In Sharing Settings, make sure the Default External Access for all objects is set to Private.
  3. Disable Public APIs: Make sure “Allow guest users to access public APIs” is unchecked in your site settings, along with “API Enabled” in the guest user profile’s System Permissions. 
  4. Restrict Visibility: Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings to stop guest users from enumerating internal org members.
  5. Disable Self-Registration if Not Required: If your site does not need unauthenticated visitors to create their own accounts, disable self-registration.
  6. Review Your Enhanced Personal Information Masking (EPIM) Configuration: When “Let guest users see other members of this site” is enabled, standard User object fields could be visible to guest and external users.
  7. Enable Profile Filtering: When Profile Filtering is not enabled, guest users might be able to access profiles in your org, including internal profiles.
  8. Enable Show Nicknames: Turning on “Show Nicknames” masks users’ real names for other site members.
  9. Review Field-Level Security for Non-User Objects: EPIM only protects the User object; for every other object where sensitive data exists, Field-Level Security (FLS) is the appropriate control for guest and external users.
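Steps 1 to 3 above can be checked in bulk rather than by clicking through each profile. The script below is an added example, not SF Ben's or Salesforce's own tooling: it audits constructed query results (shaped like the output of the SOQL queries noted in the comments, whose field names are assumed from the Profile, PermissionSet, ObjectPermissions and EntityDefinition objects) and flags guest profiles with API Enabled, guest object permissions beyond read-only on an allow-list, and objects whose Default External Access is not Private.

```python
# Constructed sample records (not real org data). The SOQL beside each list is
# the query whose results it imitates; the object and field names are assumptions.

# SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet
#   WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'
GUEST_PERMSETS = [
    {"Profile": {"Name": "Support Site Guest Profile"}, "PermissionsApiEnabled": True},
]
# SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
#   PermissionsDelete, PermissionsViewAllRecords FROM ObjectPermissions
#   WHERE Parent.Profile.UserType = 'Guest'
GUEST_OBJECT_PERMS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": False},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False, "PermissionsViewAllRecords": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": True, "PermissionsDelete": False, "PermissionsViewAllRecords": False},
]
# SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition
EXTERNAL_SHARING = [
    {"QualifiedApiName": "Knowledge__kav", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
]

WRITE_PERMS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def audit_guest_access(permsets, object_perms, sharing, allowed_read=frozenset({"Knowledge__kav"})):
    """Return one finding per deviation from the checklist; an empty list means clean."""
    findings = []
    for ps in permsets:                                   # step 3: API Enabled on a guest profile
        if ps.get("PermissionsApiEnabled"):
            findings.append(f"{ps['Profile']['Name']}: API Enabled is on (step 3)")
    for op in object_perms:                               # step 1: minimum objects, read-only
        obj = op["SobjectType"]
        if op.get("PermissionsRead") and obj not in allowed_read:
            findings.append(f"{obj}: guest Read on an object the site does not need (step 1)")
        if any(op.get(p) for p in WRITE_PERMS):
            findings.append(f"{obj}: guest write access (step 1)")
        if op.get("PermissionsViewAllRecords"):
            findings.append(f"{obj}: View All Records bypasses sharing for guests (step 1)")
    for row in sharing:                                   # step 2: Default External Access
        if row["ExternalSharingModel"] != "Private":
            findings.append(f"{row['QualifiedApiName']}: external access is "
                            f"{row['ExternalSharingModel']}, not Private (step 2)")
    return findings


if __name__ == "__main__":
    for finding in audit_guest_access(GUEST_PERMSETS, GUEST_OBJECT_PERMS, EXTERNAL_SHARING):
        print("FINDING:", finding)
```

The allow-list is the set of objects your public site genuinely needs to expose read-only; everything else the guest profile can read is reported for review.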

Undertaking these changes can have unintended effects, and they should be made with a strong understanding of record access and sharing rules, or as part of a broader security effort. SF Ben strongly recommends trialing these changes first in a Sandbox.

SF Ben has contacted Salesforce for comment. 

Final Thoughts

The ShinyHunters campaign once again shines a spotlight on the problem of overly permissive guest user settings. Salesforce has, throughout this campaign, repeatedly stressed that its own software is not compromised – but customers continue to be compromised and should take steps to prevent or mitigate attacks. 

The warning from ShinyHunters – that affected companies comply with their demands or risk becoming “the next headline” – is a worrying sign of things to come.
