ShinyHunters ‘Breach 400 Companies’ via Salesforce Experience Cloud


Salesforce is warning customers to be aware of threat activity targeting public-facing Experience Cloud sites – as the ShinyHunters hacking group claims to be exploiting a new bug.

The danger stems from attempts to take advantage of "overly permissive" guest user configurations, the company says in a trust site post reminiscent of the voice phishing incidents of late 2025.

Protect Your Org from Experience Cloud Threat

ShinyHunters have claimed responsibility for Salesforce Aura/Experience Cloud data theft attacks, in a post on their data leak site, according to BleepingComputer. Mandiant Consulting told the outlet that hackers were using AuraInspector to try to breach companies.

Charles Carmakal, Mandiant chief technology officer, said: "We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments."

ShinyHunters are reportedly claiming to have compromised roughly 100 high-profile companies, many of them in cybersecurity. Hackers told BleepingComputer that the total number of breached organizations is somewhere between 300 and 400.

The threat actor said that in September 2025, they began compromising companies with insecure Experience Cloud access control configurations for guest users. They were also reportedly identifying Aura instances by scanning the internet for the /s/sfsites/ endpoint.

The hackers also said that, because of a Salesforce limitation, they could only query 2,000 records at a time through the company's GraphQL API, which slowed down the data theft process. They reportedly later found that the sortBy parameter bypassed the restriction.

Salesforce said in a trust site post that they have not identified "any vulnerability inherent to the Salesforce platform" associated with the threat activity.

The company has been proactively warning that these attempts are focused on customer configuration settings that, if not properly secured, "may increase exposure".

Salesforce is telling customers to review their Experience Cloud guest user settings and take the following immediate recommended actions.

Audit Guest User Configurations

Review your guest user profile to ensure it is restricted to the absolute minimum objects and fields required for your site to function.

Navigate to Setup → All Sites → [Your Site] → Builder → Settings → General → Guest User Profile.

For every object permission listed, ask if an unauthenticated site visitor really needs access to those records. Remove anything that is not clearly required. Start from zero access and restore only what the tested functionality requires.

Set Org Wide Defaults to "Private"

In Sharing Settings, make sure that the org-wide defaults for all objects are set to Private for external users. Ensure that Secure guest user record access is enabled.

Guest users can’t access any record unless you have explicitly made a sharing rule granting access.

Disable Public APIs

The highest-impact single change you can make, according to Salesforce, is to disable Allow guest users to access public APIs.

In the guest user profile's System Permissions, uncheck "API Enabled". This closes the Aura endpoint to unauthenticated API queries, which is the exact vector used in this campaign.

Restrict Visibility

Uncheck "Portal User Visibility" and "Site User Visibility" in Sharing Settings to stop guest users from enumerating internal org members.

Disable Self-Registration if Not Required

If your site does not need unauthenticated visitors to create their own accounts, disable self-registration.

Data accessible through guest user misconfigurations could be used to self-register portal accounts, escalating a guest-tier exposure into an authenticated session with broader data access.

If self-registration is needed for your site to function, make sure the registration handler runs with sharing, assigns the most restrictive profile available, and requires email verification before the account is activated.
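To make the "Audit Guest User Configurations" and "Disable Public APIs" steps repeatable, here is an added example (not code from the article or from Salesforce) that audits a guest user profile retrieved in Salesforce Metadata API Profile XML format. It flags "API Enabled" on the guest profile and any object grant the site does not need, treating View All / Modify All as high severity, and produces a hardened copy that starts from zero and keeps only the grants listed in an allowlist. The sample profile and the `SITE_NEEDS` allowlist are constructed for the demo; what a real site needs is an assumption you must fill in from testing.

```python
"""Audit and harden an Experience Cloud guest user profile (Metadata API Profile XML).

Added example, not from the article. The sample profile below is constructed;
SITE_NEEDS is an assumed allowlist of what this particular site actually requires.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
         "viewAllRecords", "modifyAllRecords")

# Assumed allowlist: object -> grants the site's tested functionality needs.
SITE_NEEDS = {
    "Knowledge__kav": {"allowRead"},   # public help articles
    "Case": {"allowCreate"},           # web-to-case style contact form
}

# Constructed sample of a retrieved guest profile with the risky settings present.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Knowledge__kav</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""


def _text(parent, tag):
    """Text of a namespaced child element, or '' if it is absent."""
    node = parent.find(f"m:{tag}", NS)
    return node.text.strip() if node is not None and node.text else ""


def audit_guest_profile(profile_xml, site_needs):
    """Return (severity, subject, message) findings for grants the site does not need."""
    root = ET.fromstring(profile_xml.encode("utf-8"))
    findings = []
    # "API Enabled" on the guest profile opens the Aura/API endpoints to unauthenticated queries.
    for perm in root.findall("m:userPermissions", NS):
        if _text(perm, "name") == "ApiEnabled" and _text(perm, "enabled") == "true":
            findings.append(("high", "ApiEnabled", "API Enabled is on for the guest profile"))
    # Every object grant must be justified by the allowlist; View All / Modify All never are.
    for op in root.findall("m:objectPermissions", NS):
        obj = _text(op, "object")
        needed = site_needs.get(obj, set())
        for flag in FLAGS:
            if _text(op, flag) == "true" and flag not in needed:
                sev = "high" if flag in ("viewAllRecords", "modifyAllRecords") else "medium"
                findings.append((sev, obj, f"{flag} granted but not required by the site"))
    return findings


def harden_guest_profile(profile_xml, site_needs):
    """Return profile XML with API Enabled off and only allowlisted object grants left on.

    Review the result before deploying it: the allowlist must reflect tested functionality.
    """
    ET.register_namespace("", NS["m"])
    root = ET.fromstring(profile_xml.encode("utf-8"))
    for perm in root.findall("m:userPermissions", NS):
        if _text(perm, "name") == "ApiEnabled":
            enabled = perm.find("m:enabled", NS)
            if enabled is not None:
                enabled.text = "false"
    for op in root.findall("m:objectPermissions", NS):
        needed = site_needs.get(_text(op, "object"), set())
        for flag in FLAGS:
            node = op.find(f"m:{flag}", NS)
            if node is not None and flag not in needed:
                node.text = "false"
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    for sev, subject, msg in audit_guest_profile(SAMPLE_PROFILE_XML, SITE_NEEDS):
        print(f"[{sev}] {subject}: {msg}")
    print(harden_guest_profile(SAMPLE_PROFILE_XML, SITE_NEEDS))
```

Run it against the sample and it reports three findings (API Enabled, and Contact read plus View All); the hardened copy audits clean. For a real org, retrieve the guest profile with your usual metadata tooling, feed the XML in, and treat the `SITE_NEEDS` allowlist as the artefact you review, since the script can only enforce what you have told it the site requires.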

Experience Cloud Threat Explained

Salesforce Security has been tracking a rise in threat actor activity targeting misconfigurations of publicly accessible sites.

They have identified a campaign in which malicious actors are "exploiting customers' overly permissive Experience Cloud guest user configurations" to possibly access more data than targeted organizations intended.

"It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform," Salesforce says.

The company outlines in a blog post that their investigation to date confirms that the activity relates to a customer-configured guest user setting, not a platform security flaw.

Salesforce's Cyber Security Operations Center (CSOC) has been monitoring a campaign by a "known threat actor group".

The company says that evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to "perform mass scanning of public-facing Experience Cloud sites".

Final Thoughts

The ShinyHunters threat group seems to be back with another Salesforce hacking campaign – reminiscent of the 'voice phishing' attacks of last year.

Admins should take the recommended steps above to secure their orgs.
