
ShinyHunters Behind Salesforce Aura Data Theft Campaign

Published on March 12, 2026

ShinyHunters has claimed responsibility for an active campaign targeting Salesforce Experience Cloud sites. The group says it has breached between 300 and 400 organizations, with around 100 described as high-profile. Salesforce has issued a formal advisory and urges customers to audit their configurations immediately.

The campaign has been running since September 2025. It only became public in early March 2026, after Salesforce published guidance and ShinyHunters posted about the operation on their data leak site.

What Is Being Targeted

Salesforce Experience Cloud lets organizations build customer-facing web portals connected directly to their Salesforce CRM. These portals support unauthenticated access through a dedicated guest user profile, which allows visitors to view public pages or submit forms without logging in.

The problem arises when that guest user profile is configured with permissions that are too broad. If a guest profile has API access enabled and object-level permissions set too loosely, an unauthenticated visitor can query CRM records directly through the /s/sfsites/aura endpoint. No credentials required.

Salesforce is clear that this is a configuration issue, not a platform vulnerability. The data exposed depends on what each organization has inadvertently made accessible, but confirmed data types include names, phone numbers, and CRM records.

How ShinyHunters Executed the Attack

The group began by scanning the internet for publicly accessible /s/sfsites/ endpoints to identify potential targets. Once a misconfigured instance was found, they could extract CRM data without authenticating.

An early technical limitation slowed them down. Salesforce's GraphQL API returns a maximum of 2,000 records per query. ShinyHunters found that abusing the sortBy parameter bypassed this restriction. That allowed them to pull data in bulk. Salesforce subsequently closed that bypass.

In January 2026, Mandiant released an open-source tool called AuraInspector. It was designed to help Salesforce administrators detect access control misconfigurations within Experience Cloud environments. ShinyHunters modified the tool's code and repurposed it for mass automated scanning and data extraction.

Mandiant's chief technology officer confirmed the misuse. His statement noted that the modified tool was being used to automate vulnerability scans across Salesforce environments, and that detecting scanning activity in an organization's logs does not itself confirm a compromise.

A Disputed Claim

Salesforce maintains there is no vulnerability in its platform. The company attributes all data theft to misconfigured customer environments.

ShinyHunters disputes this. The group claims that after Salesforce patched the sortBy bypass, they found a new method to circumvent the 2,000-record limit. More significantly, they claim this new technique allows data extraction from Aura instances even when those instances are properly configured. They have not disclosed technical details and say they will not do so until their exploitation phase is complete.

This claim has not been independently verified. Salesforce continues to deny any platform-level flaw.

Who Has Been Named

ShinyHunters posted a listing titled "Salesforce Aura Campaign" on their leak site. The post warns affected organizations to respond or face public data exposure. Named companies include LastPass, Okta, AMD, and Snowflake.

LastPass confirmed awareness of the campaign and said it was working with Salesforce to investigate. The company stated there was no evidence linking the Salesforce incident to a separate phishing campaign reported the previous week.

Other named organizations have not publicly commented.

What Salesforce Is Telling Customers

Salesforce has laid out a clear set of remediation steps. The core recommendation is to enforce a least-privilege model for guest user profiles. Specific actions include:

  • Disable API access for guest profiles by unchecking "API Enabled" in the guest user profile's system permissions
  • Set org-wide sharing defaults to Private to restrict what data is accessible
  • Disable Portal User Visibility and Site User Visibility to prevent guest users from enumerating internal org members
  • Disable self-registration if it is not required for site functionality
  • Review Aura Event Monitoring logs for unusual IP addresses or query patterns

Disabling public API access for guest profiles closes the specific vector used in this campaign.
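One way to act on the log-review step, as an added example that is not Salesforce's, Mandiant's or the article's own code: it aggregates guest-user Aura requests per source IP and separates bulk data return from bare scanning, which Mandiant's statement above says is not by itself a compromise. The log lines and their CSV column layout are constructed; the real Aura Event Monitoring export has its own schema, so map its columns onto these before running it on real data.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed sample log (not a real export): time, source IP, user type,
# CRM object requested through the Aura endpoint, records returned.
SAMPLE_LOG = """\
timestamp,source_ip,user_type,entity,records_returned
2026-03-01T10:00:01Z,203.0.113.10,Guest,Contact,2000
2026-03-01T10:00:03Z,203.0.113.10,Guest,Contact,2000
2026-03-01T10:00:05Z,203.0.113.10,Guest,Lead,2000
2026-03-01T10:00:07Z,203.0.113.10,Guest,Account,2000
2026-03-01T10:01:00Z,198.51.100.7,Guest,Contact,0
2026-03-01T10:01:01Z,198.51.100.7,Guest,Lead,0
2026-03-01T10:01:02Z,198.51.100.7,Guest,User,0
2026-03-01T10:02:00Z,192.0.2.44,Guest,Knowledge__kav,12
2026-03-01T10:03:00Z,192.0.2.44,Standard,Contact,5
"""
# Illustrative thresholds; tune them to the site's normal guest traffic.
ENTITY_THRESHOLD = 3      # distinct CRM objects touched by one guest IP
RECORD_THRESHOLD = 1000   # records handed to one guest IP

def summarize_guest_activity(log_text):
    """Aggregate guest-user requests per source IP: objects touched, records returned."""
    stats = defaultdict(lambda: {"entities": set(), "records": 0})
    for row in csv.DictReader(StringIO(log_text)):
        if row["user_type"] != "Guest":
            continue  # authenticated users are outside this check
        s = stats[row["source_ip"]]
        s["entities"].add(row["entity"])
        s["records"] += int(row["records_returned"])
    return stats

def classify(log_text):
    """Label each guest IP 'bulk-extraction', 'scanning' or 'normal'. Scanning
    (many objects probed, nothing returned) is not by itself a compromise."""
    verdicts = {}
    for ip, s in summarize_guest_activity(log_text).items():
        many_objects = len(s["entities"]) >= ENTITY_THRESHOLD
        if many_objects and s["records"] >= RECORD_THRESHOLD:
            verdicts[ip] = "bulk-extraction"
        elif many_objects:
            verdicts[ip] = "scanning"
        else:
            verdicts[ip] = "normal"
    return verdicts

if __name__ == "__main__":
    for ip, verdict in classify(SAMPLE_LOG).items():
        print(f"{ip}: {verdict}")
```

A "scanning" verdict is the cue to confirm that the guest profile's API access and sharing defaults are already locked down; a "bulk-extraction" verdict warrants incident response.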

The Broader Pattern

This is not the first time ShinyHunters has targeted Salesforce customers. Previous campaigns ran through compromised third-party integrations, including Salesloft and Gainsight. The group was also responsible for the 2024 Snowflake breach campaign, which affected a significant number of enterprise organizations.

The current campaign follows the same extortion playbook. Data is stolen, listed on the leak site, and victims are given a window to pay before public disclosure.

For any organization running Salesforce Experience Cloud, the advisory is worth acting on now. Guest user permissions are easy to overlook during implementation and rarely revisited afterward. This campaign is a direct result of that gap.
