ShinyHunters breach hits 100+ companies.
What happened
ShinyHunters exploited Salesforce Experience Cloud misconfigurations, impacting 100+ companies and highlighting identity control gaps.
Why it matters
The ShinyHunters group is actively exploiting misconfigured Salesforce Experience Cloud sites, gaining access through guest accounts with overly permissive settings. They are using a modified version of the AuraInspector tool against the /s/sfsites/aura API endpoint, bypassing data query limitations to extract data. Salesforce emphasizes that this is a customer configuration issue, not a platform vulnerability.

ShinyHunters claims to have compromised between 300 and 400 organizations, including many in the cybersecurity sector. The group began targeting these misconfigurations in September 2025, scanning for the /s/sfsites/ endpoint. Stolen data often includes names and phone numbers, which can be used for follow-on social engineering and vishing campaigns.

Salesforce advises customers to review guest user permissions, enforce least privilege, and restrict API access for unauthenticated users. It also recommends disabling self-registration where it is not required and monitoring Aura Event Monitoring logs for suspicious activity. Disabling public APIs is considered the highest-impact change.

This is not the first time ShinyHunters has targeted Salesforce environments: the group has previously used vishing to obtain Okta SSO credentials and has exploited third-party integrations such as Gainsight. It has also been known to target other SaaS platforms and luxury brands.
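The advice above boils down to two defender tasks: audit what the guest profile is allowed to do, and watch for unauthenticated bulk access to the Aura endpoint. The following is an added example (not code from the article or from Salesforce) that does both over constructed input. The log format and field names (ts, src_ip, user_type, uri, status) are hypothetical and simplified; a real Aura Event Monitoring or access-log export has its own schema, so map the fields accordingly. The guest profile dictionary and its keys (api_enabled, self_registration, object_read) are likewise invented for illustration.

```python
"""Guest-profile audit and bulk-guest-access detection for an Experience Cloud site.

Added example; the log format and profile keys below are constructed stand-ins,
not Salesforce's real schema.
"""
import json
from collections import Counter
from typing import Dict, List

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the article

# Constructed sample records (JSON lines, hypothetical fields).
# 198.51.100.7 is an unauthenticated (Guest) client hammering the Aura endpoint;
# 203.0.113.9 is a guest doing normal browsing; 192.0.2.5 is a logged-in user.
SAMPLE_LOG = """\
{"ts":"2025-09-14T10:00:01Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:00:02Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:00:02Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:00:03Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:00:03Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:00:04Z","src_ip":"198.51.100.7","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:01:00Z","src_ip":"203.0.113.9","user_type":"Guest","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:01:05Z","src_ip":"203.0.113.9","user_type":"Guest","uri":"/s/contact-us","status":200}
{"ts":"2025-09-14T10:02:00Z","src_ip":"192.0.2.5","user_type":"Standard","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:02:01Z","src_ip":"192.0.2.5","user_type":"Standard","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:02:02Z","src_ip":"192.0.2.5","user_type":"Standard","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:02:03Z","src_ip":"192.0.2.5","user_type":"Standard","uri":"/s/sfsites/aura","status":200}
{"ts":"2025-09-14T10:02:04Z","src_ip":"192.0.2.5","user_type":"Standard","uri":"/s/sfsites/aura","status":200}
"""


def parse_log(text: str) -> List[Dict]:
    """Parse JSON lines; malformed lines are skipped so one bad record does not abort the sweep."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            records.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return records


def guest_aura_requests(records: List[Dict]) -> List[Dict]:
    """Unauthenticated requests to the Aura endpoint (the pattern the article describes)."""
    return [
        r for r in records
        if r.get("user_type") == "Guest" and str(r.get("uri", "")).startswith(AURA_PATH)
    ]


def flag_bulk_guest_sources(records: List[Dict], threshold: int = 5) -> Dict[str, int]:
    """Source IPs whose guest Aura request count reaches the threshold within the window."""
    counts = Counter(r["src_ip"] for r in guest_aura_requests(records))
    return {ip: n for ip, n in counts.items() if n >= threshold}


# Hypothetical guest-profile settings, as an admin might export them for review.
GUEST_PROFILE_EXAMPLE = {
    "api_enabled": True,
    "self_registration": True,
    "object_read": ["Contact", "Lead", "Case"],
}


def guest_profile_findings(profile: Dict) -> List[str]:
    """Turn the article's recommendations into concrete findings against a guest profile."""
    findings = []
    if profile.get("api_enabled"):
        findings.append("guest profile has API access enabled; disable public API access (highest-impact change)")
    if profile.get("self_registration"):
        findings.append("self-registration is enabled; disable it unless the site requires it")
    for obj in profile.get("object_read", []):
        findings.append(f"guest profile can read {obj} records; remove unless required (least privilege)")
    return findings


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("bulk guest Aura sources:", flag_bulk_guest_sources(recs))
    for f in guest_profile_findings(GUEST_PROFILE_EXAMPLE):
        print("finding:", f)
```

The threshold is deliberately low for the constructed sample; in practice set it from a baseline of normal guest traffic to the site, and treat any guest Aura request at all as a finding once public API access has been disabled, since there should then be none.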
Key numbers
- 100+ companies impacted by the Salesforce Experience Cloud misconfigurations.
- 300 to 400 organizations claimed compromised by ShinyHunters, including many in the cybersecurity sector.
- September 2025: the group began scanning for the /s/sfsites/ endpoint to find misconfigured sites.