ShinyHunters breach hits 100+ companies.
ShinyHunters exploited Salesforce Experience Cloud misconfigurations, impacting 100+ companies and highlighting identity control gaps.
The ShinyHunters group is actively exploiting misconfigured Salesforce Experience Cloud sites, gaining access through guest accounts with overly permissive settings. They are using a modified version of the AuraInspector tool to target the /s/sfsites/aura API endpoint, bypassing data query limitations to steal data. Salesforce emphasizes this is a customer configuration issue, not a platform vulnerability.

ShinyHunters claims to have compromised between 300 and 400 organizations, including many in the cybersecurity sector. The group began targeting these misconfigurations in September 2025, scanning for the /s/sfsites/ endpoint. Stolen data often includes names and phone numbers, which can be used for follow-on social engineering and vishing campaigns.

Salesforce advises customers to review guest user permissions, enforce least privilege, and restrict API access for unauthenticated users. They also recommend disabling self-registration if not required and monitoring Aura Event Monitoring logs for suspicious activity. Disabling public APIs is considered the highest-impact change.

This is not the first time ShinyHunters has targeted Salesforce environments. They have previously used vishing to obtain Okta SSO credentials and exploited third-party integrations like Gainsight. The group has also been known to target other SaaS platforms and luxury brands.
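The monitoring advice above can be approximated with a sliding-window count of guest requests to the /s/sfsites/aura endpoint per client. This is an added example, not code from Salesforce or the original article; the CSV column names, sample rows, and thresholds are constructed assumptions and are not the Aura Event Monitoring schema.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the article


def build_sample_log():
    """Constructed sample export; column names are hypothetical."""
    rows = ["timestamp,client_ip,user_type,method,uri"]
    # Guest client paging through records: 6 calls in 25 seconds.
    rows += [f"2025-09-14T10:00:{s:02d},198.51.100.7,Guest,POST,{AURA_PATH}"
             for s in range(0, 30, 5)]
    # Logged-in member with the same volume: not a guest, so not counted.
    rows += [f"2025-09-14T10:01:{s:02d},192.0.2.44,Member,POST,{AURA_PATH}"
             for s in range(0, 30, 5)]
    # Ordinary guest visitor: two calls several minutes apart.
    rows += [f"2025-09-14T10:00:02,203.0.113.20,Guest,POST,{AURA_PATH}",
             f"2025-09-14T10:03:30,203.0.113.20,Guest,POST,{AURA_PATH}"]
    return "\n".join(rows)


def find_guest_aura_bursts(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_ip: peak count} for guest clients whose Aura endpoint
    calls reach `threshold` inside any sliding `window` (illustrative values)."""
    recent = defaultdict(deque)  # client_ip -> timestamps still in the window
    flagged = {}
    # ISO 8601 timestamps of equal length sort correctly as strings.
    rows = sorted(csv.DictReader(io.StringIO(log_text)),
                  key=lambda r: r["timestamp"])
    for row in rows:
        if row["user_type"] != "Guest" or AURA_PATH not in row["uri"]:
            continue
        ts = datetime.fromisoformat(row["timestamp"])
        q = recent[row["client_ip"]]
        q.append(ts)
        while ts - q[0] > window:  # drop requests older than the window
            q.popleft()
        if len(q) >= threshold:
            ip = row["client_ip"]
            flagged[ip] = max(flagged.get(ip, 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_guest_aura_bursts(build_sample_log()).items():
        print(f"review guest access from {ip}: {peak} Aura calls within 60s")
```

Tune `threshold` and `window` against a baseline of normal guest traffic for the site before alerting on the result.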