SALESFORCE has warned customers about ongoing attacks linked to the ShinyHunters cybercrime group, which has announced a new data theft and extortion campaign targeting Salesforce instances. Since mid-2025, ShinyHunters has been targeting customer deployments using social engineering and other tactics, with last year’s incidents resulting in millions of data records compromised and leaked.
According to Salesforce, the breaches arose from phishing, abuse of third-party integrations, or misconfigurations rather than flaws in its products or systems. Salesforce said a campaign exploits customers’ overly permissive Experience Cloud guest user configurations to access more data than intended, while noting that the issue stems from a customer-configured guest user setting, not a platform vulnerability.
The group has abused a modified version of Aura Inspector to extract data, going beyond identification of exposures to actually exfiltrate information. ShinyHunters claimed responsibility for the attack, saying it targeted “several hundreds of companies” as part of the Salesforce Aura Campaign.