The article "SHINYHUNTERS Targets Hundreds of Websites in New Salesforce Campaign" reports that Salesforce has urged Experience Cloud customers to audit their website configurations after claims that a notorious threat group has already stolen data from hundreds of companies.
The company said it has been tracking an increase in threat actor activity exploiting misconfigurations of publicly accessible sites built using Experience Cloud. In this campaign, malicious actors exploit overly permissive guest user configurations to potentially access more data than intended.
The group is using a customised version of an open source tool originally developed by Mandiant (Aura Inspector) to mass-scan the /s/sfsites/aura API endpoint, detecting vulnerable CRM objects and extracting data from misconfigured endpoints. Data harvested in these scans, such as names and phone numbers, is often used to build follow-on social engineering and vishing campaigns.
ShinyHunters has claimed responsibility, saying in screenshots published on X that it compromised around 400 websites and 100 high-profile companies. Salesforce urged customers using the guest user profile to restrict access and review logs for unusual activity.
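One way to start the log review described above, as an added example that is not from the article or from Salesforce: it flags clients that send bursts of requests to the `/s/sfsites/aura` endpoint. It assumes request logs in combined access-log format (for example from a CDN or proxy in front of the site); the threshold, window, function names and sample lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the article
# Assumed log format: combined access log (client, timestamp, request line, status)
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)

def parse(line):
    """Return (ip, timestamp, path) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"]

def flag_aura_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak count} for clients with >= threshold Aura requests
    inside one sliding window. Lines must be chronological per client."""
    recent = defaultdict(deque)
    peaks = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, ts, path = rec
        # Ignore the query string; match anywhere in the path in case the
        # site is served under a URL prefix (assumption).
        if AURA_PATH not in path.split("?", 1)[0]:
            continue
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ip] = max(peaks.get(ip, 0), len(q))
    return peaks

def sample_log():
    """Constructed lines: one client bursting on Aura, one browsing normally."""
    burst = [f'203.0.113.7 - - [10/Mar/2026:12:00:{s:02d} +0000] '
             f'"POST /s/sfsites/aura?r={s} HTTP/1.1" 200 512 "-" "constructed-agent"'
             for s in range(8)]
    normal = ['198.51.100.20 - - [10/Mar/2026:12:00:03 +0000] "GET /s/login HTTP/1.1" 200 900 "-" "constructed-browser"',
              '198.51.100.20 - - [10/Mar/2026:12:00:05 +0000] "POST /s/sfsites/aura?r=1 HTTP/1.1" 200 300 "-" "constructed-browser"']
    return burst + normal + ["unparseable line"]
```

Legitimate site pages also call this endpoint, so the threshold needs tuning against a baseline of normal guest traffic before any flagged client is treated as a scanner.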