ShinyHunters Exploits Salesforce Experience Cloud Misconfigurations in Large-Scale Data Theft The hacking group ShinyHunters has claimed responsibility for stealing data from approximately 100 major companies by exploiting misconfigurations in Salesforce’s Experience Cloud platform. According to reports, the group accessed information from around 400 websites and organizations, including high-profile targets like Snowflake, Okta, LastPass, Sony, AMD, and Salesforce itself. Salesforce confirmed that a "known threat actor group" is actively scanning public-facing Experience Cloud sites portals used for customer, partner, and employee interactions due to overly permissive guest user configurations. The company clarified that the issue stems from customer-defined guest user profiles, not a vulnerability in Salesforce’s core platform. ### How the Attack Works Experience Cloud sites can be configured to allow guest users (unauthenticated visitors) to view public pages and submit forms. However, if these guest profiles are granted excessive permissions, attackers can query and extract CRM data that was never intended to be public. ShinyHunters reportedly used a modified version of AuraInspector, an open-source tool originally designed by Mandiant to detect misconfigurations in Salesforce’s Aura endpoints. The altered tool enables mass scanning of public-facing sites, extracting data when guest permissions are too broad. ### ShinyHunters’ Track Record Active since 2019, ShinyHunters has been linked to numerous high-profile breaches, often employing "pay or leak" tactics demanding ransoms to prevent data exposure. Recent incidents include the 2024 Snowflake breach, as well as attacks on universities and consumer platforms, leveraging phishing, social engineering, and SaaS misconfigurations. ### The Broader Risk of Misconfiguration This incident highlights a persistent cybersecurity challenge: misconfiguration remains a leading attack vector. While SaaS platforms like Salesforce offer robust security controls, human error in permission settings can expose sensitive data. Experience Cloud’s flexibility designed for public-facing portals becomes a liability when guest user profiles are improperly configured, allowing unauthorized access to CRM records. ### Salesforce’s Response & Mitigation Steps Salesforce has urged customers to: - Audit guest user permissions across all Experience Cloud sites. - Set default external access to "private" to block unauthenticated queries. - Disable guest access to public APIs and remove API-enabled permissions from guest profiles. - Monitor logs for unusual activity, such as large-scale scanning attempts. The incident underscores the need for ongoing security reviews rather than one-time configurations, as cloud environments evolve and threat actors refine their tactics. With regulatory scrutiny and reputational risks escalating, enterprises must treat access control and governance as continuous priorities.