Threat Actors Exploit Modified AuraInspector Tool to Harvest Data from Misconfigured Salesforce Sites On March 10, 2026, Salesforce’s Cybersecurity Operations Center (CSOC) warned of a campaign in which threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the AuraInspector tool. Originally developed by Google/Mandiant, AuraInspector is an open-source command-line utility designed to audit Salesforce Aura and Experience Cloud applications for data exposure risks by simulating unauthenticated or guest user access. Attackers have adapted the tool to exploit overly permissive guest user settings, enabling them to extract sensitive CRM data including Accounts, Contacts, and Leads via exposed Aura endpoints, record lists, or GraphQL controllers. While the original AuraInspector only identifies vulnerabilities, the modified version actively harvests data from misconfigured environments. Salesforce confirmed that the activity does not stem from a platform vulnerability but rather from customer misconfigurations, particularly in Experience Cloud guest user permissions. Exposed data could be leveraged for targeted social engineering or vishing attacks. The company attributes the campaign to a known threat actor group, potentially ShinyHunters, which has previously targeted Salesforce environments through third-party applications. Salesforce advises organizations to review and secure guest user settings, restrict public access, disable unnecessary APIs, and monitor logs to mitigate risks.

The Salesforce data breach involved the ShinyHunters (UNC6240) hacking group, which exploited stolen OAuth tokens from Salesloft’s GitHub account to infiltrate Drift’s Salesforce integration and subsequently compromise Gainsight, a customer process management platform. The attackers gained unauthorized access to over 200 Salesforce instances, exfiltrating enterprise customer data through third-party service integrations (including HubSpot and Zendesk). While Salesforce revoked access keys and removed affected apps from the AppExchange, the breach exposed sensitive customer data, though the full scope of the leak remains undisclosed. The attack leveraged supply-chain vulnerabilities rather than a direct Salesforce platform flaw. ShinyHunters claimed delayed detection (1–2 weeks post-intrusion) and sought internal accomplices for further exploitation. Salesforce refused ransom demands, but the incident highlights risks in third-party integrations and credential-based attacks.

The incident at Gainsight stemmed from a downstream effect of the August 2025 Salesloft breach, where the Scattered Lapsus$ Hunters group stole OAuth tokens tied to Salesloft’s Drift AI chat integration with Salesforce. These tokens granted unauthorized API access to 760 Salesforce instances, leading to the exfiltration of 1.5 billion records, including passwords, AWS keys, and Snowflake tokens.A subgroup, ShinyHunters, exploited the stolen credentials to breach Gainsight’s systems, extracting customer contact data (names, business emails, phone numbers, regional details), licensing information, and support case contents. Salesforce responded by revoking all active Gainsight-associated tokens and temporarily removing its apps from the AppExchange to mitigate further exposure. While Salesforce clarified that its platform itself was not vulnerable, the breach originated from Gainsight’s external app connections, compromising sensitive corporate and customer data across hundreds of organizations.

The Clop ransomware gang exploited a critical zero-day vulnerability (CVE-2025-61882) in Oracle E-Business Suite (EBS), specifically within the BI Publisher Integration component, to conduct data theft attacks since at least August 2025. The flaw allowed unauthenticated remote code execution (RCE) via a single HTTP request, enabling attackers to steal sensitive corporate documents from unpatched systems. Oracle patched the vulnerability in early October 2025, but not before Clop launched an extortion campaign, emailing executives at multiple victim organizations to demand ransoms in exchange for not leaking the stolen data.The attack leveraged a vulnerability chain exposed by leaked proof-of-concept (PoC) exploits from the Scattered Lapsus$ Hunters group, increasing the risk of further exploitation by other threat actors. Clop’s campaign mirrors past high-profile breaches, including MOVEit Transfer (2,770+ organizations affected), Accellion FTA, and GoAnywhere MFT, reinforcing its reputation for large-scale data theft via zero-days. Oracle urged immediate patching, warning that internet-exposed EBS applications remain prime targets. The U.S. State Department has even offered a $10 million reward for intelligence linking Clop to foreign state sponsorship, underscoring the attack’s severity.

Gainsight, a customer management software firm, experienced a security breach that compromised a limited number of its clients' data. The incident was confirmed by CEO Chuck Ganapathi and involved the exposure of Salesforce customer tokens, which are critical for authentication and access control within Salesforce ecosystems. While the breach did not result in a large-scale data leak, the compromise of these tokens poses risks such as unauthorized access to customer accounts, potential phishing attacks, or further exploitation of linked systems. The breach highlights vulnerabilities in third-party integrations, particularly those tied to major platforms like Salesforce. Although the impact was contained to a subset of clients, the exposure of authentication tokens could lead to reputational damage for Gainsight, erosion of customer trust, and potential financial repercussions if affected clients face downstream security incidents. The company has not disclosed whether the breach was due to a targeted cyber attack, a vulnerability exploitation, or an internal misconfiguration, but the involvement of Salesforce tokens suggests a sophisticated intrusion method.

Gainsight, a customer success management software firm, experienced a security breach that compromised a limited number of its clients' data. The incident was linked to the exposure of Salesforce customer tokens, which are critical for authentication and access within the Salesforce ecosystem. CEO Chuck Ganapathi confirmed that while the breach impacted Gainsight’s systems, only a subset of clients had their data compromised. The nature of the breach suggests unauthorized access to sensitive customer-related credentials, potentially enabling further exploitation if misused. Although the exact scope of the stolen data remains undisclosed, the involvement of Salesforce tokens indicates a risk of downstream attacks, such as unauthorized access to client accounts or systems integrated with Gainsight. The breach underscores vulnerabilities in third-party SaaS platforms and the cascading risks posed by credential-based attacks in enterprise software supply chains.