Sony A.I CyberSecurity Scoring
Sony
Company Information
Website: https://www.sony.com/en/
Employees number: 23,248
Number of followers: 1,312,351
NAICS: 71
Industry Type: Entertainment Providers
Homepage: sony.com
Sony Risk Score (AI oriented)
Between 600 and 649
Sony, Entertainment Providers
Updated: 01/04/2026
628/1000
Poor
Caa
Current Score
628 Caa (POOR)
8 incidents
-57.5 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
637
MAY 2026
640
APRIL 2026
634
MARCH 2026
659
Breach
10 Mar 2026 • Sony
Salesforce, Snowflake, Okta, Sony, LastPass and AMD: Salesforce Customer Data Breach Linked to ShinyHunters
ShinyHunters Exploits Salesforce Experience Cloud Misconfigurations in Large-Scale Data Theft
629
CRITICAL-30
SALLASAMDSNOSONOKT1773153462
The hacking group ShinyHunters has claimed responsibility for stealing data from approximately 100 major companies by exploiting misconfigurations in Salesforce’s Experience Cloud platform. According to reports, the group accessed information from around 400 websites and organizations, including high-profile targets like Snowflake, Okta, LastPass, Sony, AMD, and Salesforce itself.
Salesforce confirmed that a "known threat actor group" is actively scanning public-facing Experience Cloud sites (portals used for customer, partner, and employee interactions), looking for overly permissive guest user configurations. The company clarified that the issue stems from customer-defined guest user profiles, not a vulnerability in Salesforce’s core platform.
### How the Attack Works
Experience Cloud sites can be configured to allow guest users (unauthenticated visitors) to view public pages and submit forms. However, if these guest profiles are granted excessive permissions, attackers can query and extract CRM data that was never intended to be public.
ShinyHunters reportedly used a modified version of AuraInspector, an open-source tool originally designed by Mandiant to detect misconfigurations in Salesforce’s Aura endpoints. The altered tool enables mass scanning of public-facing sites, extracting data when guest permissions are too broad.
### ShinyHunters’ Track Record
Active since 2019, ShinyHunters has been linked to numerous high-profile breaches, often employing "pay or leak" tactics: demanding ransoms to prevent data exposure. Recent incidents include the 2024 Snowflake breach, as well as attacks on universities and consumer platforms, leveraging phishing, social engineering, and SaaS misconfigurations.
### The Broader Risk of Misconfiguration
This incident highlights a persistent cybersecurity challenge: misconfiguration remains a leading attack vector. While SaaS platforms like Salesforce offer robust security controls, human error in permission settings can expose sensitive data. Experience Cloud’s flexibility, designed for public-facing portals, becomes a liability when guest user profiles are improperly configured, allowing unauthorized access to CRM records.
### Salesforce’s Response & Mitigation Steps
Salesforce has urged customers to:
- Audit guest user permissions across all Experience Cloud sites.
- Set default external access to "private" to block unauthenticated queries.
- Disable guest access to public APIs and remove API-enabled permissions from guest profiles.
- Monitor logs for unusual activity, such as large-scale scanning attempts.
The incident underscores the need for ongoing security reviews rather than one-time configurations, as cloud environments evolve and threat actors refine their tactics. With regulatory scrutiny and reputational risks escalating, enterprises must treat access control and governance as continuous priorities.
FEBRUARY 2026
658
JANUARY 2026
763
DECEMBER 2025
651
NOVEMBER 2025
648
OCTOBER 2025
727
Ransomware
03 Oct 2025 • Sony
Salesforce
Scattered Lapsus$ Hunters Ransomware Attack on Salesforce Customer Data via Salesloft Drift Integration
642
CRITICAL-85
SAL5592855100325
The ransomware group ShinyHunters (Scattered Lapsus$ Hunters) breached Salesforce by exploiting stolen OAuth tokens from Salesloft Drift’s AI chatbot integration, compromising 1.5 billion records across 760 companies (including Cisco, Disney, and Marriott). The leaked data includes PII (names, DOBs, passports, employment histories), shipping details, chat transcripts, flight records, and car ownership data, and was validated by cybersecurity researchers. Attackers first infiltrated Salesloft’s GitHub repository, extracting private source code and OAuth tokens, then moved laterally to the Google Workspace, Microsoft 365, and Okta platforms of victims. The group demanded separate ransoms from Salesforce and listed 39 high-profile victims on a dark web leak site, pressuring them to pay under threat of full data exposure. The attack leveraged social engineering (vishing, phishing, IT impersonation) to trick employees into granting access, highlighting vulnerabilities in third-party supply-chain integrations and weak 2FA/OAuth security controls.
SEPTEMBER 2025
727
AUGUST 2025
725
JULY 2025
723
APRIL 2025
717
Vulnerability
01 Apr 2025 • Sony
HP
Privilege Escalation Vulnerability in Plantronics Hub Software
714
HIGH-3
HP909040125
A critical security vulnerability was found in Plantronics Hub software, which has been discontinued by HP. Attackers could escalate privileges using an unquoted search path weakness when combined with OpenScape Fusion for MS Office during startup. The vulnerability takes advantage of a flaw in how Windows handles unquoted paths. Attackers with write access to the C:\ directory can plant malicious files that execute with elevated privileges, allowing them to bypass User Account Control and escalate privileges. As OpenScape Fusion launches Plantronics Hub, the malicious code is executed, leading to privilege escalation. HP has not released a patch but recommends quoting the registry path and restricting write permissions to the C:\ directory as mitigation strategies.
MARCH 2025
745
Breach
01 Mar 2025 • Sony
Sony
Leak of AI-Powered PlayStation Character Tech Demo
715
HIGH-30
SON955031125
An internal PlayStation character tech demo has been leaked, showcasing an AI-powered version of Aloy from the Horizon franchise. The leaked prototype reveals Sony's explorations into using AI for game development, with Aloy responding to players using AI-generated voice and facial movements. This early glimpse into game character development via AI has sparked concerns among players regarding the potential loss of a personal touch and immersion that typical voiceovers and motion capture bring. The video was spread across various platforms, raising issues of intellectual property infringement and stirring discussions on the future implications of AI in the gaming industry.
FEBRUARY 2025
774
Breach
01 Feb 2025 • Sony
Grubhub: Grubhub confirms hackers stole data in recent security breach
Grubhub Data Breach Amid Extortion Demands by ShinyHunters
744
CRITICAL-30
GRU1768529823
Grubhub Confirms Data Breach Amid Extortion Demands by ShinyHunters
Grubhub has acknowledged a recent data breach after hackers accessed its systems, with sources indicating the company is now facing extortion demands. The food delivery platform confirmed unauthorized access but stated that sensitive data such as financial information or order history remained unaffected.
While Grubhub declined to provide further details, including the breach timeline or whether customer data was compromised, it confirmed collaboration with a third-party cybersecurity firm and law enforcement. Multiple sources identified the ShinyHunters cybercrime group as the likely perpetrators, though the threat actors refused to comment when contacted.
The extortion demands reportedly involve Bitcoin payments to prevent the release of stolen data, including older Salesforce records from a February 2025 breach and newer Zendesk data accessed in the recent incident. Grubhub uses Zendesk for its customer support chat system, which handles orders, account issues, and billing.
The breach appears linked to credentials stolen during the August 2025 Salesloft Drift attacks, where threat actors exploited stolen OAuth tokens to compromise Salesforce integrations. Google’s Mandiant reported that the stolen data, including AWS access keys, passwords, and Snowflake tokens, was later used in follow-up attacks. ShinyHunters previously claimed responsibility for the Salesloft breach, alleging the theft of 1.5 billion records from 760 companies.
This incident follows a separate wave of scam emails sent from Grubhub’s b.grubhub.com subdomain last month, promoting a cryptocurrency scam. While Grubhub stated it contained the issue, it remains unclear whether the two events are connected.
JANUARY 2025
807
Breach
01 Jan 2025 • Sony
Grubhub: Ex-Grubhub Worker Alleges Food App Negligently Allowed Data Hack
Grubhub Faces Class Action Lawsuit Over January 2025 Data Breach
773
CRITICAL-34
GRU1769118538
A former Grubhub employee has filed a class action lawsuit against the food delivery platform, alleging the company failed to implement adequate security measures to protect sensitive personal and financial data. The complaint, filed on February 5, 2025, in the U.S. District Court for the Northern District of Illinois, claims cybercriminals accessed the information of tens of thousands of customers and employees in a January 2025 breach.
The exposed data reportedly included Social Security numbers, addresses, and financial details. Grubhub notified affected individuals on February 3, 2025, acknowledging the incident. The lawsuit, led by plaintiff Brian Bianchi, accuses Grubhub of negligence in safeguarding user data, potentially leaving victims vulnerable to identity theft and fraud.
The case highlights growing scrutiny over corporate cybersecurity practices and the legal consequences of failing to protect consumer information. No further details on the breach’s scope or the attackers’ methods have been disclosed.
SEPTEMBER 2023
837
Data Leak
01 Sep 2023 • Sony
Sony
NTT Docomo Ransomware Attack
798
CRITICAL-39
SON02421023
The renowned ransomware group Ransomed.vc reported a new victim today in the form of the major Japanese telecommunications company NTT Docomo in response to the newly disclosed Sony data leak.
Notably, the statement coincided nearly exactly with the release of additional Sony data leaks that shed some light on the data breach's predecessor.
The largest NTT Docomo is being asked to pay $1,015,000 to the bad actors. The bad guys released the stolen data after Sony declined to fulfill the ransom demands.
It was discovered that if businesses don't pay, hackers will release the data they've stolen, which could result in regulatory penalties that occasionally exceed the ransom.
JUNE 2014
837
Vulnerability
16 Jun 2014 • Sony
Sony
Sony Pictures Entertainment Cyberattack
825
CRITICAL-12
SON601050824
In 2014, Sony Pictures Entertainment suffered a massive cyberattack resulting in the loss of over 100 Terabytes of data containing confidential company information. This breach not only led to financial losses estimated to be well over $100 million but also severely damaged the company’s reputation. The attack was conducted through phishing emails, where the attackers disguised themselves as colleagues using fake Apple ID verification emails. Utilizing a combination of LinkedIn data and compromised Apple ID logins, the assailants were able to acquire passwords that matched those used for Sony’s network. This significant incident underscores the importance of enforcing robust cybersecurity measures and the necessity of employing unique passwords for different online services to mitigate the risk of such breaches.