Salesforce Sounds Alarm Over Fresh Data Extortion Campaign

CRM-Obsessed ShinyHunters Gang Exploits Misconfigured Customer Experience Portals Mathew J. Schwartz (euroinfosec) • March 10, 2026

A prolific and noisy cybercrime gang with a penchant for stealing Salesforce customers' data and holding it ransom is taking advantage of misconfigured guest accounts meant to provide public access to services meant to remain private.

See Also: Why Cyberattackers Love 'Living Off the Land'

Salesforce said the resulting data theft and extortion campaign doesn't trace to a vulnerability in its platform. Attackers have successfully exploited guest account misconfigurations to steal an organization's Salesforce customer data.

The cybercrime collective, lately doing its illicit business under the ShinyHunters banner, has claimed credit for the campaign. The group told BleepingComputer the victims include numerous cybersecurity firms, and number between 300 and 400 organizations.

The data theft appears to tie to misconfigured rapid development framework components, called Salesforce Aura, that underpin Salesforce ...