ShinyHunters Claims Responsibility for Widespread Salesforce Data Theft
informationsecuritybuzz.com
Salesforce has warned customers that it has identified a campaign in which threat actors are exploiting customers’ overly permissive guest user settings to potentially access more data than targeted businesses intended.
“Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites,” the statement read.
Although the original Aura Inspector is limited to pinpointing vulnerable objects by probing API endpoints that these sites expose, the attacker has developed a custom version of the tool that can go beyond identification to exfiltrate data.
All Eyes on ShinyHunters
In screenshots from its leak site published on X, the notorious extortion gang ShinyHunters says it breached “several hundreds” of businesses. It claims to have compromised approximately 400 websites and 100 “high-profile companies.”
This would point to ShinyHunters being the culprit, using the contact details ...
Copyright of this story solely belongs to informationsecuritybuzz.com.

