Threat actors don't always need a sophisticated zero-day to cause massive damage; sometimes, a simple misconfiguration is all it takes.
The notorious cybercrime collective known as ShinyHunters is currently executing a widespread data theft and extortion campaign targeting Salesforce customers. However, Salesforce has confirmed that the root cause is not a vulnerability in its platform. Instead, the attackers are ruthlessly exploiting overly permissive guest account configurations within public-facing portals.
The group claims to have already compromised between 300 and 400 organizations, including several cybersecurity firms. Here is a breakdown of how the attack works, the tools being used, and what your security team needs to do immediately.
The Attack Vector: Weaponizing "Aura Inspector"
The campaign—dubbed the "Salesforce Aura Campaign" by the threat actors—targets Salesforce Experience Cloud (formerly Community Cloud). This platform uses a rapid development framework called Salesforce Aura to connect CRM data with online portals, customer forums, and websites.
To execute the mass data theft, ShinyHunters hasn't reinvented the wheel. They have taken an open-source auditing tool and turned it into an offensive weapon.
In January 2026, Google Cloud’s Mandiant released a command-line tool called Aura Inspector, designed to help blue teams audit their Experience Cloud environments for exposed objects and fields. According to Salesforce, ShinyHunters modified this tool:
"While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints... the actor has developed a custom version of the tool capable of going beyond identification to actually extract data."
By mass-scanning for the /s/sfsites/aura API endpoint, the attackers can identify sites with overly permissive guest user settings and siphon out sensitive customer data. Mandiant CTO Charles Carmakal has confirmed that the firm is aware of the malicious use of their tool and is actively working with Salesforce to deploy telemetry and detection rules.
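One way a defender can turn the scanning behaviour described above into a detection: count requests to the /s/sfsites/aura path that arrive without a session, per source address, inside a sliding time window. This is an added example, not Mandiant's, Salesforce's or ShinyHunters' code; the log format is constructed for illustration and does not match any real Salesforce or web-server log schema.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not real Salesforce telemetry). Fields: source IP,
# timestamp, method, path, HTTP status, and whether a session cookie was presented.
SAMPLE_LOG = """\
203.0.113.7 [2026-02-10T09:00:01Z] POST /s/sfsites/aura 200 nosession
203.0.113.7 [2026-02-10T09:00:02Z] POST /s/sfsites/aura 200 nosession
203.0.113.7 [2026-02-10T09:00:03Z] POST /s/sfsites/aura 200 nosession
203.0.113.7 [2026-02-10T09:00:04Z] POST /s/sfsites/aura 200 nosession
203.0.113.7 [2026-02-10T09:00:05Z] POST /s/sfsites/aura 200 nosession
198.51.100.2 [2026-02-10T09:00:07Z] POST /s/sfsites/aura 200 session
198.51.100.2 [2026-02-10T09:01:07Z] GET /s/contact 200 session
192.0.2.9 [2026-02-10T09:00:08Z] POST /s/sfsites/aura 200 nosession
"""

LINE_RE = re.compile(r"^(\S+) \[(\S+)\] (\S+) (\S+) (\d{3}) (session|nosession)$")
AURA_PATH = "/s/sfsites/aura"  # the endpoint the campaign mass-scans for

def parse_line(line):
    """Parse one constructed log line; returns None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status, sess = m.groups()
    return {"ip": ip, "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "method": method, "path": path, "status": int(status),
            "guest": sess == "nosession"}

def find_guest_aura_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_guest_aura_hits} for sources that hit the Aura endpoint
    without a session at least `threshold` times within any `window`-long interval."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["path"] == AURA_PATH and rec["guest"]:
            hits[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in hits.items():
        times.sort()
        start = 0  # left edge of the sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

Tune `threshold` and `window` to the portal's normal guest traffic; a legitimate anonymous visitor loads Aura components too, so the signal is volume from one source without a session, not a single request.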
The Threat Actor Profile: ShinyHunters and "The Com"
This isn't the first time ShinyHunters has fixated on Salesforce-adjacent data. The group previously targeted third-party integrations, famously claiming to have stolen 1.5 billion records from organizations using the Salesloft Drift platform last year.
What Defenders Need to Know About This Group:
A New Iteration: Experts note that this current group operating under the "ShinyHunters" banner (since 2025) has no connection to the older, legacy data extortion group of the same name.
Part of "The Com": They are heavily intertwined with the aggressive, Western adolescent cybercrime ecosystem known as "The Com," operating under aliases like "Scattered Lapsus Hunters."
Ruthless Tactics: According to threat intelligence firm Unit 221B, the group relies heavily on social engineering (like live-calling IT help desks) and specializes in harassment. This includes generating negative PR and even issuing death threats to senior executives of victim organizations.
Immediate Mitigation Steps for Salesforce Admins
If your organization utilizes Salesforce Experience Cloud, immediate action is required to ensure your guest accounts are properly locked down. Salesforce recommends the following urgent remediations:
Disable Unauthenticated Public APIs (Highest Impact): Shut down all public API use for the environment so guest accounts cannot make unauthenticated calls. This directly closes the Aura endpoint vector used by the modified Aura Inspector tool.
Enforce Least Privilege: Audit all guest account permissions immediately. Change default permissions to "private" so that any access granted to guest accounts must be explicitly manually enabled.
Deactivate Portal Visibility: Block attacker-controlled guest accounts from enumerating other users by deactivating site visibility for guest accounts.
Disable Self-Registration: If your portal does not strictly require users to self-register, turn this feature off. Attackers can use it to escalate a guest-tier exposure into a fully authenticated session.
The Golden Rule of Incident Response: Do Not Pay
ShinyHunters is currently listing non-paying victims on their dark web leak site, issuing "final warnings" to apply maximum psychological pressure.
Cybersecurity experts and incident responders are unanimous in their advice: Do not engage, and do not pay. Opening communications with any entity tied to "The Com" signals that you value the stolen data, which often invites secondary extortion attempts. Furthermore, there is zero evidence that any ransomware or extortion group has ever actually deleted stolen data after receiving a payout.
The good news? Data from ransomware incident responders shows that organizations are increasingly rebuffing these mass data-theft campaigns, leading to fewer successful payouts for the attackers.