CYBERNEWSMEDIA Network:||
CYBERNEWSMEDIA
CYBERNEWSMEDIA

Cybersecurity News, Insights & Analysis

Latest
TrueConf Zero-Day Exploited in Asian Government Attacks
In Other News: ChatGPT Data Leak, Android Rootkit, Water Facility Hit by Ransomware
Critical ShareFile Flaws Lead to Unauthenticated RCE
Mobile Attack Surface Expands as Enterprises Lose Control
React2Shell Exploited in Large-Scale Credential Harvesting Campaign
AD · 970×250

Data Breaches·Cybercrime

Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign

Salesforce has confirmed that customers are being targeted via poorly secured instances. The post Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign appeared first on SecurityWeek.

Salesforce data theft extortion

Salesforce has issued another warning to customers as the notorious ShinyHunters cybercrime group has announced a new campaign involving data theft and extortion.

Since mid-2025, ShinyHunters has been targeting the Salesforce instances of many organizations using social engineering and other tactics. 

The incidents disclosed last year resulted in millions of data records being compromised and leaked by ShinyHunters. 

According to Salesforce, all the data breaches were the result of phishing, abuse of third-party integrations, or misconfigurations rather than vulnerabilities in its products or systems.

In a blog post published on March 7, Salesforce warned customers about ongoing attacks leveraging misconfigurations or publicly accessible sites.

“We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,” Salesforce said.

“It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” it added.

The company noted that the threat actor has abused a modified version of an open source tool called Aura Inspector, which Mandiant developed for auditing Salesforce Aura instances and identifying data exposures. 

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” Salesforce explained.

While the CRM vendor has not named the threat actor, the ShinyHunters group took credit for the attack, claiming to have targeted “several hundreds of companies” as part of what it calls the ‘Salesforce Aura Campaign’.

The cybercrime gang has threatened to release information stolen from companies’ Salesforce instances if they refuse to comply with their extortion demands.

Related: Wynn Resorts Confirms Data Breach After Hackers Remove It From Leak Site

Related: ShinyHunters-Branded Extortion Activity Expands, Escalates

Related: Hackers Extorting Salesforce After Stealing Data From Dozens of Customers

Latest News

CYBERNEWSMEDIAPublisher