The cybercrime group ShinyHunters has reported that it has stolen data from approximately 100 high-profile companies in a recent data breach involving Salesforce customers. The group claims to have compromised data from nearly 400 websites, including notable names such as Snowflake, Okta, LastPass, Sony, and AMD.
Details of the Breach
According to ShinyHunters, the reconnaissance and exploitation phases of this campaign have been ongoing for several months. The breach follows a warning from Salesforce about a “known threat actor group” actively scanning and breaking into public-facing Experience Cloud sites. The attacks used a modified version of an open-source scanning tool developed by Mandiant.
Salesforce’s Response
A Salesforce spokesperson stated that the issue is not due to any inherent vulnerability in the Salesforce platform but rather stems from misconfigured guest user profiles on Experience Cloud sites. These profiles, if set with overly broad permissions, can expose sensitive data. Salesforce has advised its customers to restrict guest user access to safeguard their sites and has provided guidance on how to do so.
Impact on Affected Companies
While Salesforce has not disclosed how many customers are affected, it has acknowledged the ongoing threat. ShinyHunters has a history of targeting Salesforce, having previously stolen data from hundreds of the CRM giant’s customers. A spokesperson from LastPass confirmed awareness of the campaign and indicated that they are collaborating with Salesforce to investigate the matter.
Technical Details of the Exploit
The attackers have been exploiting misconfigured guest user profiles, which allow unauthenticated users to access public pages and submit forms. If these profiles are improperly set, they can grant access to data that should remain private. Mandiant’s CTO noted that the modified tool is being used to automate vulnerability scans across Salesforce environments, although detecting such scanning does not necessarily indicate a compromise.
To mitigate risks, Salesforce recommends that customers audit guest user permissions, enforce a least privilege access model, and adjust settings to ensure that sensitive data remains protected.
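The audit recommended above can be sketched as an allowlist check over the guest profile's object permissions. This is an added example, not code from Salesforce or Mandiant; the rows are shaped like records of Salesforce's ObjectPermissions object, and the sample data, allowlist and severity labels are constructed assumptions.

```python
# Added example: least-privilege audit of a guest user profile.
# Rows mimic ObjectPermissions records exported for the guest profile;
# the sample rows and the allowlist below are constructed for illustration.

PERMISSION_FIELDS = (
    "PermissionsRead", "PermissionsCreate", "PermissionsEdit",
    "PermissionsDelete", "PermissionsViewAllRecords",
    "PermissionsModifyAllRecords",
)
# Permissions that are hardest to justify for unauthenticated visitors
# (assumed severity split for this example).
HIGH_RISK = {"PermissionsEdit", "PermissionsDelete",
             "PermissionsViewAllRecords", "PermissionsModifyAllRecords"}


def audit_guest_permissions(rows, allowlist):
    """Return (severity, object, permission) for each grant not on the allowlist.

    allowlist maps SobjectType -> set of permission fields the public site
    actually needs; an object missing from it is allowed nothing.
    """
    findings = []
    for row in rows:
        obj = row["SobjectType"]
        allowed = allowlist.get(obj, set())
        for field in PERMISSION_FIELDS:
            if row.get(field) and field not in allowed:
                severity = "high" if field in HIGH_RISK else "review"
                findings.append((severity, obj, field))
    # High-severity findings first, then alphabetical for stable output.
    return sorted(findings, key=lambda f: (f[0] != "high", f[1], f[2]))


# Constructed sample: a guest profile that can file cases and read articles,
# but has also been given broad access to Contact records.
SAMPLE_ROWS = [
    {"SobjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True},
    {"SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
]
ALLOWLIST = {"Case": {"PermissionsCreate"}, "Knowledge__kav": {"PermissionsRead"}}

if __name__ == "__main__":
    for severity, obj, field in audit_guest_permissions(SAMPLE_ROWS, ALLOWLIST):
        print(f"[{severity}] guest profile has {field} on {obj}")
```

Object permissions are only one layer; field-level security and sharing settings for the guest user need the same review.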
This article was produced by NeonPulse.today using human and AI-assisted editorial processes, based on publicly available information. Content may be edited for clarity and style.








