ShinyHunters Breaches 400 Salesforce Sites via Aura Misconfigs

The cybercrime group ShinyHunters claims responsibility for an ongoing data theft campaign targeting Salesforce Experience Cloud sites, compromising 300-400 organisations—including 100 high-profile cybersecurity firms—through misconfigured guest user profiles that expose CRM data via the /s/sfsites/aura endpoint. Salesforce issued urgent advisories confirming that attackers are deploying a modified version of Mandiant’s open-source AuraInspector tool—originally released in January 2026 to audit access control gaps—for automated mass scanning of public-facing sites.

Charles Carmakal, Mandiant CTO, confirmed: “We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments. Detecting scanning activity does not indicate compromise.”

GraphQL bypass and RapeForce extractor accelerate exfiltration

ShinyHunters bypassed the Salesforce GraphQL API’s 2,000-record query limit via the sortBy parameter to bulk-extract PII, financial records and internal objects, deploying a custom RapeForceV2.01.39 (AGENTIC) extractor that uses Snowflake-mimicking user agents. Salesforce patched the sortBy bypass over the weekend, but the group claims to have discovered new methods that affect even “properly configured” instances while using standard browser agents such as Mozilla/5.0.

The campaign began in September 2025, evolving AuraInspector for reconnaissance before full exfiltration.

Salesforce attributes breaches to customer configurations

Salesforce maintains: “Salesforce remains secure; this activity relates to customer-configured guest user settings, not a platform vulnerability.” Its recommendations follow the principle of least privilege: audit and restrict guest permissions, disable API access on guest profiles, set organisation-wide defaults to Private, disable Portal/Site User Visibility and self-registration, and monitor Aura Event Monitoring logs for suspicious IPs and queries.

Disabling public access prevents attacks but converts portals to private sites.

Enterprise implications and detection strategies

The incidents underscore configuration-drift risk in SaaS, where guest access for portals creates a persistent exposure vector that enables vishing via enumerated internal users or mass PII harvesting. CISOs must implement automated configuration auditing, behavioural baselines and SIEM integration for GraphQL anomalies, treating CRM portals as high-value attack surfaces.
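As an added illustration of the log monitoring Salesforce recommends and the SIEM anomaly detection described above (example code written for this article, not a Salesforce or Mandiant tool), the script below runs three defender-side rules over constructed Aura access events: a guest profile pulling an abnormally large record set, a user agent matching the campaign’s Snowflake or AuraInspector hints, and repeated guest Aura calls from one IP. The JSON-lines shape, field names, profile names and thresholds are assumptions chosen for the example; real Event Monitoring exports use their own schema and must be mapped first.

```python
import json
from collections import defaultdict

# Constructed sample events in a JSON-lines shape chosen for this example;
# field names are assumptions, not the Salesforce Event Monitoring schema.
SAMPLE_LOG = """\
{"ip":"198.51.100.7","profile":"Guest License User","uri":"/s/sfsites/aura","user_agent":"Snowflake/1.0","records":2000}
{"ip":"198.51.100.7","profile":"Guest License User","uri":"/s/sfsites/aura","user_agent":"Snowflake/1.0","records":2000}
{"ip":"198.51.100.7","profile":"Guest License User","uri":"/s/sfsites/aura","user_agent":"Snowflake/1.0","records":2000}
{"ip":"203.0.113.9","profile":"Guest License User","uri":"/s/sfsites/aura","user_agent":"Mozilla/5.0","records":12}
{"ip":"192.0.2.44","profile":"Customer Community User","uri":"/s/sfsites/aura","user_agent":"Mozilla/5.0","records":40}
"""

AURA_PATH = "/s/sfsites/aura"
GUEST_PROFILES = {"Guest License User"}      # assumed; adjust to the org's guest profile names
UA_HINTS = ("snowflake", "aurainspector")    # agent strings the article ties to the campaign
BULK_RECORDS = 1000                          # one response this large from a guest is abnormal
GUEST_REQUESTS_PER_IP = 3                    # assumed per-window volume threshold for guest calls

def parse_events(log_text):
    """Parse JSON-lines text into event dicts, skipping blank or malformed lines."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events

def analyze(log_text):
    """Return {ip: sorted list of finding names} for every IP that trips a rule."""
    findings = defaultdict(set)
    guest_hits = defaultdict(int)
    for ev in parse_events(log_text):
        if ev.get("uri") != AURA_PATH:
            continue
        ip = ev.get("ip", "unknown")
        if ev.get("profile") in GUEST_PROFILES:
            guest_hits[ip] += 1
            if ev.get("records", 0) >= BULK_RECORDS:
                findings[ip].add("guest_bulk_read")
        if any(h in ev.get("user_agent", "").lower() for h in UA_HINTS):
            findings[ip].add("suspicious_user_agent")
    # A standard browser agent alone proves nothing; repeated guest calls from one IP do.
    for ip, n in guest_hits.items():
        if n >= GUEST_REQUESTS_PER_IP:
            findings[ip].add("guest_aura_volume")
    return {ip: sorted(names) for ip, names in findings.items()}

if __name__ == "__main__":
    for ip, names in analyze(SAMPLE_LOG).items():
        print(ip, ", ".join(names))
```

The single low-volume guest request with a Mozilla/5.0 agent produces no finding, which is the point: once the actor moves to standard browser agents, volume and record counts per guest session are what remain to alert on.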

ShinyHunters’ high-profile cybersecurity targets suggest strategic selection for supply chain compromise or extortion leverage.
