ShinyHunters Exploits Salesforce Cloud Flaw, Steals Data from Hundreds of Orgs

ShinyHunters Cybercrime Group Exploits Misconfigured Salesforce Experience Cloud Sites in Mass Data Theft Campaign

HIGH
March 7, 2026
4m read
Data Breach · Cloud Security · Threat Actor

Full Report

Executive Summary

On March 7, 2026, Salesforce issued a critical security advisory about an ongoing data theft campaign targeting its Experience Cloud product. The campaign is run by the cybercrime group ShinyHunters and affects an estimated 300-400 organizations. This is not a vulnerability in the Salesforce platform itself but the exploitation of a common and severe customer-side misconfiguration: overly permissive security settings on the guest user profiles of public-facing Experience Cloud sites. Using those misconfigurations, ShinyHunters can query and exfiltrate sensitive CRM data directly through the sites' public APIs without bypassing authentication or stealing credentials. The incident underlines the importance of proper cloud configuration and of the shared responsibility model for securing SaaS platforms.

Threat Overview

The threat actor, ShinyHunters, is a well-known group famous for large-scale data breaches and selling stolen data on dark web forums. Their current campaign, dubbed the "Salesforce Aura Campaign," systematically targets misconfigured Salesforce Experience Cloud instances. The attack does not require sophisticated exploits; instead, it relies on a fundamental failure in access control configuration by Salesforce customers.

Guest user accounts in Experience Cloud are intended to provide unauthenticated access to public content. However, if administrators grant these guest profiles excessive permissions—such as read access to sensitive objects and fields—that data becomes publicly accessible to anyone who knows how to query the API. ShinyHunters automated this process to harvest data at scale.

Technical Analysis

The attack methodology is straightforward and effective:

  1. Reconnaissance (T1595.002 - Vulnerability Scanning): The attackers mass-scan the internet for public Salesforce Experience Cloud sites. They identify these sites by probing for the presence of the /s/sfsites/aura API endpoint, a key component of the Lightning Aura framework.
  2. Discovery (T1082 - System Information Discovery): Once a site is identified, ShinyHunters uses a modified version of AuraInspector, an open-source developer tool. The original tool was created to help admins find misconfigurations, but the attackers have weaponized it to automatically discover which data objects and fields are accessible to the public guest user.
  3. Collection (T1530 - Data from Cloud Storage Object): With knowledge of the exposed data structure, the attackers make queries against the public Aura and GraphQL API endpoints. Because the guest user profile has been misconfigured with read permissions, the Salesforce platform dutifully returns the requested data, leading to mass exfiltration.

This entire process is unauthenticated. The attackers are simply interacting with the platform as any anonymous public user would, but they are programmatically accessing data that was never intended to be public.

Impact Assessment

The impact is severe and widespread. ShinyHunters claims to have compromised data from 300-400 organizations. The exfiltrated data includes sensitive CRM information, which can encompass customer PII, sales pipelines, internal communications, and other business-critical data. The Financial Industry Regulatory Authority (FINRA) has issued a specific alert, indicating that firms in the financial sector are among the victims. The stolen data is being actively used for secondary attacks, including:

  • Targeted Phishing and Vishing: Attackers use the stolen data to craft highly convincing spear-phishing emails and phone calls targeting company employees and their clients.
  • Extortion: ShinyHunters and other criminals can use the threat of leaking the stolen data to extort money from the affected organizations.
  • Competitive Disadvantage: The loss of sensitive sales and customer data can be exploited by competitors.

Cyber Observables for Detection

Detecting this activity requires monitoring API traffic and logs for anomalous guest user behavior.

URL Pattern
  Value: */s/sfsites/aura*
  Traffic to this endpoint from a single source IP making numerous, rapid queries can indicate scanning or exfiltration. Legitimate site visitors also hit this endpoint, so volume and rate matter more than the path alone.

User Agent
  Value: *AuraInspector*
  The user-agent string may contain 'AuraInspector', indicating use of the scanning tool. Treat this as a low-fidelity indicator: the header is trivially changed and its absence proves nothing.

API Endpoint
  Value: */graphql/v1
  High-volume queries to the GraphQL endpoint from unauthenticated guest users are highly suspicious.

Log Source
  Value: Salesforce Event Monitoring
  Analyze 'API Event' and 'URI Event' logs for guest user sessions accessing an unusually high number of records or object types.

Network Traffic Pattern
  Value: High volume of data returned to a single IP from a guest user session
  A guest user session that results in megabytes or gigabytes of data transfer is a major red flag for exfiltration.

Detection & Response

  • Salesforce Event Monitoring: Organizations with Salesforce Shield or Event Monitoring add-ons should immediately analyze logs. Create alerts for guest user sessions (UserType = Guest) that perform an unusually high number of API calls or access a wide variety of objects. This is a key application of D3FEND's Resource Access Pattern Analysis.
  • Web Application Firewall (WAF): Configure WAF rules to rate-limit or block IPs that make an excessive number of requests to the /s/sfsites/aura or /graphql/v1 endpoints in a short period. Rate limiting only slows an attacker who can rotate source IPs; it does not remove the exposure, which is the guest profile's permissions.
  • Review Guest User Permissions: This is both a detection and mitigation step. Immediately audit the permissions of all guest user profiles in all Experience Cloud sites. Any access to objects beyond what is strictly necessary for public viewing should be considered an indicator of compromise.
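The following is an added example, not code from the advisory or from Salesforce, showing the guest-session analysis described above run over Event Monitoring rows. It assumes a simplified subset of the EventLogFile CSV columns (EVENT_TYPE, TIMESTAMP_DERIVED, USER_TYPE, CLIENT_IP, SESSION_KEY, URI, RESPONSE_SIZE), that USER_TYPE 'G' marks a guest user, and the request and byte thresholds are assumed values to be tuned per org. The log rows are constructed for the demo.

```python
"""Flag guest-user sessions that hammer the Aura/GraphQL endpoints or pull
large volumes of data. Added example; assumptions are marked in comments."""
import csv
import io
from collections import defaultdict

# Endpoints named in the advisory. Matched as substrings so both the
# "/graphql/v1" pattern and the REST-style ".../vNN.N/graphql" path are caught.
SUSPECT_PATHS = ("/s/sfsites/aura", "/graphql")
REQUEST_THRESHOLD = 50        # assumed: guest calls to suspect paths per session
BYTES_THRESHOLD = 1_000_000   # assumed: ~1 MB returned to one guest session


def build_sample_log() -> str:
    """Constructed sample log (not real telemetry): one guest session (sessA from
    203.0.113.10) makes 60 rapid Aura/GraphQL calls pulling ~3 MB; a second guest
    session (sessB) and a standard user (USER_TYPE 'S') behave normally."""
    header = "EVENT_TYPE,TIMESTAMP_DERIVED,USER_TYPE,CLIENT_IP,SESSION_KEY,URI,RESPONSE_SIZE"
    rows = [header]
    for i in range(60):
        uri = "/s/sfsites/aura" if i % 2 == 0 else "/services/data/v60.0/graphql"
        rows.append(f"URI,2026-03-06T10:00:{i:02d}.000Z,G,203.0.113.10,sessA,{uri},50000")
    rows.append("URI,2026-03-06T10:05:00.000Z,G,198.51.100.7,sessB,/s/sfsites/aura,4200")
    rows.append("URI,2026-03-06T10:05:03.000Z,G,198.51.100.7,sessB,/s/,15000")
    rows.append("URI,2026-03-06T10:06:00.000Z,S,192.0.2.5,sessC,/s/sfsites/aura,70000")
    return "\n".join(rows) + "\n"


def score_guest_sessions(log_text: str):
    """Aggregate guest rows per (CLIENT_IP, SESSION_KEY) and return the sessions
    that exceed the request-count or response-byte threshold on suspect paths."""
    stats = defaultdict(lambda: {"requests": 0, "bytes": 0, "uris": set()})
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["USER_TYPE"] != "G":           # only unauthenticated guest traffic
            continue
        if not any(p in row["URI"] for p in SUSPECT_PATHS):
            continue
        key = (row["CLIENT_IP"], row["SESSION_KEY"])
        s = stats[key]
        s["requests"] += 1
        s["bytes"] += int(row["RESPONSE_SIZE"] or 0)
        s["uris"].add(row["URI"])

    findings = []
    for (ip, session), s in stats.items():
        reasons = []
        if s["requests"] >= REQUEST_THRESHOLD:
            reasons.append(f"{s['requests']} guest API calls")
        if s["bytes"] >= BYTES_THRESHOLD:
            reasons.append(f"{s['bytes']} bytes returned")
        if reasons:
            findings.append({
                "client_ip": ip, "session": session,
                "requests": s["requests"], "bytes": s["bytes"],
                "distinct_uris": len(s["uris"]), "reason": "; ".join(reasons),
            })
    return findings


if __name__ == "__main__":
    for f in score_guest_sessions(build_sample_log()):
        print(f"ALERT guest session {f['session']} from {f['client_ip']}: {f['reason']}")
```

In production the rows come from the EventLogFile API rather than an inline string; the aggregation and thresholds are the part that carries over. Keying on CLIENT_IP alone misses an attacker spreading requests across addresses, so keep the per-session view alongside any per-IP WAF rule.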

Mitigation

This incident is entirely preventable with proper configuration. Follow Salesforce's published best practices immediately:

  1. Enforce Least Privilege: Review every guest user profile and remove all View All, Modify All, Create, Edit, and Delete permissions on all objects. Grant Read access only to the specific objects and fields that are intended to be public. This aligns with D3FEND's User Account Permissions hardening.
  2. Secure Guest User Record Access: Enable the "Secure guest user record access" setting in Sharing Settings. This is a critical control that sets the default organization-wide sharing for guest users to Private.
  3. Disable 'View All Users': Ensure the 'View All Users' permission is disabled for guest users to prevent them from enumerating employee lists.
  4. Regular Audits: Implement a recurring process to audit guest user permissions, especially after any new site is created or major configuration change is made. Use tools like the Salesforce Optimizer to identify security risks.
  5. Use Salesforce Shield: For organizations with highly sensitive data, consider implementing Salesforce Shield for real-time event monitoring, which can provide the necessary telemetry to detect anomalous guest user activity.
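The audit in steps 1 and 3 can be scripted against an export of guest-profile permissions. The block below is an added example, not code from the advisory or from Salesforce: it takes rows shaped like ObjectPermissions and PermissionSet records (the SOQL in the comment is illustrative and should be adapted to the org), flags any create/edit/delete/View All/Modify All grant as HIGH, flags Read on any object outside an assumed public allow-list as MEDIUM, and flags 'View All Users'. The allow-list, profile names and rows are constructed for the demo.

```python
"""Offline audit of Experience Cloud guest-profile permissions.
Added example; the sample data and allow-list are constructed."""

# Objects the site intentionally exposes to anonymous visitors. Assumed for the
# demo; every org maintains its own list.
ALLOWED_PUBLIC_READ = {"Knowledge__kav", "Public_FAQ__c"}

# Grants a guest profile must never carry (ObjectPermissions column names).
FORBIDDEN_FLAGS = (
    "PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
    "PermissionsViewAllRecords", "PermissionsModifyAllRecords",
)

# Constructed rows, shaped like the result of an illustrative query such as:
#   SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate,
#          PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
#          PermissionsModifyAllRecords
#   FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
SAMPLE_OBJECT_PERMS = [
    {"Profile": "Support Site Guest User", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True},
    {"Profile": "Support Site Guest User", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"Profile": "Support Site Guest User", "SobjectType": "Opportunity",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Profile": "Support Site Guest User", "SobjectType": "Case",
     "PermissionsRead": True},
    {"Profile": "Partner Site Guest User", "SobjectType": "Public_FAQ__c",
     "PermissionsRead": True},
]

# Constructed user-permission rows (PermissionSet-level flags per guest profile).
SAMPLE_USER_PERMS = [
    {"Profile": "Support Site Guest User", "PermissionsViewAllUsers": True},
    {"Profile": "Partner Site Guest User", "PermissionsViewAllUsers": False},
]


def audit_guest_permissions(object_perms, user_perms):
    """Return findings as (severity, profile, subject, detail) tuples.
    Missing boolean columns are treated as False."""
    findings = []
    for row in object_perms:
        profile, obj = row["Profile"], row["SobjectType"]
        granted = [f for f in FORBIDDEN_FLAGS if row.get(f, False)]
        if granted:
            names = ", ".join(f[len("Permissions"):] for f in granted)
            findings.append(("HIGH", profile, obj,
                             f"guest profile grants {names}"))
        elif row.get("PermissionsRead", False) and obj not in ALLOWED_PUBLIC_READ:
            findings.append(("MEDIUM", profile, obj,
                             "guest Read access on an object not on the public allow-list"))
    for row in user_perms:
        if row.get("PermissionsViewAllUsers", False):
            findings.append(("HIGH", row["Profile"], "User",
                             "'View All Users' lets guests enumerate employees"))
    return findings


if __name__ == "__main__":
    for sev, profile, subject, detail in audit_guest_permissions(
            SAMPLE_OBJECT_PERMS, SAMPLE_USER_PERMS):
        print(f"[{sev}] {profile} / {subject}: {detail}")
```

Run it after every new site is created or a profile is cloned; a MEDIUM finding is a question for the site owner, a HIGH finding is a change to make before the site goes live. Field-level security on the allowed objects still needs a separate review, since object-level Read does not say which fields are exposed.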

Timeline of Events

  1. September 1, 2025: The 'Salesforce Aura Campaign' by ShinyHunters reportedly begins.
  2. March 7, 2026: Salesforce issues a security advisory about the campaign targeting misconfigured Experience Cloud sites.
  3. March 7, 2026: FINRA issues an alert to its members regarding the security incident.
  4. March 7, 2026: This article is published.

MITRE ATT&CK Mitigations

  • M1047 - Audit (Enterprise): Regularly audit cloud configurations and user permissions to identify and remediate overly permissive settings.
  • Properly configure guest user permissions in Salesforce Experience Cloud to enforce the principle of least privilege.
  • Restrict public access to sensitive data objects and APIs by correctly configuring sharing rules and profiles.

Article Author

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis · Security Orchestration (SOAR/XSOAR) · Incident Response & Digital Forensics · Security Operations Center (SOC) · SIEM & Security Analytics · Cyber Fusion & Threat Sharing · Security Automation & Integration · Managed Detection & Response (MDR)

Tags

ShinyHunters · Salesforce · Experience Cloud · Data Breach · Misconfiguration · Cloud Security · Aura · GraphQL · FINRA
