March 13, 2026

PBX Science


ShinyHunters Weaponizes Security Tool to Breach 400 Organizations via Salesforce Misconfiguration

Cybersecurity Incident Report | Data Breach | March 12, 2026 · Updated 08:00 UTC

A defensive audit tool released by Google’s Mandiant in January has been repurposed by the notorious extortion group to mass-scan and extract data from misconfigured Salesforce Experience Cloud portals — with victims including Snowflake, LastPass, Okta, AMD, and Sony.

Active Threat — Immediate Action Required

Salesforce has issued an official advisory urging all Experience Cloud administrators to audit guest user permissions immediately. Scanning activity is ongoing. This is not a Salesforce platform vulnerability — the risk stems entirely from customer misconfiguration.

What began as a security research project to help Salesforce administrators find configuration gaps has become one of the most wide-reaching cloud data theft campaigns of 2026. The hacking group ShinyHunters has claimed responsibility for breaching between 300 and 400 organizations by exploiting misconfigured Salesforce Experience Cloud portals — using a modified version of an open-source auditing tool originally released to protect those same environments.

On March 10, 2026, Salesforce’s Cybersecurity Operations Center (CSOC) confirmed it had detected an active campaign in which a known threat actor group was mass-scanning public-facing Experience Cloud sites. The company confirmed attackers were deploying a weaponized variant of AuraInspector — a command-line interface tool developed by Google’s Mandiant division and released in January 2026 — to identify and exploit overly permissive guest user configurations.

  • 300–400 organizations targeted
  • ~100 high-profile companies claimed breached
  • September 2025: campaign start date

The Root Cause: Misconfiguration, Not a Platform Bug

Salesforce has been unequivocal: the platform itself has not been compromised. “Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform,” the company stated in its advisory. The exposure arises when administrators grant Salesforce’s guest user profile — a built-in account designed for unauthenticated public visitors — excessive permissions over CRM objects such as Accounts, Contacts, and Leads.

Experience Cloud portals serve as public-facing windows into a company’s Salesforce CRM data, enabling customers, partners, and employees to interact with records through a browser. Publicly accessible portals rely on the guest user profile to handle unauthenticated requests. If that profile is misconfigured with overly broad API access or object-level permissions, attackers can query and retrieve internal CRM records without ever logging in.

“If this profile is misconfigured with excessive permissions, data that is not intended to be made public may be accessible, allowing a threat actor to directly query Salesforce CRM objects without logging in.”
— Salesforce CSOC Advisory, March 10, 2026

The Attack Surface: Aura Endpoints and GraphQL

Salesforce’s “Aura” framework underpins the standard Lightning Experience UI. Aura endpoints — most notably the /s/sfsites/aura API path — allow the frontend to retrieve backend data by calling server-side methods. When the guest user profile is misconfigured, these endpoints effectively become unauthenticated data access points.

    # Targeted endpoint in the active campaign
    GET /s/sfsites/aura?…

    # GraphQL controller (undocumented for unauthenticated users)
    POST /aura?r=3&aura.ApexAction.execute=1

Mandiant’s prior research, which informed the development of AuraInspector, identified several specific techniques attackers can use once a misconfigured endpoint is found. The getConfigData method returns a full list of backend database objects. The getItems method retrieves records for accessible objects — normally capped at 2,000 records per query. Attackers found they could bypass this limit by manipulating the sortBy parameter, alternating between ascending and descending sort orders to retrieve additional batches. Salesforce’s GraphQL API offered a further avenue: using cursor-based pagination, all records associated with a given object can be extracted in successive 2,000-record batches.

From Defensive Tool to Offensive Weapon

On January 13, 2026, Mandiant published AuraInspector to help administrators proactively identify their own exposure. The tool automates checks for common misconfigurations in the Aura framework: excessive guest user permissions, improperly enabled self-registration, exposed record lists, and unauthenticated access to management panels surfaced by Marketplace application installations. Critically, the public release did not include any record extraction capability — Mandiant deliberately omitted this to prevent misuse.

ShinyHunters, however, modified the tool’s code after its release. According to statements the group made to BleepingComputer, the hackers had already been targeting misconfigured Experience Cloud portals since September 2025 — scanning for exposed /s/sfsites/ endpoints and quietly exfiltrating data. When AuraInspector was released publicly in January, the group repurposed it to dramatically accelerate and automate their reconnaissance, before using a separate, undisclosed custom tool to extract the actual data.

Mandiant’s CTO Charles Carmakal confirmed the misuse in statements to multiple outlets: “We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments. We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.”

Carmakal added an important caveat: “It is important to note that detecting scanning activity in an organization’s logs does not indicate a compromise.”

Claimed Victims and the Extortion Play

ShinyHunters posted their claim on their data leak site, listing roughly 100 high-profile companies as confirmed victims — many of them in the cybersecurity industry itself. They told BleepingComputer that the total count of affected organizations, including smaller companies, sits somewhere between 300 and 400. The stolen data — primarily names and phone numbers — is being held for ransom, consistent with the group’s established extortion model: pay, or the data gets published.

Named companies cited by the group include:

  • Snowflake
  • LastPass
  • Okta
  • AMD
  • Sony
  • Salesforce

Most named companies have not commented publicly. LastPass confirmed to reporters that it is “actively working with contacts at Salesforce to investigate,” while adding there is “no evidence” linking the Salesforce incident to a separate phishing campaign that occurred the same week. Notably, Google’s own security team — which includes Mandiant — has since revealed it was also affected by ShinyHunters’ broader SSO-focused campaign, though Google has not specifically confirmed Salesforce exposure.

The stolen information is of particular concern because ShinyHunters’ preferred follow-on tactic is voice phishing (vishing) and social engineering. Names and phone numbers extracted from CRM records provide the raw material for convincing impersonation attacks targeted at employees of breached organizations.

How the Attack Unfolded — A Timeline

September 2025

Campaign begins. ShinyHunters starts compromising companies by scanning the internet for exposed /s/sfsites/ endpoints and exploiting misconfigured guest user profiles.

January 13, 2026

AuraInspector released. Google/Mandiant publishes the open-source defensive CLI tool to help Salesforce admins identify Aura misconfigurations. Record extraction is intentionally excluded.

January–February 2026

Tool weaponized. ShinyHunters modifies AuraInspector to enable mass automated scanning of public-facing Experience Cloud sites, dramatically scaling their reconnaissance capability.

March 8–9, 2026

ShinyHunters goes public. The group claims responsibility on their data leak site and speaks to BleepingComputer, claiming 300–400 breached organizations and threatening further attacks.

March 10, 2026

Salesforce issues advisory. The CSOC publishes an official customer alert warning of the active campaign and providing remediation guidance. Mandiant’s CTO confirms the tool misuse publicly.

March 11–12, 2026

Campaign ongoing. Salesforce confirms scanning activity continues. Investigations by affected companies, including LastPass, are underway.

Context: ShinyHunters’ Escalating Cloud Targeting

ShinyHunters is no newcomer. The group first emerged in 2020 and has been linked to dozens of major breaches since. In 2024, they were behind the mass exfiltration of data from Snowflake customer databases — a campaign that compromised hundreds of organizations and led to major downstream breaches. They have also previously targeted Salesforce customers through third-party integrations, including Salesloft/Drift and Gainsight. This latest campaign represents a significant tactical evolution: rather than compromising a single vendor’s credentials, the group is now systematically scanning for misconfigured platform deployments across an entire customer base.

What Salesforce Administrators Must Do Now

Salesforce’s CSOC advisory, corroborated by Mandiant’s earlier research, specifies a series of concrete steps organizations must take to assess and close their exposure.

  • Audit guest user permissions immediately. Review the guest user profile across all Experience Cloud sites. Apply the principle of least privilege — guest users should only have read access to objects and fields explicitly required for public-facing features.
  • Set default external access to “Private”. Change your organization-wide default sharing settings so that CRM objects are not accessible externally unless explicitly shared.
  • Disable guest access to public APIs. Remove the “API Enabled” permission from guest user profiles. Unauthenticated users should not have the ability to make API calls against your Salesforce instance.
  • Fully disable self-registration if not in use. Mandiant has documented cases where administrators removed the self-registration link from the login page but left the backend feature enabled. Verify the feature itself — not just the link — is turned off via LoginFormController settings.
  • Run Salesforce’s Security Health Check. Use the built-in Security Health Check tool within Salesforce to identify deviations from Salesforce’s recommended security baseline.
  • Run AuraInspector (the legitimate version) in your environment. The original Mandiant-published tool is available on GitHub and will help identify misconfigured Aura endpoints. Detecting scanning activity in your logs is not confirmation of a breach — but it is a signal to investigate immediately.
  • Review Marketplace-installed application pages. Some pages are created automatically by AppExchange installations and may never appear in a manually maintained inventory. Audit all publicly accessible pages across your Experience Cloud sites.
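One way to automate the guest-profile audit the checklist above calls for, which is also the check that surfaces the excessive guest permissions behind the Aura endpoint exposure described earlier, as an added example that is not Salesforce's, Mandiant's or AuraInspector's code: it evaluates the records returned by two SOQL queries against the guest user profiles. The query text and field names (PermissionsApiEnabled, the ObjectPermissions flags, Profile.UserType = 'Guest') are assumed from the standard Salesforce objects and should be confirmed against your API version; the sample records are constructed.

```python
"""Offline audit of Salesforce guest user profile permissions (added example, not
Salesforce's, Mandiant's or AuraInspector's code). Run the two SOQL queries below
and pass their 'records' arrays in. Field names are assumed from the standard
PermissionSet / ObjectPermissions objects; confirm them against your API version."""
# Guest profiles and whether the "API Enabled" user permission is on.
GUEST_PROFILE_QUERY = (
    "SELECT Id, Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    "WHERE IsOwnedByProfile = true AND Profile.UserType = 'Guest'"
)
# Object-level CRUD and View All grants held by those guest profiles.
GUEST_OBJECT_PERMS_QUERY = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords "
    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'"
)
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead"}  # CRM objects named in the article
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")

def audit_guest_profiles(profiles, object_perms, allowed_reads=frozenset()):
    """Return (profile name, finding) tuples; allowed_reads lists sensitive
    objects a site legitimately exposes read-only. Empty list = nothing flagged."""
    findings = []
    for p in profiles:
        if p.get("PermissionsApiEnabled"):
            findings.append((p["Profile"]["Name"], "API Enabled is on for a guest profile"))
    for op in object_perms:
        name, obj = op["Parent"]["Profile"]["Name"], op["SobjectType"]
        if any(op.get(f) for f in WRITE_FLAGS):
            findings.append((name, f"guest has create/edit/delete on {obj}"))
        if op.get("PermissionsViewAllRecords"):
            findings.append((name, f"guest has View All Records on {obj}"))
        if op.get("PermissionsRead") and obj in SENSITIVE_OBJECTS and obj not in allowed_reads:
            findings.append((name, f"guest can read {obj} records"))
    return findings

# Constructed sample records, shaped like the REST query response's 'records'.
SAMPLE_PROFILES = [
    {"Profile": {"Name": "Support Site Guest User"}, "PermissionsApiEnabled": True},
    {"Profile": {"Name": "Docs Site Guest User"}, "PermissionsApiEnabled": False},
]
SAMPLE_OBJECT_PERMS = [
    {"Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Docs Site Guest User"}}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]

if __name__ == "__main__":
    for profile, finding in audit_guest_profiles(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMS):
        print(f"[!] {profile}: {finding}")
```

A clean run returns no findings; anything returned maps directly onto the checklist items above (remove API Enabled, drop View All, restrict object reads to what the site actually needs).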

This article reflects information available as of March 12, 2026, and will be updated as new details emerge. Sources include Salesforce’s official CSOC advisory, Mandiant’s published research, and reporting from BleepingComputer, The Register, Help Net Security, and IT Pro.
