ShinyHunters claims ongoing attacks exploiting Salesforce Aura portals to harvest enterprise data from misconfigured Experience Cloud environments.

Continue reading
A cybercriminal collective known as ShinyHunters has claimed responsibility for a new wave of attacks targeting websites built on the Salesforce ecosystem. According to recent security warnings, attackers are attempting to exploit misconfigured Salesforce Experience Cloud deployments to extract sensitive data through a specific backend API used by the platform.
The development suggests that the broader Salesforce-focused cybercrime campaign that emerged in 2025 is continuing to evolve, with attackers refining techniques to harvest data from enterprise cloud environments at scale.
Salesforce has warned customers that attackers are actively probing Experience Cloud websites where guest user permissions may be misconfigured.
Experience Cloud allows organizations to build portals for customers, partners, and communities using Salesforce data. However, if access controls are improperly configured, unauthenticated users may gain access to more information than intended.
Security teams have observed attackers targeting the following API endpoint:
/s/sfsites/auraThis endpoint is part of the Aura framework, a component-based architecture used to render dynamic user interfaces within Salesforce applications.
When misconfigured, it can expose backend data objects accessible through the application.
Threat actors are reportedly leveraging a modified version of AuraInspector, an open-source auditing tool originally developed by Google’s security firm Mandiant to help administrators identify access-control issues within Salesforce environments.
Instead of using the tool defensively, attackers appear to be repurposing it to:
Because the interaction occurs through legitimate API calls, the activity may resemble normal application traffic, making detection more difficult for traditional security monitoring systems.
The latest activity fits into a broader pattern of attacks attributed to ShinyHunters and related threat clusters targeting cloud-based SaaS platforms.
Security researchers previously linked the group to large-scale compromises of Salesforce environments at numerous organizations, including high-profile global companies.
Those attacks often relied on social engineering tactics, such as voice phishing, to trick employees into granting access to malicious applications connected to Salesforce accounts.
Once attackers obtained credentials or OAuth tokens, they were able to access and exfiltrate large datasets stored within corporate CRM systems.
In some cases, threat intelligence teams reported that attackers extracted hundreds of millions or even billions of records from compromised Salesforce environments.
Unlike conventional ransomware groups that encrypt systems, ShinyHunters typically focuses on data exfiltration and extortion.
After stealing corporate data, the group often threatens to publish the information on underground leak sites unless the victim organization pays a ransom.
This model allows attackers to monetize breaches without disrupting operations, while still applying pressure on companies concerned about reputational damage or regulatory consequences.
Enterprise cloud platforms such as Salesforce aggregate massive volumes of business data in centralized repositories.
Within a typical Salesforce deployment, organizations store:
A single compromised Salesforce instance can therefore expose entire corporate datasets, making the platform an attractive target for cybercriminal groups.
Salesforce has urged customers to review their configurations and apply stricter access controls to prevent unauthorized data exposure.
Recommended defensive measures include:
Organizations running publicly accessible portals are particularly encouraged to ensure that anonymous users cannot query backend data objects through the Aura framework.
The emergence of these attacks reflects a broader shift in cybercrime strategy toward cloud-centric data theft operations.
Rather than breaching internal networks, attackers increasingly focus on exploiting misconfigurations and identity-based weaknesses in widely used SaaS platforms.
As enterprise data continues migrating to cloud services, security experts warn that misconfigured permissions and exposed APIs may become one of the most exploited attack surfaces in modern cybercrime.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation