Full Report
Salesforce is warning customers that hackers are targeting websites with misconfigured Experience Cloud platforms that give guest users access to more data than intended. However, the ShinyHunters extortion gang claims to be actively exploiting a new bug to steal data from instances. [...]
Analysis Summary
# Incident Report: ShinyHunters Salesforce Aura Data Theft Campaign
## Executive Summary
The ShinyHunters extortion group has targeted 300–400 organizations by exploiting misconfigured Salesforce Experience Cloud (formerly Community Cloud) platforms. The attacks leverage excessive "Guest User" permissions to query sensitive CRM objects via the `/s/sfsites/aura` API endpoint. While Salesforce maintains the platform is secure, the threat actor claims to have found methods to bypass query limits and potentially access even "properly configured" instances.
## Incident Details
- **Discovery Date:** January 2026 (following the release of Mandiant's AuraInspector)
- **Incident Date:** Ongoing since September 2025
- **Affected Organization:** 300 to 400 organizations (unnamed), including high-profile cybersecurity firms.
- **Sector:** Cross-sector, notably Cybersecurity
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** September 2025
- **Vector:** Exploitation of misconfigured guest user profiles and excessive API permissions.
- **Details:** Attackers scanned the internet for the `/s/sfsites/` endpoint to identify Salesforce Experience sites allowing unauthenticated guest access to CRM objects.
### Lateral Movement
- **Details:** Not applicable in the traditional network sense; the attackers moved "horizontally" across different CRM objects and data tables accessible via the exposed Aura/GraphQL APIs.
### Data Exfiltration/Impact
- **Details:** Mass extraction of CRM data. Attackers initially used the `sortBy` parameter to bypass a 2,000-record query limit. After Salesforce patched that specific trick, the attackers claimed to have discovered a new bypass to continue high-volume exfiltration.
### Detection & Response
- **Discovery:** Increased activity was noted following the release of an auditing tool in January 2026. Salesforce observed mass scanning using a modified version of Mandiant’s AuraInspector.
- **Response Actions:** Salesforce issued a security advisory on March 9, 2026, and patched known query limit bypasses.
## Attack Methodology
- **Initial Access:** Misconfigured Guest User permissions on Experience Cloud sites.
- **Persistence:** Not required; the attack focuses on direct API exploitation of public-facing endpoints.
- **Privilege Escalation:** Leveraging "API Enabled" settings on guest profiles to query objects intended for internal users.
- **Defense Evasion:** Rotated User-Agent strings; one tool used a legitimate-looking Chrome User-Agent string.
- **Credential Access:** N/A (unauthenticated access).
- **Discovery:** Mass scanning for `/s/sfsites/` and `/s/sfsites/aura` endpoints; use of modified AuraInspector tool.
- **Lateral Movement:** N/A.
- **Collection:** Automated queries against Salesforce CRM objects via GraphQL API.
- **Exfiltration:** High-volume data theft using custom tools ("RapeForceV2.01.39").
- **Impact:** Massive data breach and potential extortion of 300+ companies.
## Impact Assessment
- **Financial:** Potential for significant extortion demands and regulatory fines (GDPR/CCPA).
- **Data Breach:** High-volume theft of CRM data, potentially including PII, customer lists, and internal records.
- **Operational:** Low direct disruption; primarily a data confidentiality incident.
- **Reputational:** High for affected cybersecurity firms exposed by a known extortion group.
## Indicators of Compromise
- **Network indicators:**
  - Traffic to hxxps[:]//[subdomain].force.com/s/sfsites/aura
- **File indicators:** Modified versions of Mandiant's "AuraInspector" tool.
- **Behavioral indicators:**
  - Unusual User-Agent string: `Anthropic/RapeForceV2.01.39 (AGENTIC)`
  - High-frequency GraphQL queries from unfamiliar IP addresses.
  - Large-scale use of the `sortBy` parameter in API calls.
## Response Actions
- **Containment:** Salesforce disabled the known `sortBy` query limit bypass.
- **Eradication:** Advising customers to audit and restrict Guest User permissions.
- **Recovery:** Organizations are instructed to review Aura Event Monitoring logs for evidence of unauthorized data access.
## Lessons Learned
- **Configuration as a Vulnerability:** Platform security (Salesforce) does not guarantee data security if customer-facing configurations are overly permissive.
- **Tool Dual-Use:** Defensive auditing tools (like AuraInspector) can be quickly weaponized by threat actors for reconnaissance.
- **Limit Bypasses:** Default API limits should be enforced server-side without reliance on client-side parameters that can be manipulated (e.g., `sortBy`).
## Recommendations
- **Disable Guest API Access:** Remove "API Enabled" permissions from all Guest User profiles unless strictly necessary.
- **Enforce Least Privilege:** Set organization-wide defaults to "Private" for external access.
- **Visibility Restrictions:** Turn off "Portal User Visibility" and "Site User Visibility" to prevent enumeration.
- **Monitoring:** Implement alerting for high-volume queries against the Aura/GraphQL endpoints, specifically looking for unauthenticated (guest) sessions.
- **Disable Public Access:** If a public-facing site is not required, disable "Public Access" to convert the instance into a private portal.
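As an added example (not code from this report, Salesforce or Mandiant), the following Python script turns the Indicators of Compromise above and the Monitoring recommendation into a check over an exported request log: it flags the reported User-Agent, guest requests carrying `sortBy` to the Aura endpoint, and any address making high-volume guest requests within a sliding window. The CSV column layout, the `rate_threshold` value and the sample rows are assumptions constructed for the demonstration, not a real Salesforce Event Monitoring schema.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import parse_qs

AURA_PATH = "/s/sfsites/aura"
IOC_USER_AGENT = "Anthropic/RapeForceV2.01.39 (AGENTIC)"  # User-Agent from the report's IoCs

def parse_export(text):
    """Parse a CSV export into row dicts; the column names are a constructed schema."""
    return list(csv.DictReader(io.StringIO(text)))

def analyze(rows, rate_threshold=50, window=timedelta(seconds=60)):
    """Return sorted (client_ip, reason) pairs for Aura traffic matching the report's indicators."""
    findings = set()
    guest_hits = defaultdict(list)  # client_ip -> timestamps of guest requests to the Aura endpoint
    for r in rows:
        if r["URI"] != AURA_PATH:
            continue
        ip = r["CLIENT_IP"]
        if r["USER_AGENT"] == IOC_USER_AGENT:
            findings.add((ip, "ioc_user_agent"))
        if r["USER_TYPE"] == "Guest":
            if "sortBy" in parse_qs(r["QUERY"]):  # the query-limit bypass parameter named in the report
                findings.add((ip, "sortby_on_aura"))
            guest_hits[ip].append(datetime.fromisoformat(r["TIMESTAMP"].replace("Z", "+00:00")))
    for ip, times in guest_hits.items():  # sliding-window rate check on unauthenticated (guest) traffic
        times.sort()
        start = 0
        for i, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if i - start + 1 >= rate_threshold:
                findings.add((ip, "guest_high_rate"))
                break
    return sorted(findings)

def build_sample():
    """Constructed sample export: one address hammering the Aura endpoint plus benign traffic."""
    base = datetime(2026, 1, 12, 10, 0, 0)
    lines = ["TIMESTAMP,CLIENT_IP,USER_TYPE,URI,QUERY,USER_AGENT"]
    for i in range(60):  # 60 guest requests in 30 seconds from a single (documentation-range) address
        ts = (base + timedelta(milliseconds=500 * i)).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
        lines.append(f"{ts},203.0.113.5,Guest,{AURA_PATH},sortBy=Id&pageSize=2000,{IOC_USER_AGENT}")
    lines.append(f"2026-01-12T10:05:00Z,198.51.100.7,Standard,{AURA_PATH},pageSize=25,Mozilla/5.0")
    lines.append("2026-01-12T10:06:00Z,192.0.2.9,Guest,/s/,,Mozilla/5.0")
    return "\n".join(lines)

if __name__ == "__main__":
    for ip, reason in analyze(parse_export(build_sample())):
        print(f"{ip}\t{reason}")
```

The threshold is deliberately a parameter: tune it against a baseline of the site's legitimate guest traffic before alerting on it.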