ShinyHunters is running an active, large-scale extortion campaign against hundreds of organizations whose Salesforce Experience Cloud instances were misconfigured to allow unauthenticated data access. As of March 9, 2026, the group issued "final warnings" to victims: pay or be publicly named. Salesforce has confirmed the activity is real, affecting an estimated 400+ companies, while maintaining its platform code is not at fault. The misconfiguration is on the customer side. That distinction matters less than the blast radius.

What Happened

ShinyHunters began systematically scanning public-facing Salesforce Experience Cloud sites in 2025, escalating to open extortion in early 2026. In a March 9 update, the group told victims: "Reply, engage, pay a small price, and prevent a publication. Make the right decision, don't be the next headline."

The campaign targets a specific architectural weakness: every unauthenticated visitor to a Salesforce Experience Cloud site operates under the same shared "guest user profile." When that profile is misconfigured with excessive permissions, anyone, including ShinyHunters' automated scanners, can query Salesforce CRM objects directly without logging in. No credentials needed. No exploited CVE. Just a misconfigured permission set.

Salesforce has confirmed the campaign in a public security advisory, validated the attack vector, and published remediation guidance. The company is clear: the platform itself is not compromised. But hundreds of customer orgs effectively left their CRM data facing the open internet.

What Was Taken

The full scope varies by victim, but Salesforce CRM objects typically contain:

The group is using harvested data not just for extortion but for downstream social engineering and vishing (voice phishing) campaigns, per Salesforce's own warning. This means even victims who pay aren't necessarily safe; the data is already operational.

Why It Matters

This is not a nation-state attack. It's not a zero-day. It's a financially motivated criminal group running a high-efficiency, low-friction extortion factory against enterprise Salesforce customers, and it's working.

The scale (400+ confirmed targets) and the mechanics (automated scanning with a modified Aura Inspector tool) mean this campaign will continue until the misconfiguration surface is closed. ShinyHunters has demonstrated sustained operational tempo here: they built the tooling, mapped the exposure, and now they're collecting.

For defenders, the strategic concern is this: Salesforce is the CRM backbone for most of the Fortune 500. An attacker who can enumerate guest-accessible CRM objects at scale has a pipeline into customer data, partner data, and internal business intelligence across thousands of organizations simultaneously. The extortion is the business model. The data is the inventory.

The Attack Technique

ShinyHunters modified Aura Inspector, a legitimate browser-based Salesforce debugging tool, to automate reconnaissance at scale. The workflow:

  1. Discovery: Scan for public-facing Salesforce Experience Cloud sites
  2. Enumeration: Use Aura Inspector to identify exposed API endpoints accessible to the guest user profile
  3. Extraction: Query Salesforce CRM objects directly via the API when guest user permissions are overly permissive; no authentication required
  4. Extortion: Contact affected organizations with proof of access and a payment demand

The attack requires no vulnerability in Salesforce's code. It's pure misconfiguration exploitation, automated at scale. The tooling is purpose-built for this campaign and has been operational since at least 2025.

What Organizations Should Do

Salesforce has published a detailed security advisory. These are the highest-priority actions, in order:

  1. Audit Guest User Profile permissions immediately. Restrict the guest user profile to the absolute minimum objects and fields required for your site to function. This is the core fix.

  2. Set Org-Wide Defaults (OWD) to Private for external access. In Sharing Settings, set Default External Access to Private for all objects. This is your blast-radius limiter.

  3. Disable public API access. Uncheck "Allow guest users to access public APIs" in site settings and remove "API Enabled" from guest user System Permissions. This closes the primary exfiltration path.

  4. Restrict user visibility. Uncheck "Portal User Visibility" and "Site User Visibility" in Sharing Settings to prevent guest users from enumerating org members.

  5. Review Field-Level Security (FLS) for every sensitive object. Salesforce's Enhanced Personal Information Masking (EPIM) only covers the User object. Every other object with sensitive data needs FLS reviewed explicitly.

  6. Assume you've been scanned. If you run a public Experience Cloud site and haven't audited guest permissions in the last 90 days, treat your org as potentially enumerated. Review Salesforce audit logs for anomalous guest user API activity going back to late 2025.

Test all changes in a Sandbox first. Tightening OWDs and guest permissions can break legitimate functionality. Understand your record access model before pushing to production.
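Steps 1 and 3 above can be checked from the outside of the Setup UI. The script below is an added example, not Salesforce's code or anything from the advisory: it holds the two SOQL queries an admin would run against their own org (via the REST query endpoint) and an offline audit function that flags guest profile permissions outside an allowlist. Assumptions: guest profiles carry the 'Guest User License', the sample records and the "Support Site Profile" name are constructed.

```python
# Added example (not Salesforce's code): offline audit of guest user profile
# permissions over records shaped like the REST query endpoint's "records" array.
# Assumption: guest profiles in the org carry the 'Guest User License'.
GUEST_LICENSE = "Guest User License"
OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, "
    "PermissionsModifyAllRecords FROM ObjectPermissions "
    f"WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserLicense.Name = '{GUEST_LICENSE}'"
)
PROFILE_PERMS_SOQL = (
    "SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    f"WHERE IsOwnedByProfile = true AND Profile.UserLicense.Name = '{GUEST_LICENSE}'"
)
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsViewAllRecords", "PermissionsModifyAllRecords")

def audit_guest_permissions(object_perms, profile_perms, read_allowlist):
    """Return (profile, finding) tuples. read_allowlist maps a guest profile
    name to the set of sObjects the site genuinely needs guest Read on."""
    findings = []
    for rec in object_perms:
        profile = rec["Parent"]["Profile"]["Name"]
        obj = rec["SobjectType"]
        if rec.get("PermissionsRead") and obj not in read_allowlist.get(profile, set()):
            findings.append((profile, f"guest Read on {obj} is not on the allowlist"))
        for flag in WRITE_FLAGS:  # write/bypass rights on a guest profile need a reason
            if rec.get(flag):
                findings.append((profile, f"guest {flag} on {obj}: confirm it is required"))
    for rec in profile_perms:  # remediation step 3: 'API Enabled' off for guests
        if rec.get("PermissionsApiEnabled"):
            findings.append((rec["Profile"]["Name"], "API Enabled is set on the guest profile"))
    return findings

def _perm(profile, obj, **flags):
    """Constructed ObjectPermissions record; flags not given default to False."""
    rec = {"Parent": {"Profile": {"Name": profile}}, "SobjectType": obj}
    rec.update({f: flags.get(f, False) for f in ("PermissionsRead",) + WRITE_FLAGS})
    return rec

# Constructed sample data standing in for real query results.
SAMPLE_OBJECT_PERMS = [
    _perm("Support Site Profile", "Case", PermissionsRead=True, PermissionsCreate=True),
    _perm("Support Site Profile", "Contact", PermissionsRead=True),
    _perm("Support Site Profile", "Knowledge__kav", PermissionsRead=True),
]
SAMPLE_PROFILE_PERMS = [{"Profile": {"Name": "Support Site Profile"}, "PermissionsApiEnabled": True}]
SAMPLE_ALLOWLIST = {"Support Site Profile": {"Knowledge__kav"}}
```

Run the two SOQL strings through your org's REST query endpoint and pass the returned records to audit_guest_permissions; on the constructed sample it reports guest Read on Case and Contact, guest Create on Case, and API Enabled on the profile.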

Sources