▣ Breach SHINYHUNTERS-SALES 2026-05-27

Salesforce Customers: ShinyHunters Extortion Wave

Threat actors operating under the ShinyHunters banner have claimed a sweeping campaign against Salesforce customers, with confirmations and advisories issued by the FBI, Google Mandiant, and Salesforce itself. Between March and May 2026, leak-site postings escalated rapidly, and Google Threat Intelligence mapped the activity to four related clusters with identifiers ranging from UNC6040 to UNC6671. While actor claims include Hallmark's alleged eight million consumer records, confirmed impact so far includes 7-Eleven's nine-gigabyte archive and the 185,300 accounts from it now indexed by Have I Been Pwned.

What Happened

Attackers using the ShinyHunters label expanded their public leak operations across a three-month window, dumping data attributed to multiple global enterprises. Salesforce has stated the root cause is not a flaw in its core platform but rather permissive guest profile configurations on customer-managed Experience Cloud sites. Google Mandiant's investigation traced the activity to a coordinated set of clusters using overlapping tradecraft, though analysts caution that attribution to a single crew remains uncertain. Actor forums have tagged releases as part of a "ShinyHunters Salesforce Breach wave" to attract buyers, with record counts frequently inflated to pressure victims into rapid extortion payments.

What Was Taken

Confirmed exposure includes a nine-gigabyte archive tied to 7-Eleven, which led Have I Been Pwned to list 185,300 affected accounts from that single sample. Hallmark is named in claims involving roughly eight million consumer records, though independent confirmation has not surfaced. Across the campaign, exposed data reflects CRM-resident fields accessible through public Experience Cloud sites, including customer profile information and account records that should have been gated behind authentication. The breadth of victims spans multiple sectors, and the dumps suggest attackers prioritized high-volume consumer data with downstream extortion and resale value.

Why It Matters

This campaign illustrates that the SaaS perimeter is now a configuration boundary, not a code boundary. Customers assumed Salesforce-hosted data was protected by platform controls, but liberal guest profile permissions effectively published sensitive objects to anonymous visitors. With regulators globally tightening breach-notification regimes, organizations that misconfigured Experience Cloud face dual pressure from extortion demands and statutory disclosure obligations. The campaign also normalizes a hybrid playbook combining vishing, OAuth abuse, and reconnaissance tooling, which other crews are likely to replicate against Salesforce and adjacent SaaS platforms.

The Attack Technique

Threat actors combined two independent paths into victim orgs, one authenticated and one not. On the authenticated side, vishing calls impersonating IT staff harvested user passwords and one-time MFA codes, enabling the attackers to approve a malicious connected app in the victim's session and obtain an OAuth token that bypassed many downstream controls and did not depend on the stolen password staying valid. Google Mandiant has characterized this sequence as a textbook credential-theft playbook. On the unauthenticated side, attackers repurposed Mandiant's AuraInspector tool to crawl public Experience Cloud sites and query their GraphQL endpoints, enumerating the objects and fields exposed to the guest user profile. Where administrators had assigned overly liberal permissions, sensitive CRM fields were retrievable without any credentials at all; in both paths the data loss stemmed from misconfiguration and social engineering rather than a platform vulnerability.
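
The authenticated path above leaves a recognizable three-step trail in an org's own activity records. As an added example (not code from the page or from any vendor it cites), the Python below correlates that trail over a handful of constructed Salesforce-style records: a login from an IP outside the user's baseline, followed within a short window by approval of a connected app not on the allowlist, followed by a large export through that app. The CSV schema, the IP baseline, the app allowlist and the thresholds are all assumptions made for the illustration; real hunting would map them onto LoginHistory, SetupAuditTrail and EventLogFile data.

```python
"""Hunt for the vishing -> connected-app grant -> bulk export chain.

Records are CONSTRUCTED for this example and use a simplified hypothetical
CSV shape: timestamp,user,event,source_ip,application,rows. Map the fields
onto LoginHistory / SetupAuditTrail / EventLogFile in a real org.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed activity: alice is a normal user, bob follows the attack chain.
SAMPLE_EVENTS = [
    "2026-04-02T09:01:00Z,alice,Login,203.0.113.10,Salesforce for Web,0",
    "2026-04-02T09:30:00Z,alice,BulkExport,203.0.113.10,Data Loader,1200",
    "2026-04-03T14:02:00Z,bob,Login,198.51.100.77,Salesforce for Web,0",
    "2026-04-03T14:05:30Z,bob,ConnectedAppAuthorization,198.51.100.77,My Ticket Portal,0",
    "2026-04-03T14:09:00Z,bob,BulkExport,198.51.100.77,My Ticket Portal,250000",
]
# Constructed baseline of IPs each user normally logs in from.
KNOWN_IPS = {"alice": {"203.0.113.10"}, "bob": {"192.0.2.5"}}
# Constructed allowlist of connected apps the org has vetted.
APPROVED_APPS = {"Salesforce for Web", "Data Loader"}
EXPORT_THRESHOLD = 50_000          # rows; tune to the org's normal export sizes
WINDOW = timedelta(hours=2)        # how close the three stages must be in time


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    source_ip: str
    application: str
    rows: int


def parse_events(lines):
    """Parse the constructed CSV lines into Event objects."""
    events = []
    for line in lines:
        ts, user, kind, ip, app, rows = line.strip().split(",")
        events.append(Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                            user, kind, ip, app, int(rows)))
    return events


def hunt(events, known_ips, approved_apps, window=WINDOW,
         export_threshold=EXPORT_THRESHOLD):
    """Return one finding per grant to an unapproved connected app, scored by
    how many stages of the chain (new-IP login, grant, bulk export) are present."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e.user].append(e)

    findings = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for i, grant in enumerate(evs):
            if grant.kind != "ConnectedAppAuthorization" or grant.application in approved_apps:
                continue
            stages = ["unapproved_connected_app"]
            # Stage 1: a login from outside the user's IP baseline shortly before the grant.
            if any(e.kind == "Login" and e.source_ip not in known_ips.get(user, set())
                   and grant.ts - e.ts <= window for e in evs[:i]):
                stages.insert(0, "login_from_new_ip")
            # Stage 3: rows pulled through the newly granted app shortly after the grant.
            exported = sum(e.rows for e in evs[i + 1:]
                           if e.kind == "BulkExport" and e.application == grant.application
                           and e.ts - grant.ts <= window)
            if exported >= export_threshold:
                stages.append("bulk_export")
            findings.append({
                "user": user,
                "application": grant.application,
                "granted_at": grant.ts.isoformat(),
                "rows_exported": exported,
                "stages": stages,
                "severity": "high" if len(stages) == 3 else "medium",
            })
    return findings


if __name__ == "__main__":
    for f in hunt(parse_events(SAMPLE_EVENTS), KNOWN_IPS, APPROVED_APPS):
        print(f["severity"].upper(), f["user"], f["application"], f["stages"], f["rows_exported"])
```

The grant to an unvetted app is the pivot because it is the one step the attacker cannot skip; the login and export stages only raise the score, so a grant with no surrounding activity still surfaces as a medium finding to review.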

What Organizations Should Do

  1. Audit guest user profile permissions on every Experience Cloud site, at object, field, and sharing-rule level, and restrict access to truly public content only.
  2. Disable API and GraphQL queries for unauthenticated visitors per current Salesforce guidance; the guest profile should not carry the API Enabled permission.
  3. Review and revoke unused or unrecognized connected apps, and require admin approval for new OAuth grants.
  4. Enforce phishing-resistant MFA and train staff to recognize vishing impersonation of internal IT.
  5. Hunt for anomalous Salesforce logins, bulk data exports, and unfamiliar connected-app authorizations across recent months.
  6. Establish quarterly permission audits and integrate Salesforce telemetry into SIEM and SOC monitoring workflows.
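
Steps 1 and 2 reduce to a small set of checks over the guest profile's permission rows. As an added example rather than code from the page or from Salesforce, the Python below runs those checks over constructed rows shaped like the Profile, ObjectPermissions and FieldPermissions objects: it flags API Enabled on the guest profile, any create/edit/delete or View All/Modify All grant, read access to objects outside a public allowlist, and readable PII fields on those objects. The allowlist, the sensitive-field tokens and the sample rows are assumptions for the illustration; in a real audit the rows would come from SOQL queries filtered to the site's guest profile.

```python
"""Audit an Experience Cloud guest user profile for over-permissive access.

The row shapes follow the Salesforce Profile, ObjectPermissions and
FieldPermissions objects (PermissionsApiEnabled, SobjectType,
PermissionsRead, PermissionsViewAllRecords, Field, ...); the rows themselves
are CONSTRUCTED for this example, and the allowlist and sensitive-field
tokens are assumptions for the illustration.
"""
from collections import Counter

# Constructed guest profile: the misconfigured state the campaign exploited.
GUEST_PROFILE = {"Name": "Support Site Profile", "PermissionsApiEnabled": True}

# Constructed ObjectPermissions rows for that profile.
OBJECT_PERMS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
]

# Constructed FieldPermissions rows for the same profile.
FIELD_PERMS = [
    {"SobjectType": "Contact", "Field": "Contact.Email", "PermissionsRead": True, "PermissionsEdit": False},
    {"SobjectType": "Contact", "Field": "Contact.Description", "PermissionsRead": True, "PermissionsEdit": False},
    {"SobjectType": "Case", "Field": "Case.Subject", "PermissionsRead": True, "PermissionsEdit": False},
    {"SobjectType": "Knowledge__kav", "Field": "Knowledge__kav.Title", "PermissionsRead": True, "PermissionsEdit": False},
]

# Assumption: the only object this site is meant to publish to anonymous visitors.
PUBLIC_OBJECTS = {"Knowledge__kav"}
# Assumption: field-name fragments that mark a field as sensitive for an anonymous reader.
SENSITIVE_FIELD_TOKENS = ("email", "phone", "ssn", "birth", "street", "token", "password")
# Permissions a guest profile should never carry.
WRITE_OR_BROAD = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
                  "PermissionsViewAllRecords", "PermissionsModifyAllRecords")


def audit_guest_profile(profile, object_perms, field_perms, public_objects):
    """Return findings, most severe first; an empty list means the profile passed."""
    findings = []
    if profile.get("PermissionsApiEnabled"):
        findings.append({"severity": "critical", "kind": "api_enabled_on_guest_profile",
                         "target": profile["Name"],
                         "detail": "anonymous visitors can query REST/GraphQL directly"})

    readable = set()
    for op in object_perms:
        obj = op["SobjectType"]
        broad = [p for p in WRITE_OR_BROAD if op.get(p)]
        if broad:
            findings.append({"severity": "high", "kind": "write_or_view_all_on_guest",
                             "target": obj, "detail": ", ".join(broad)})
        if op.get("PermissionsRead"):
            readable.add(obj)
            if obj not in public_objects:
                findings.append({"severity": "high", "kind": "non_public_object_readable",
                                 "target": obj, "detail": "Read granted outside the public allowlist"})

    for fp in field_perms:
        obj, field = fp["SobjectType"], fp["Field"]
        # Field-level read only matters on objects the guest can already read.
        if not (fp.get("PermissionsRead") and obj in readable and obj not in public_objects):
            continue
        name = field.split(".", 1)[-1].lower()
        if any(tok in name for tok in SENSITIVE_FIELD_TOKENS):
            findings.append({"severity": "critical", "kind": "sensitive_field_readable",
                             "target": field, "detail": "PII readable by the guest user"})

    rank = {"critical": 0, "high": 1}
    findings.sort(key=lambda f: (rank[f["severity"]], f["target"]))
    return findings


def count_by_kind(findings):
    """Summarize findings by check, for trending between quarterly audits."""
    return Counter(f["kind"] for f in findings)


if __name__ == "__main__":
    for f in audit_guest_profile(GUEST_PROFILE, OBJECT_PERMS, FIELD_PERMS, PUBLIC_OBJECTS):
        print(f"{f['severity']:8} {f['kind']:32} {f['target']:24} {f['detail']}")
```

The hardened form of the same profile is the one the audit returns nothing for: API Enabled off, Read on the public objects only, no field permissions on anything else. Running the audit on every site's guest profile each quarter (step 6) and diffing the `count_by_kind` output against the previous run catches a permission that an administrator re-opens between audits.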

Sources: ShinyHunters Salesforce Breach: Claims, Vectors, Defenses - AI CERTs News