ShinyHunters Salesforce Experience Cloud data theft claims
Data Leak
Summary
Hide ▲
Show ▼
ShinyHunters has claimed ongoing theft of data from Salesforce Experience Cloud instances, putting exposed customer records at risk across hundreds of organizations. Salesforce says the activity relies on misconfigured guest access on public sites rather than an inherent platform vulnerability. The claimed operation uses /s/sfsites/aura targeting, modified AuraInspector, and a custom stealing tool to extract records. If accurate, the activity could affect 300-400 breached organizations and sustain repeated data extraction over time.
Related Happenings
Aura customer data exposed after Aura breach
Data Leak
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Aura customer data exposed after Aura breach
Data LeakAbout this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Aura hit by network compromise
Incident
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
**Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
Aura hit by network compromise
IncidentAbout this happening: **Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
ShinyHunters Salesforce Experience Cloud misconfiguration campaign
Campaign
First: 10.03.2026 12:00
Last: 10.03.2026 12:00
Sources 1
About this happening:
ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...
ShinyHunters Salesforce Experience Cloud misconfiguration campaign
CampaignAbout this happening: ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...
Latest development: 16.04.2026 13:35
ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.
Salesforce Experience Cloud guest-user hardening
Advisory/Mitigation
First: 10.03.2026 09:17
Last: 10.03.2026 09:17
Sources 1
How related:
Salesforce is recommending customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries.
About this happening:
**Salesforce** is urging **Experience Cloud** customers to harden **guest user settings** after abuse of overly permissive configurations exposed public sites to unauthorized data...
Salesforce Experience Cloud guest-user hardening
Advisory/MitigationHow related: Salesforce is recommending customers review their Experience Cloud guest user settings, ensure the Default External Access for all objects is set to Private, disable guest users' access to public APIs, restrict visibility settings to prevent guest users from enumerating internal organization members, disable self-registration if not required, and monitor logs for unusual queries.
About this happening: **Salesforce** is urging **Experience Cloud** customers to harden **guest user settings** after abuse of overly permissive configurations exposed public sites to unauthorized data...
Wynn Resorts hit by cyberattack
Incident
First: 24.02.2026 23:51
Last: 24.02.2026 23:51
Sources 1
About this happening:
**Wynn Resorts** confirmed an **employee data breach** after an unauthorized third party stole data from its systems, creating exposure risk for staff records. The company said it...
Wynn Resorts hit by cyberattack
IncidentAbout this happening: **Wynn Resorts** confirmed an **employee data breach** after an unauthorized third party stole data from its systems, creating exposure risk for staff records. The company said it...
Timeline
-
09.03.2026 19:12 2 articles · 2mo ago
Salesforce warns on misconfigured Experience Cloud access as ShinyHunters claims data theft
Initial DisclosureSalesforce warned customers that misconfigured Experience Cloud sites with excessive guest-user permissions are being targeted through the /s/sfsites/aura API endpoint, and said the activity reflects customer-configured guest settings rather than a platform security flaw. ShinyHunters claimed responsibility for Salesforce Aura/Experience Cloud data theft attacks, said it had compromised around 100 high-profile companies and 300-400 breached organizations, and described continued exploitation of a method to extract Salesforce CRM data from exposed instances.
Show sources
- ShinyHunters claims ongoing Salesforce Aura data theft attacks — www.bleepingcomputer.com — 09.03.2026 19:12
- Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool — thehackernews.com — 10.03.2026 09:17