Find notable cyber news and cases, enriched with sources, timelines, and signals.

ShinyHunters Salesforce Experience Cloud misconfiguration campaign

Campaign
First reported
Last updated
Happening score
H score 87
2 unique sources, 2 articles

Summary

Hide ▲

ShinyHunters is running an active Salesforce Experience Cloud campaign that exploits overly permissive guest-user settings to harvest data from hundreds of companies, increasing the risk of follow-on social engineering and vishing. The operation uses a customized version of Aura Inspector to mass-scan the /s/sfsites/aura API endpoint. Those scans identify vulnerable CRM objects and extract data from misconfigured endpoints. The harvested contact details can then support broader data theft and later targeting.

Related Happenings

ShinyHunters Oracle PeopleSoft data theft and extortion campaign

Campaign
H score60 First: 10.06.2026 21:31 Last: 10.06.2026 21:31 Sources 1

About this happening: **ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...

Latest development: 29.06.2026 23:40

Nissan says attackers exploited an Oracle PeopleSoft vulnerability in a ShinyHunters-linked campaign and that the company was specifically targeted, with personal information for current and former employees in the United States, Canada, Mexico, and Brazil potentially exposed. Nissan says the material may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information, and the company has activated incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle.

ShinyHunters data-theft extortion campaign targeting Salesforce customers

Campaign
H score83 First: 07.04.2026 22:39 Last: 07.04.2026 22:39 Sources 1

About this happening: The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...

Latest development: 11.05.2026 12:00

ShinyHunters' pay-or-leak campaign exposed data from Zara customers, with HaveIBeenPwned citing over 197,000 affected customers after an April 2026 incident that involved stolen Anodot authentication tokens reaching BigQuery and Snowflake, and the same operation later targeted Instructure's Canvas Learning Management System in late April 2026, affecting 8,809 users across 50 countries and aligning with other victims such as Vimeo, Rockstar Games and McGraw Hill.

ShinyHunters widespread Okta SSO data theft campaign

Campaign
H score43 First: 03.04.2026 20:41 Last: 03.04.2026 20:41 Sources 1

About this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...

Aura hit by network compromise

Incident
H score52 First: 19.03.2026 00:56 Last: 19.03.2026 00:56 Sources 1

About this happening: **Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...

Aura customer data exposed after Aura breach

Data Leak
H score58 First: 19.03.2026 00:56 Last: 19.03.2026 00:56 Sources 1

About this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...

Timeline

  1. 16.04.2026 13:35 1 articles · 2mo ago

    ShinyHunters leak affects McGraw Hill Salesforce data

    Victim Impact Update

    ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.

    Show sources
  2. 10.03.2026 12:00 2 articles · 4mo ago

    Salesforce warns of ShinyHunters Experience Cloud campaign

    Initial Disclosure

    Salesforce warns Experience Cloud customers to audit guest user permissions after tracking a ShinyHunters campaign that exploits overly permissive guest user settings on publicly accessible sites, mass-scans the /s/sfsites/aura API endpoint with a customized version of Aura Inspector, extracts data from misconfigured CRM objects, and uses harvested names and phone numbers for follow-on social engineering and vishing; the group also claims compromises of several hundreds of companies and around 400 websites.

    Show sources