ShinyHunters Salesforce Experience Cloud misconfiguration campaign
Campaign
Summary
Hide ▲
Show ▼
ShinyHunters is running an active Salesforce Experience Cloud campaign that exploits overly permissive guest-user settings to harvest data from hundreds of companies, increasing the risk of follow-on social engineering and vishing. The operation uses a customized version of Aura Inspector to mass-scan the /s/sfsites/aura API endpoint. Those scans identify vulnerable CRM objects and extract data from misconfigured endpoints. The harvested contact details can then support broader data theft and later targeting.
Related Happenings
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
Campaign
H score60
First: 10.06.2026 21:31
Last: 10.06.2026 21:31
Sources 1
About this happening:
**ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
ShinyHunters Oracle PeopleSoft data theft and extortion campaign
CampaignAbout this happening: **ShinyHunters**/**UNC6240** used **CVE-2026-35273** in **Oracle PeopleSoft Enterprise PeopleTools** as a **zero-day** to break into exposed systems, steal data, and extort victim...
Latest development: 29.06.2026 23:40
Nissan says attackers exploited an Oracle PeopleSoft vulnerability in a ShinyHunters-linked campaign and that the company was specifically targeted, with personal information for current and former employees in the United States, Canada, Mexico, and Brazil potentially exposed. Nissan says the material may include employee contact information, banking information, Social Security numbers, Social Insurance Numbers, National Identification Numbers, financial and tax information, and dependent and beneficiary information, and the company has activated incident response, engaged external cybersecurity experts, secured affected systems, and is working with Oracle.
ShinyHunters data-theft extortion campaign targeting Salesforce customers
Campaign
H score83
First: 07.04.2026 22:39
Last: 07.04.2026 22:39
Sources 1
About this happening:
The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
ShinyHunters data-theft extortion campaign targeting Salesforce customers
CampaignAbout this happening: The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
Latest development: 11.05.2026 12:00
ShinyHunters' pay-or-leak campaign exposed data from Zara customers, with HaveIBeenPwned citing over 197,000 affected customers after an April 2026 incident that involved stolen Anodot authentication tokens reaching BigQuery and Snowflake, and the same operation later targeted Instructure's Canvas Learning Management System in late April 2026, affecting 8,809 users across 50 countries and aligning with other victims such as Vimeo, Rockstar Games and McGraw Hill.
ShinyHunters widespread Okta SSO data theft campaign
Campaign
H score43
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
**ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
ShinyHunters widespread Okta SSO data theft campaign
CampaignAbout this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
Aura hit by network compromise
Incident
H score52
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
**Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
Aura hit by network compromise
IncidentAbout this happening: **Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
Aura customer data exposed after Aura breach
Data Leak
H score58
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Aura customer data exposed after Aura breach
Data LeakAbout this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Timeline
-
16.04.2026 13:35 1 articles · 2mo ago
ShinyHunters leak affects McGraw Hill Salesforce data
Victim Impact UpdateShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.
Show sources
- Data breach at edtech giant McGraw Hill affects 13.5 million accounts — www.bleepingcomputer.com — 16.04.2026 13:35
-
10.03.2026 12:00 2 articles · 4mo ago
Salesforce warns of ShinyHunters Experience Cloud campaign
Initial DisclosureSalesforce warns Experience Cloud customers to audit guest user permissions after tracking a ShinyHunters campaign that exploits overly permissive guest user settings on publicly accessible sites, mass-scans the /s/sfsites/aura API endpoint with a customized version of Aura Inspector, extracts data from misconfigured CRM objects, and uses harvested names and phone numbers for follow-on social engineering and vishing; the group also claims compromises of several hundreds of companies and around 400 websites.
Show sources
- ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign — www.infosecurity-magazine.com — 10.03.2026 12:00
- ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign — www.infosecurity-magazine.com — 10.03.2026 12:00