ShinyHunters Salesforce Experience Cloud misconfiguration campaign
Campaign
Summary
Hide ▲
Show ▼
ShinyHunters is running an active Salesforce Experience Cloud campaign that exploits overly permissive guest-user settings to harvest data from hundreds of companies, increasing the risk of follow-on social engineering and vishing. The operation uses a customized version of Aura Inspector to mass-scan the /s/sfsites/aura API endpoint. Those scans identify vulnerable CRM objects and extract data from misconfigured endpoints. The harvested contact details can then support broader data theft and later targeting.
Related Happenings
ShinyHunters data-theft extortion campaign targeting Salesforce customers
Campaign
First: 07.04.2026 22:39
Last: 07.04.2026 22:39
Sources 1
About this happening:
The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
ShinyHunters data-theft extortion campaign targeting Salesforce customers
CampaignAbout this happening: The **ShinyHunters** extortion campaign is actively pressuring **numerous companies** with ransom demands tied to **stolen data**, increasing exposure for **Salesforce customers**...
Latest development: 11.05.2026 12:00
ShinyHunters' pay-or-leak campaign exposed data from Zara customers, with HaveIBeenPwned citing over 197,000 affected customers after an April 2026 incident that involved stolen Anodot authentication tokens reaching BigQuery and Snowflake, and the same operation later targeted Instructure's Canvas Learning Management System in late April 2026, affecting 8,809 users across 50 countries and aligning with other victims such as Vimeo, Rockstar Games and McGraw Hill.
ShinyHunters widespread Okta SSO data theft campaign
Campaign
First: 03.04.2026 20:41
Last: 03.04.2026 20:41
Sources 1
About this happening:
**ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
ShinyHunters widespread Okta SSO data theft campaign
CampaignAbout this happening: **ShinyHunters** is tied to a **widespread campaign** that compromised **Okta SSO accounts** to steal data from third-party **cloud storage** and **SaaS platforms**, widening the...
Aura hit by network compromise
Incident
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
**Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
Aura hit by network compromise
IncidentAbout this happening: **Aura** confirmed a **voice-phishing breach** that gave an unauthorized party access to customer records, exposing data tied to **20,000 current** and **15,000 former customers**...
Aura customer data exposed after Aura breach
Data Leak
First: 19.03.2026 00:56
Last: 19.03.2026 00:56
Sources 1
About this happening:
Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Aura customer data exposed after Aura breach
Data LeakAbout this happening: Aura confirmed a **data leak** that exposed nearly **900,000 customer records**, creating privacy and phishing risk for affected customers. The exposed set included **names**, **e...
Salesforce Experience Cloud guest-user hardening
Advisory/Mitigation
First: 10.03.2026 09:17
Last: 10.03.2026 09:17
Sources 1
About this happening:
**Salesforce** is urging **Experience Cloud** customers to harden **guest user settings** after abuse of overly permissive configurations exposed public sites to unauthorized data...
Salesforce Experience Cloud guest-user hardening
Advisory/MitigationAbout this happening: **Salesforce** is urging **Experience Cloud** customers to harden **guest user settings** after abuse of overly permissive configurations exposed public sites to unauthorized data...
Timeline
-
16.04.2026 13:35 1 articles · 1mo ago
ShinyHunters leak affects McGraw Hill Salesforce data
Victim Impact UpdateShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.
Show sources
- Data breach at edtech giant McGraw Hill affects 13.5 million accounts — www.bleepingcomputer.com — 16.04.2026 13:35
-
10.03.2026 12:00 2 articles · 2mo ago
Salesforce warns of ShinyHunters Experience Cloud campaign
Initial DisclosureSalesforce warns Experience Cloud customers to audit guest user permissions after tracking a ShinyHunters campaign that exploits overly permissive guest user settings on publicly accessible sites, mass-scans the /s/sfsites/aura API endpoint with a customized version of Aura Inspector, extracts data from misconfigured CRM objects, and uses harvested names and phone numbers for follow-on social engineering and vishing; the group also claims compromises of several hundreds of companies and around 400 websites.
Show sources
- ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign — www.infosecurity-magazine.com — 10.03.2026 12:00
- ShinyHunters Targets Hundreds of Websites in New Salesforce Campaign — www.infosecurity-magazine.com — 10.03.2026 12:00