Source excerpt (The Register):
> And they abused a Mandiant-developed open source tool in the attacks. ShinyHunters told The Register that it has stolen data from about 100 high-profile companies in its latest Salesforce customer data heist, including Salesforce itself. …
# Incident Report: ShinyHunters Abuse of Salesforce Guest User Misconfigurations
## Executive Summary
The threat actor group "ShinyHunters" has targeted approximately 100 high-profile organizations by exploiting misconfigured Salesforce Experience Cloud sites. By abusing a modified version of Mandiant’s "AuraInspector" tool, the attackers identified and exfiltrated sensitive data from CRM objects exposed through overly permissive guest user profiles. The stolen data, including names and phone numbers, is being leveraged for follow-on social engineering and voice phishing attacks.
## Incident Details
- **Discovery Date:** Early March 2026 (Publicly acknowledged March 7-9, 2026)
- **Incident Date:** Ongoing; "several months" prior to discovery
- **Affected Organizations:** Approximately 100 organizations, including Salesforce, Snowflake, Okta, LastPass, Sony, and AMD.
- **Sector:** Technology, Entertainment, and Financial Services
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** Ongoing (dating back several months)
- **Vector:** Exploitation of misconfigured guest user profiles on public-facing Experience Cloud sites.
- **Details:** Attackers targeted the `/s/sfsites/aura` endpoint to probe for vulnerable Salesforce Aura framework configurations.
### Lateral Movement
- **Details:** The attack does not appear to involve traditional lateral movement within an internal network; instead, it focuses on direct querying of Salesforce CRM objects (e.g., Lead, Contact, Account records) that were inadvertently made public through API access.
### Data Exfiltration/Impact
- **Details:** Extraction of sensitive CRM data, specifically names, phone numbers, and other record details. ShinyHunters claims to have bypassed the standard 2,000-record limit for guest users to perform mass exfiltration.
### Detection & Response
- **Detection:** Identified through active scanning patterns and the misuse of the Mandiant AuraInspector tool.
- **Response Actions:** Salesforce issued a security advisory and blog post providing guidance on auditing guest user permissions. Mandiant released detection rules and telemetry to assist customers in identifying scanning activity.
## Attack Methodology
- **Initial Access:** Misconfigured "Guest User Profiles" on Salesforce Experience Cloud sites.
- **Persistence:** Not applicable; the attack relies on continuous unauthorized API polling/querying rather than malware installation.
- **Privilege Escalation:** Exploiting overly broad object-level permissions granted to unauthenticated (guest) users.
- **Defense Evasion:** Use of a modified version of a legitimate open-source assessment tool (AuraInspector), so that the traffic resembles an authorized security audit.
- **Credential Access:** None required (unauthenticated access).
- **Discovery:** Mass scanning of Aura endpoints using modified open-source tools.
- **Lateral Movement:** N/A (Direct cloud object access).
- **Collection:** Automated querying of Salesforce CRM objects via API.
- **Exfiltration:** Large-scale extraction of object records using a custom tool designed to bypass the 2,000-record guest limit.
- **Impact:** Data theft intended for secondary social engineering and vishing campaigns.
## Impact Assessment
- **Financial:** Unknown; potential for significant remediation costs and regulatory fines.
- **Data Breach:** Compromise of CRM data (names, phone numbers) across ~100 high-profile victims.
- **Operational:** Low direct business disruption, but high downstream risk of targeted phishing.
- **Reputational:** High public impact due to the prominent nature of the victim organizations.
## Indicators of Compromise
- **Behavioral Indicators:**
- High-volume requests to the `hxxps://[subdomain].force.com/s/sfsites/aura` endpoint.
- Large-scale querying of CRM objects by unauthenticated guest users.
- Request structure and sequencing matching the Mandiant AuraInspector tool. A modified copy can trivially change its User-Agent string, so do not rely on the UA alone; key on endpoint volume per client and on the set of objects being queried.
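The first two indicators above can be turned into a simple detection over the site's web access logs. The following is an added example, not code from the report, Salesforce or Mandiant: it parses combined-format access log lines, counts requests to the Aura endpoint per client IP inside a sliding window, and reports clients whose burst reaches a threshold. Experience Cloud sites answer on `*.force.com` and `*.my.site.com` hostnames; the endpoint paths, the threshold, the window and the log lines themselves are constructed assumptions that should be tuned against the site's own baseline (a single legitimate page load issues several Aura calls).

```python
"""Flag burst querying of the Experience Cloud Aura endpoint by a single client.

Added example, not code from the report, Salesforce or Mandiant. It parses
web-server access logs in combined log format (constructed sample below),
counts requests to the Aura endpoint per client IP inside a sliding time
window, and reports clients exceeding a threshold. The paths, threshold and
window are assumptions to tune against the site's own baseline.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumption: endpoint paths the Aura framework answers on Experience Cloud sites.
AURA_PATHS = ("/s/sfsites/aura", "/sfsites/aura", "/aura")

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Parse one combined-log line; return a dict or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["path"] = rec["path"].split("?", 1)[0]  # drop the query string before matching
    return rec


def is_aura(path):
    """True if the request path is the Aura endpoint or something beneath it."""
    return any(path == p or path.startswith(p + "/") for p in AURA_PATHS)


def find_aura_bursts(lines, threshold=50, window_seconds=60):
    """Return {ip: peak_requests} for clients whose Aura request count within any
    window_seconds-long window reached threshold. Lines must be time-ordered per IP."""
    windows = defaultdict(deque)   # ip -> timestamps of Aura requests in the current window
    peaks = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_aura(rec["path"]):
            continue
        q = windows[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()                # slide the window forward
        peaks[rec["ip"]] = max(peaks[rec["ip"]], len(q))
    return {ip: n for ip, n in peaks.items() if n >= threshold}


def constructed_sample():
    """Constructed log lines (not real traffic): one scripted client hammering
    the Aura endpoint, one browser user loading a few pages."""
    base = datetime(2026, 3, 8, 12, 0, 0, tzinfo=timezone.utc)
    scanner_ua = "python-requests/2.31.0"   # assumption: a modified tool may spoof this
    browser_ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/135.0"
    lines = []
    for i in range(120):   # 120 POSTs in 60 seconds from one client
        ts = (base + timedelta(seconds=i // 2)).strftime(TS_FMT)
        lines.append(f'203.0.113.9 - - [{ts}] "POST /s/sfsites/aura?r=7&aura.ApexAction.execute=1 HTTP/1.1" 200 38212 "-" "{scanner_ua}"')
    for i in range(5):     # sparse, page-load style traffic from a browser
        ts = (base + timedelta(seconds=40 * i)).strftime(TS_FMT)
        lines.append(f'198.51.100.4 - - [{ts}] "GET /s/article/Welcome HTTP/1.1" 200 9120 "-" "{browser_ua}"')
        lines.append(f'198.51.100.4 - - [{ts}] "POST /s/sfsites/aura?r=2 HTTP/1.1" 200 1540 "https://example.my.site.com/s/" "{browser_ua}"')
    return lines


if __name__ == "__main__":
    for ip, peak in find_aura_bursts(constructed_sample()).items():
        print(f"{ip}: {peak} Aura requests in a 60 s window")
```

Run against real logs, the same function also surfaces slow-and-low scanners if the window is widened to an hour and the threshold lowered; either way the goal is to catch a single unauthenticated client enumerating records, not to fingerprint one tool.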
## Response Actions
- **Containment:** Salesforce recommended unchecking "Allow guest users to access public APIs" and "API Enabled" in guest profiles.
- **Eradication:** Instructed customers to audit all guest user permissions and restrict access to the absolute minimum objects required.
- **Recovery:** Enforcement of the "Least Privilege" access model and setting default external access to "Private" for all objects.
## Lessons Learned
- **Security Tool Dual-Use:** Defensive tools (like AuraInspector) can be quickly inverted by attackers to automate exploitation.
- **Default Permissions:** Relying on default configurations for public-facing cloud portals represents a significant risk; "Guest" profiles should always be treated as untrusted.
- **Limit Bypass:** Attackers continue to find creative technical workarounds for platform-imposed data export limits (e.g., the 2,000-record limit).
## Recommendations
- **Audit Guest Access:** Immediately review the Experience Cloud "Guest User Profile" of every public site for any enabled permissions on sensitive CRM objects.
- **Hardening:** Disable "API Enabled" permissions for all guest profiles unless strictly necessary for business functions.
- **Monitoring:** Implement monitoring for unusual volumes of guest API traffic or queries against sensitive objects such as `Contact`, `Lead`, `Account`, or `User`.
- **Zero Trust:** Apply the Principle of Least Privilege (PoLP) by setting Default External Access to "Private" for all objects in Salesforce Sharing Settings.
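The containment and audit steps above (disable API access on guest profiles, strip object permissions back to the minimum, treat Read on CRM objects as a finding) can be scripted so they are re-run after every site change. The following is an added example, not Salesforce's or Mandiant's code. It evaluates records shaped like the results of two SOQL queries against the standard `Profile` and `ObjectPermissions` objects (the queries are in the docstring and can be run with any Salesforce API client); the records below are constructed, and the allow-lists of objects a guest may read or create are a per-site assumption.

```python
"""Audit Experience Cloud guest profiles against a least-privilege policy.

Added example, not Salesforce's or Mandiant's code. It evaluates records in
the shape returned by two SOQL queries against standard objects:

  SELECT Id, Name, PermissionsApiEnabled, UserLicense.Name
  FROM Profile WHERE UserLicense.Name = 'Guest User License'

  SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsCreate,
         PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
         PermissionsModifyAllRecords
  FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true

The sample records below are constructed, and the allow-lists are a per-site
assumption: most sites need guest Read on nothing but public content.
"""
from collections import defaultdict

# CRM objects whose exposure to unauthenticated users is the report's core finding.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "User", "Case", "Opportunity"}

# Assumption: this site publishes knowledge articles and accepts web-to-case submissions.
DEFAULT_POLICY = {
    "allowed_read": {"Knowledge__kav"},
    "allowed_create": {"Case"},
}


def audit_guest_profiles(profiles, object_permissions, policy=DEFAULT_POLICY):
    """Return a list of (profile_name, object, issue) findings for guest profiles."""
    perms_by_profile = defaultdict(list)
    for op in object_permissions:
        perms_by_profile[op["Parent"]["ProfileId"]].append(op)

    findings = []
    for prof in profiles:
        # Guest profiles are the only ones reachable without authentication.
        if prof.get("UserLicense", {}).get("Name") != "Guest User License":
            continue
        name = prof["Name"]
        if prof.get("PermissionsApiEnabled"):
            findings.append((name, "*", "API Enabled on a guest profile"))
        for op in perms_by_profile.get(prof["Id"], []):
            obj = op["SobjectType"]
            if op.get("PermissionsViewAllRecords") or op.get("PermissionsModifyAllRecords"):
                findings.append((name, obj, "View All / Modify All granted to guest"))
            if op.get("PermissionsRead") and obj not in policy["allowed_read"]:
                issue = ("sensitive CRM object readable by guest" if obj in SENSITIVE_OBJECTS
                         else "object readable by guest outside allow-list")
                findings.append((name, obj, issue))
            if op.get("PermissionsCreate") and obj not in policy["allowed_create"]:
                findings.append((name, obj, "Create granted to guest"))
            if op.get("PermissionsEdit") or op.get("PermissionsDelete"):
                findings.append((name, obj, "Edit/Delete granted to guest"))
    return findings


def _op(profile_id, sobject, **granted):
    """Build one constructed ObjectPermissions record with the given flags set."""
    rec = {"Parent": {"ProfileId": profile_id}, "SobjectType": sobject,
           "PermissionsRead": False, "PermissionsCreate": False, "PermissionsEdit": False,
           "PermissionsDelete": False, "PermissionsViewAllRecords": False,
           "PermissionsModifyAllRecords": False}
    rec.update(granted)
    return rec


# Constructed sample data (IDs and names are placeholders, not a real org).
SAMPLE_PROFILES = [
    {"Id": "00e000000000001AAA", "Name": "Support Site Profile",
     "PermissionsApiEnabled": True, "UserLicense": {"Name": "Guest User License"}},
    {"Id": "00e000000000002AAA", "Name": "Docs Site Profile",
     "PermissionsApiEnabled": False, "UserLicense": {"Name": "Guest User License"}},
    {"Id": "00e000000000003AAA", "Name": "System Administrator",
     "PermissionsApiEnabled": True, "UserLicense": {"Name": "Salesforce"}},
]
SAMPLE_OBJECT_PERMISSIONS = [
    _op("00e000000000001AAA", "Contact", PermissionsRead=True),
    _op("00e000000000001AAA", "Case", PermissionsRead=True, PermissionsCreate=True),
    _op("00e000000000001AAA", "Knowledge__kav", PermissionsRead=True),
    _op("00e000000000002AAA", "Knowledge__kav", PermissionsRead=True),
    _op("00e000000000002AAA", "Lead", PermissionsRead=True, PermissionsViewAllRecords=True),
    _op("00e000000000003AAA", "Account", PermissionsRead=True, PermissionsEdit=True),
]

if __name__ == "__main__":
    for profile, obj, issue in audit_guest_profiles(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMISSIONS):
        print(f"{profile:24} {obj:16} {issue}")
```

Object permissions are only half of the exposure: a guest profile with Read on `Contact` and an org-wide "Default External Access" of Public Read Only on that object exposes every record, so the same audit should also pull the object's external sharing default and flag anything other than "Private" for objects the site does not intentionally publish.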