ShinyHunters claims to have stolen data from 100 high-profile companies including Salesforce itself, Snowflake, and Okta by exploiting misconfigured guest user profiles on Experience Cloud sites using a modified Mandiant tool.
The notorious cybercriminal group ShinyHunters has claimed responsibility for a massive data breach affecting approximately 100 high-profile companies, including Salesforce itself, Snowflake, Okta, LastPass, Sony, and AMD. According to a spokesperson for the group, the campaign has been ongoing for several months, targeting public-facing Salesforce Experience Cloud sites with misconfigured guest user permissions.
The Attack Vector
The breach exploits a fundamental misconfiguration issue within Salesforce Experience Cloud sites. These sites use a dedicated "guest user profile" that allows unauthenticated users to access public pages, FAQs, or submit forms without logging in. However, when this profile is configured with excessive permissions, it can expose sensitive data that should remain private.
ShinyHunters has modified an open-source tool originally developed by Mandiant called AuraInspector. The original tool was designed to help Salesforce administrators detect misconfigurations within the Salesforce Aura framework that could expose sensitive data. AuraInspector identifies vulnerable objects by probing API endpoints that these sites expose, specifically the /s/sfsites/aura endpoint.
ShinyHunters' modified version goes significantly further. According to the group, they "fixed Google's broken code so it can work in my use case to identify vulnerable targets, subsequently I made an entirely different tool to bypass the Guest User 2,000 limit and exfiltrate all available Salesforce Object records on a vulnerable target."
Scope and Impact
While Salesforce declined to specify exactly how many customers are affected, the company acknowledged that a "known threat actor group" is actively scanning for and breaking into public-facing Experience Cloud sites. The stolen data typically includes names, phone numbers, and other personal information that can be used for social engineering and voice phishing campaigns.
This campaign follows a pattern of attacks that ShinyHunters has conducted against Salesforce customers over the past year. The group was also responsible for the 2024 intrusions into Snowflake customers' databases, demonstrating its continued focus on enterprise cloud services.
Technical Details
Experience Cloud sites act as portals into Salesforce CRM databases, allowing customers, partners, and employees to interact with data displayed on them. The vulnerability arises when guest user profiles are granted permissions beyond what's necessary for their intended purpose.
Mandiant Consulting CTO Charles Carmakal explained the situation: "We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments. We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk. It is important to note that detecting scanning activity in an organization's logs does not indicate a compromise."
Mitigation Steps
Salesforce has provided specific guidance to help customers protect their sites:
- Audit guest user permissions immediately - Review and restrict access to the absolute minimum objects and fields required
- Enforce least privilege access - Ensure guest users can only access what's absolutely necessary
- Set default external access to "private" - In Setup > Sharing Settings, configure all objects to default to private access
- Disable public API access - Uncheck "Allow guest users to access public APIs" in site settings
- Restrict system permissions - Uncheck "API Enabled" in the guest user profile's System Permissions
- Monitor for scanning activity - Be aware that detection of scanning in logs doesn't necessarily mean a compromise has occurred
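One way to carry out the permission audit from the steps above offline, as an added example that is not the article's or Salesforce's own code: it takes the guest profile's ObjectPermissions records (the field names mirror Salesforce's ObjectPermissions and PermissionSet objects), flags any object access beyond an assumed allow-list, and reports the "API Enabled" system permission the guidance says to uncheck. The records and the allow-list below are constructed for illustration.

```python
# Added example (not from the article or Salesforce): offline least-privilege
# audit of a guest user profile. The record shape mirrors Salesforce's
# ObjectPermissions (SobjectType, PermissionsRead/Create/Edit/Delete) and
# PermissionSet (PermissionsApiEnabled); the data and allow-list are constructed.
from dataclasses import dataclass

# Constructed sample: what a query of the guest profile's permission set returns.
GUEST_PERMISSION_SET = {"Name": "Guest_Site_Profile", "PermissionsApiEnabled": True}
GUEST_OBJECT_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False},
    {"SobjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True,
     "PermissionsEdit": False, "PermissionsDelete": False},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": True, "PermissionsDelete": False},
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False},
]

# Assumed allow-list: the only access a public FAQ page plus a contact form needs.
EXPECTED_ACCESS = {"Knowledge__kav": {"Read"}, "Case": {"Create"}}

CRUD = ("Read", "Create", "Edit", "Delete")


@dataclass(frozen=True)
class Finding:
    sobject: str
    excess: tuple  # CRUD permissions granted but not on the allow-list


def excess_object_access(object_perms, expected):
    """Return one Finding per object whose granted CRUD exceeds the allow-list."""
    findings = []
    for rec in object_perms:
        granted = {p for p in CRUD if rec.get(f"Permissions{p}")}
        extra = granted - expected.get(rec["SobjectType"], set())
        if extra:
            findings.append(Finding(rec["SobjectType"], tuple(sorted(extra))))
    return findings


def audit_guest_profile(permission_set, object_perms, expected):
    """Human-readable remediation list for the guest profile, empty if clean."""
    issues = [f"{f.sobject}: remove {', '.join(f.excess)}"
              for f in excess_object_access(object_perms, expected)]
    if permission_set.get("PermissionsApiEnabled"):
        issues.append("System Permissions: uncheck 'API Enabled' on the guest profile")
    return issues


if __name__ == "__main__":
    for line in audit_guest_profile(GUEST_PERMISSION_SET, GUEST_OBJECT_PERMISSIONS, EXPECTED_ACCESS):
        print(line)
```

Feed it the real ObjectPermissions rows for the guest user's profile and an allow-list drawn from what the site's pages and forms actually render, and anything it prints is a candidate for removal.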
Industry Response
Several affected companies have responded to the breach. A LastPass spokesperson stated they are "aware of this campaign" and "actively working with our contacts at Salesforce to investigate," adding there is "no evidence" that the Salesforce incident is related to last week's phishing campaign.
Salesforce itself has directed customers to its security advisory site for updates on the threat activity. The company emphasized that "this issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions."
Historical Context
This latest breach represents another significant victory for ShinyHunters, a group that has been active since at least 2020. The crew has developed a reputation for targeting large enterprises and stealing sensitive customer data, which they often attempt to sell or use for extortion purposes.
The group's targeting of Salesforce is particularly notable given the platform's widespread adoption among enterprise customers. With over 150,000 companies using Salesforce globally, even a small percentage of misconfigured sites represents a significant attack surface.
Security Implications
This breach highlights several important security considerations for organizations using cloud platforms:
- Configuration management is critical - Even the most secure platforms can be compromised through misconfiguration
- Third-party tools require scrutiny - Open-source security tools can be modified for malicious purposes
- Regular security audits are essential - Organizations should routinely review permissions and access controls
- Guest user profiles need careful management - Public access features must be configured with security in mind
The use of a modified Mandiant tool also raises questions about the security of open-source security tools and the potential for adversaries to weaponize defensive technologies.
Looking Forward
As organizations continue to migrate to cloud platforms and enable more public-facing features, the importance of proper configuration management cannot be overstated. This incident serves as a reminder that security is a shared responsibility between platform providers and their customers.
Salesforce customers should take immediate action to review their Experience Cloud configurations and implement the recommended security measures. Meanwhile, the broader security community will be watching to see how this incident influences future approaches to cloud security and the management of guest user permissions.
The full extent of the data stolen in this campaign remains unclear, and affected companies are likely still in the process of assessing the damage. What is certain is that ShinyHunters has once again demonstrated their ability to exploit misconfigurations at scale, potentially affecting hundreds of organizations and millions of individuals whose data may now be in the hands of cybercriminals.
