Cyber-crime

ShinyHunters claims more high-profile victims in latest Salesforce customers data heist

And they abused a Mandiant-developed open source tool in the attacks

Jessica Lyons, Mon 9 Mar 2026 // 18:30 UTC

ShinyHunters told The Register that it has stolen data from about 100 high-profile companies in its latest Salesforce customer data heist, including Salesforce itself.

"Have stolen data from almost 400 websites and about 100 essential high profile companies Snowflake, Okta, Lastpass, Salesforce itself, Sony, AMD, and a lot more," a ShinyHunters spokesperson told us, adding that the "recon and exploitation has been going on for several months now."

This follows a Saturday warning from Salesforce that a "known threat actor group" is actively scanning for - and then breaking into and stealing data from - public-facing Experience Cloud sites using a modified version of a Mandiant-developed free scanning tool.

A Salesforce spokesperson declined to answer The Register's questions about the latest data-theft campaign, including how many customers are affected and whether ShinyHunters is behind the illicit access.

"This issue is not due to any vulnerability inherent to the Salesforce platform, but rather Experience Cloud sites where a guest user profile has been inadvertently configured with overly broad permissions," the spokesperson said, directing us and its customers to this security advisory site for updates on the threat activity. "We have provided customers with guidance to restrict guest user access to help safeguard their sites," the spokesperson added.

The Register also reached out to Snowflake, Okta, LastPass, Sony, and AMD for comment, and will update this story as we hear back from them.

Salesforce has been a longtime target of the extortion crew, which has stolen data from hundreds of the CRM giant's customers in a series of attacks over the past year. ShinyHunters was also the crew behind the 2024 Snowflake customers' database intrusions.
It's worth noting that LastPass last week warned users of a phishing campaign that faked internal email threads.

The Salesforce blog also notes that the miscreants are using a modified version of an open source tool developed by Mandiant to perform mass scanning of public-facing Experience Cloud sites. Mandiant, the Google-owned consulting and incident response biz, released this tool in January to help Salesforce admins detect misconfigurations within the Salesforce Aura framework that could expose sensitive data.

The original tool identifies vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint). ShinyHunters' version, however, goes beyond this and exploits overly permissive guest user settings to extract data, according to Salesforce.

Experience Cloud sites act as a portal into Salesforce CRM databases, allowing customers, partners and employees to interact with data displayed on them. Publicly accessible Salesforce Experience sites use a dedicated "guest user profile" that allows unauthenticated users to view public pages, FAQs, or submit forms without logging in.

"However, if this profile is misconfigured with excessive permissions, data that is not intended to be made public may be accessible, allowing a threat actor to directly query Salesforce CRM objects without logging in," the company warned.

Therein lies the issue: the attackers are using guest user profiles that have been configured to allow public access to objects and fields that should not be made publicly available, and then stealing info, such as names and phone numbers, for follow-on social engineering attacks and voice phishing campaigns, which are ShinyHunters' and its affiliate criminals' specialty.

"We are aware of a threat actor attempting to facilitate intrusions by misusing the AuraInspector open-source tool to automate vulnerability scans across Salesforce environments," Mandiant Consulting CTO Charles Carmakal told The Register.
"We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk. It is important to note that detecting scanning activity in an organization's logs does not indicate a compromise."

Shiny told us they abused AuraInspector in this campaign.

"I fixed Google's broken code so it can work in my use case to identify vulnerable targets, subsequently I made an entirely different tool to bypass the Guest User 2,000 limit and exfiltrate all available Salesforce Object records on a vulnerable target," Shiny said.

To prevent data thieves from accessing sensitive data, Salesforce recommends customers immediately audit guest user permissions and enforce a least privilege access model to restrict access to the absolute minimum objects and fields required. Users should also ensure that the default external access is set to "private" (in Setup > Sharing Settings) for all objects. Plus, uncheck "Allow guest users to access public APIs" in site settings and uncheck "API Enabled" in the guest user profile's System Permissions.
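The remediation steps above are all configuration reviews an admin can turn into a repeatable check. The script below is an added example, not from the article, Salesforce or Mandiant: it parses a guest user Profile and the related CustomObject metadata in the Salesforce Metadata API XML format (the same files the Salesforce CLI retrieves) and reports the three conditions Salesforce lists, namely objects the guest profile can read or write, the "API Enabled" system permission, and objects whose default external access is not Private. The metadata element names are the real ones; the sample profile and object definitions are constructed for the example. The site-level "Allow guest users to access public APIs" setting is not covered here and still needs a manual check.

```python
"""Audit a Salesforce guest user profile for over-broad permissions.

Added example (not the article's or Salesforce's code). Input is Profile and
CustomObject metadata in the Salesforce Metadata API XML format, as retrieved
with the Salesforce CLI. The sample metadata below is constructed.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample: a guest profile with Read on Contact, Create on Case,
# and the "API Enabled" system permission switched on (the weak configuration).
GUEST_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <userLicense>Guest User License</userLicense>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

# Constructed sample: CustomObject metadata keyed by object API name. Contact
# has a default external access of Read, which the article says should be Private.
OBJECT_XML = {
    "Contact": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingModel>ReadWrite</sharingModel>
    <externalSharingModel>Read</externalSharingModel>
</CustomObject>""",
    "Case": """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingModel>ReadWrite</sharingModel>
    <externalSharingModel>Private</externalSharingModel>
</CustomObject>""",
}

# viewAllRecords / modifyAllRecords bypass record sharing, so they count as read.
READ_FLAGS = ("allowRead", "viewAllRecords", "modifyAllRecords")
WRITE_FLAGS = ("allowCreate", "allowEdit", "allowDelete", "modifyAllRecords")


def _flag(node, name):
    """True if the boolean child element <name> of node is 'true'."""
    el = node.find(f"m:{name}", NS)
    return el is not None and (el.text or "").strip().lower() == "true"


def audit_profile(profile_xml):
    """Object-level access and system permissions granted by a profile."""
    root = ET.fromstring(profile_xml)
    readable, writable = [], []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", default="", namespaces=NS)
        if any(_flag(op, f) for f in READ_FLAGS):
            readable.append(obj)
        if any(_flag(op, f) for f in WRITE_FLAGS):
            writable.append(obj)
    api_enabled = any(
        up.findtext("m:name", default="", namespaces=NS) == "ApiEnabled" and _flag(up, "enabled")
        for up in root.findall("m:userPermissions", NS)
    )
    return {"readable": sorted(readable), "writable": sorted(writable), "api_enabled": api_enabled}


def audit_external_sharing(object_xml_by_name):
    """Objects whose default external access (org-wide default) is not Private."""
    return {
        name: ET.fromstring(xml).findtext("m:externalSharingModel", default="(unset)", namespaces=NS)
        for name, xml in object_xml_by_name.items()
    }


def guest_record_exposure(profile_xml, object_xml_by_name):
    """Objects an unauthenticated guest could read records of: readable at the
    object level AND either shared externally or read via a sharing-bypass flag."""
    prof = audit_profile(profile_xml)
    external = audit_external_sharing(object_xml_by_name)
    root = ET.fromstring(profile_xml)
    bypass = {
        op.findtext("m:object", default="", namespaces=NS)
        for op in root.findall("m:objectPermissions", NS)
        if _flag(op, "viewAllRecords") or _flag(op, "modifyAllRecords")
    }
    return sorted(o for o in prof["readable"] if external.get(o, "(unset)") != "Private" or o in bypass)


if __name__ == "__main__":
    print("profile:", audit_profile(GUEST_PROFILE_XML))
    print("not Private externally:", {k: v for k, v in audit_external_sharing(OBJECT_XML).items() if v != "Private"})
    print("guest-readable records:", guest_record_exposure(GUEST_PROFILE_XML, OBJECT_XML))
```

Run it against the Profile and CustomObject files retrieved from the org; any object listed under guest-readable records, any write permission on the guest profile, and an enabled ApiEnabled permission are each a finding against the least-privilege model Salesforce describes.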
The threat involves attackers using a modified version of a Mandiant scanning tool to mass scan public-facing Salesforce Experience Cloud sites and exploit overly permissive guest user profile configurations to extract data. The article specifies this is not a platform vulnerability but a misconfiguration issue, and no CVSS score, affected software versions, or fixed versions are provided. Salesforce has issued guidance for customers to restrict guest user access to their Experience Cloud sites as a workaround.