Hundreds of Salesforce Customers Allegedly Targeted in New Data Theft Campaign

Salesforce has confirmed that customers are being targeted via poorly secured instances.

By Eduard Kovacs | March 10, 2026 (8:37 AM ET)

Salesforce has issued another warning to customers as the notorious ShinyHunters cybercrime group has announced a new campaign involving data theft and extortion.

Since mid-2025, ShinyHunters has been targeting the Salesforce instances of many organizations using social engineering and other tactics. The incidents disclosed last year resulted in millions of data records being compromised and leaked by ShinyHunters.

According to Salesforce, all the data breaches were the result of phishing, abuse of third-party integrations, or misconfigurations rather than vulnerabilities in its products or systems.

In a blog post published on March 7, Salesforce warned customers about ongoing attacks leveraging misconfigurations or publicly accessible sites.

“We have identified a campaign in which malicious actors are exploiting customers’ overly permissive Experience Cloud guest user configurations to potentially access more data than targeted organizations intended,” Salesforce said.

“It is important to note that Salesforce remains secure, and this issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” it added.

The company noted that the threat actor has abused a modified version of an open source tool called Aura Inspector, which Mandiant developed for auditing Salesforce Aura instances and identifying data exposures.
“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” Salesforce explained.

While the CRM vendor has not named the threat actor, the ShinyHunters group took credit for the attack, claiming to have targeted “several hundreds of companies” as part of what it calls the ‘Salesforce Aura Campaign’.

The cybercrime gang has threatened to release information stolen from companies’ Salesforce instances if they refuse to comply with their extortion demands.

Written by Eduard Kovacs. Eduard Kovacs (@EduardKovacs) is senior managing editor at SecurityWeek. He worked as a high school IT teacher before starting a career in journalism in 2011. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
The ShinyHunters group is exploiting misconfigured Salesforce Experience Cloud guest user permissions to extract data via a modified version of the Aura Inspector tool, which abuses overly permissive API endpoints. The campaign leverages social engineering, phishing, and third-party integration abuse rather than a platform vulnerability. Salesforce has not released a software patch, as the issue stems from customer configuration; the immediate workaround is to audit and restrict guest user permissions and secure publicly accessible sites.
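One way to start the guest user permission audit mentioned above, as an added example that is not from the article or from Salesforce: the script ranks object permissions held by guest profiles in an exported ObjectPermissions query result. The export query, the allow-list of intentionally public objects and the sample rows are assumptions made for this example, and it covers object permissions only, not sharing settings.

```python
# Added example (not from the article): flag object permissions granted to
# guest-user profiles in exported ObjectPermissions query results.
# Assumed export query (run by an admin, records saved as JSON):
#   SELECT Parent.Profile.Name, Parent.Profile.UserType, SobjectType,
#     PermissionsRead, PermissionsCreate, PermissionsEdit, PermissionsDelete,
#     PermissionsViewAllRecords, PermissionsModifyAllRecords
#   FROM ObjectPermissions WHERE Parent.IsOwnedByProfile = true
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
BROAD_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords")
SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2}

def audit_guest_permissions(records, allowed_read=frozenset()):
    """Return findings for guest profiles, most severe first.
    allowed_read is a hypothetical allow-list of intentionally public objects."""
    findings = []
    for rec in records:
        # Relationship fields arrive nested: rec["Parent"]["Profile"][...]
        profile = ((rec.get("Parent") or {}).get("Profile")) or {}
        if profile.get("UserType") != "Guest":
            continue  # only unauthenticated (guest) profiles are in scope
        obj = rec.get("SobjectType", "<unknown>")
        granted = [f for f in WRITE_FLAGS + BROAD_FLAGS if rec.get(f)]
        if any(f in BROAD_FLAGS for f in granted):
            severity = "critical"  # View/Modify All ignores record sharing
        elif granted:
            severity = "high"      # unauthenticated write access
        elif rec.get("PermissionsRead") and obj not in allowed_read:
            severity = "review"    # readable but not on the allow-list
        else:
            continue
        findings.append({"profile": profile.get("Name"), "object": obj,
                         "severity": severity,
                         "granted": granted or ["PermissionsRead"]})
    findings.sort(key=lambda f: (SEVERITY_ORDER[f["severity"]], f["object"]))
    return findings

def _row(profile, user_type, obj, **perms):
    """Build one record in the nested shape of a query result (constructed)."""
    return {"Parent": {"Profile": {"Name": profile, "UserType": user_type}},
            "SobjectType": obj, **perms}

# Constructed sample rows, not taken from any real org.
SAMPLE_RECORDS = [
    _row("Help Guest", "Guest", "Account", PermissionsRead=True),
    _row("Help Guest", "Guest", "Case", PermissionsRead=True, PermissionsCreate=True),
    _row("Help Guest", "Guest", "Knowledge__kav", PermissionsRead=True),
    _row("Help Guest", "Guest", "Contact", PermissionsRead=True, PermissionsViewAllRecords=True),
    _row("Standard User", "Standard", "Contact", PermissionsRead=True, PermissionsEdit=True),
]
```

Calling audit_guest_permissions(SAMPLE_RECORDS, {"Knowledge__kav"}) returns the Contact, Case and Account rows in that order; each finding is a starting point for checking whether the guest profile really needs that access.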