Salesforce issues customer alert as ShinyHunters group claims Experience Cloud breach

Threat actors are using a modified version of the AuraInspector tool, according to Salesforce


Salesforce has issued a warning over an ongoing campaign targeting customers using misconfigured Experience Cloud platforms.

In an advisory last week, the CRM giant said a “known threat actor group” has been observed using a modified, malicious version of the AuraInspector tool, which is used against the Salesforce Aura framework to identify security misconfigurations in Experience Cloud sites.

The open source tool was originally developed by Mandiant; threat actors are now using it to “perform mass scanning of public-facing Experience Cloud sites” and extract data.

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose (specifically the /s/sfsites/aura endpoint), the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings,” the company said.

Salesforce emphasized that the incident was not caused by a “vulnerability inherent to our platform”, but instead due to a customer-configured guest user setting.

This is because a public Experience Cloud site uses a guest user profile to give unauthenticated visitors access to data that is intended to be public.

However, the company noted that misconfigured profiles with excessive permissions could allow a threat actor to “directly query Salesforce CRM objects” without logging in.

Charles Carmakal, CTO at Mandiant, said the company is aware of the AuraInspector misuse and is working with Salesforce to mitigate risks.

“We are aware of a threat actor attempting to identify misconfigurations within the Salesforce Experience Cloud instances,” he told ITPro.

“We are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk."

ShinyHunters claims responsibility

The “known threat actor group” cited by Salesforce appears to be ShinyHunters, with the group claiming responsibility for the attacks.

According to reports from The Register, the threat group claims to have stolen data from upwards of 400 websites and around 100 “essential high profile companies”.

Companies cited by the group included Snowflake, LastPass, Okta, AMD, and Salesforce. The group told the publication that the campaign has been ongoing “for several months now”.

What can Salesforce customers do?

In its advisory, Salesforce detailed a number of steps customers can take to mitigate potential risks, including:

  • Enforce a “least privilege” access model
  • Conduct an audit of guest user permissions
  • Set Org Wide Defaults to “Private”
  • Switch off portal user visibility and site user visibility

Salesforce also advised customers to disable self-registration unless explicitly required. This is because guest data can be used to create portal accounts, thereby enabling “broader data access”.
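The checklist above can be turned into a repeatable audit. The following is an added example written for this article, not a Salesforce or Mandiant tool: it takes a constructed summary of a guest profile's object permissions, the org-wide defaults and the site settings (the `GuestConfig` structure and its field names are assumptions, not a Salesforce export format) and reports each deviation from the advisory's guidance.

```python
"""Audit an Experience Cloud guest profile against the advisory's checklist.

Added example, not Salesforce's own tooling. The input structure is a
constructed summary an admin could assemble from Setup (guest profile object
permissions, org-wide defaults, site settings); the field names are
assumptions for illustration, not a Salesforce export format.
"""
from dataclasses import dataclass

# Assumption: the objects this particular site is meant to expose to
# unauthenticated visitors. Anything else readable by the guest is a finding.
PUBLIC_ALLOWLIST = {"Knowledge__kav"}


@dataclass(frozen=True)
class ObjectPerm:
    sobject: str
    read: bool = False
    create: bool = False
    edit: bool = False
    delete: bool = False
    view_all: bool = False


@dataclass
class GuestConfig:
    object_perms: list        # ObjectPerm entries on the guest profile
    org_wide_defaults: dict   # sobject -> "Private" | "Public Read Only" | "Public Read/Write"
    self_registration: bool
    portal_user_visibility: bool
    site_user_visibility: bool


def audit_guest_config(cfg):
    """Return (severity, subject, message) tuples, one per deviation from the checklist."""
    findings = []
    for p in cfg.object_perms:
        # Guests should never be able to write; any write bit is a high finding.
        writes = [n for n, on in (("create", p.create), ("edit", p.edit), ("delete", p.delete)) if on]
        if writes:
            findings.append(("high", p.sobject, "guest profile has write access: " + ", ".join(writes)))
        # View All bypasses sharing entirely, so org-wide defaults no longer protect the object.
        if p.view_all:
            findings.append(("high", p.sobject, "guest profile has View All, bypassing sharing"))
        # Read on a non-allowlisted object is exactly what the advisory warns about.
        if p.read and p.sobject not in PUBLIC_ALLOWLIST:
            findings.append(("high", p.sobject, "guest read on an object not intended to be public"))
    # Advisory: set org-wide defaults to Private and grant access via sharing rules.
    for obj, owd in cfg.org_wide_defaults.items():
        if owd != "Private":
            findings.append(("medium", obj, f"org-wide default is '{owd}'; advisory recommends Private"))
    # Self-registration lets guest-visible data be used to create portal accounts.
    if cfg.self_registration:
        findings.append(("medium", "site", "self-registration enabled; disable unless explicitly required"))
    if cfg.portal_user_visibility:
        findings.append(("low", "org", "portal user visibility enabled; advisory says switch off"))
    if cfg.site_user_visibility:
        findings.append(("low", "org", "site user visibility enabled; advisory says switch off"))
    return findings


# Constructed sample configuration with several deliberate deviations.
SAMPLE = GuestConfig(
    object_perms=[
        ObjectPerm("Knowledge__kav", read=True),
        ObjectPerm("Contact", read=True),
        ObjectPerm("Case", read=True, create=True),
    ],
    org_wide_defaults={"Contact": "Public Read Only", "Case": "Private", "Knowledge__kav": "Private"},
    self_registration=True,
    portal_user_visibility=False,
    site_user_visibility=True,
)

if __name__ == "__main__":
    for severity, subject, message in audit_guest_config(SAMPLE):
        print(f"[{severity}] {subject}: {message}")
```

Run as a script it prints six findings for the sample: three high (guest read on Contact, create and read on Case), two medium (Contact's org-wide default, self-registration) and one low (site user visibility). In practice the `PUBLIC_ALLOWLIST` is the part that needs thought: it is the explicit statement of what the site is supposed to expose, and everything the audit flags is measured against it.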

“In addition to checking for unusual query volumes, review your Aura Event Monitoring logs for anomalous access patterns — such as queries targeting objects not intended to be public, unexpected spikes from unfamiliar IP addresses, or access outside normal business hours,” Salesforce said.

“If you suspect your environment may have been affected, contact Salesforce Support and complete the guest user audit steps outlined above rather than relying on log volume alone.”
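The three patterns Salesforce lists (queries against objects not meant to be public, request spikes from unfamiliar IP addresses, and access outside business hours) map directly onto simple detection logic. The block below is an added example, not Salesforce's or Mandiant's detection rules: it runs those three checks over a constructed CSV that only resembles an Aura request export (the column names, the public-object set, the business-hours window and the known-IP list are all assumptions for illustration, not the Event Monitoring schema).

```python
"""Flag anomalous guest access in Experience Cloud request logs.

Added example. SAMPLE_LOG is constructed to resemble an Aura request export;
its column names are assumptions for illustration and are not claimed to
match Salesforce's Event Monitoring schema.
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample: one benign guest session, one scripted guest run at
# night that walks through CRM objects, and one authenticated user.
SAMPLE_LOG = """\
timestamp,user_type,client_ip,sobject,rows
2024-06-03T09:12:01Z,Guest,198.51.100.7,Knowledge__kav,12
2024-06-03T09:15:44Z,Guest,198.51.100.7,Knowledge__kav,3
2024-06-03T02:03:10Z,Guest,203.0.113.9,Contact,2000
2024-06-03T02:03:12Z,Guest,203.0.113.9,Lead,2000
2024-06-03T02:03:15Z,Guest,203.0.113.9,Case,2000
2024-06-03T02:03:17Z,Guest,203.0.113.9,Contact,2000
2024-06-03T02:03:19Z,Guest,203.0.113.9,Opportunity,2000
2024-06-03T02:03:21Z,Guest,203.0.113.9,Account,2000
2024-06-03T14:20:00Z,Authenticated,192.0.2.44,Contact,5
"""

PUBLIC_OBJECTS = {"Knowledge__kav"}   # assumption: what the site intends to expose to guests
BUSINESS_HOURS = range(8, 18)        # assumption: 08:00-17:59 UTC is normal traffic
KNOWN_IPS = {"198.51.100.7"}         # assumption: familiar sources (e.g. corporate egress)
SPIKE_THRESHOLD = 5                  # guest requests per source IP per minute


def parse_log(text):
    """Parse the CSV export into dicts with a datetime and integer row count."""
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:
        r["ts"] = datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["rows"])
    return rows


def detect(rows):
    """Apply the advisory's three patterns to guest requests only.

    Returns a dict keyed by pattern name; each value lists the matching events.
    """
    alerts = defaultdict(list)
    per_minute = Counter()
    for r in rows:
        # Authenticated users are governed by their own profiles; the advisory
        # is about what an unauthenticated guest can reach.
        if r["user_type"] != "Guest":
            continue
        ip = r["client_ip"]
        if r["sobject"] not in PUBLIC_OBJECTS:
            alerts["non_public_object"].append((ip, r["sobject"], r["rows"]))
        if r["ts"].hour not in BUSINESS_HOURS:
            alerts["off_hours"].append((ip, r["timestamp"]))
        per_minute[(ip, r["ts"].strftime("%Y-%m-%dT%H:%M"))] += 1
    # A burst from an unfamiliar address is the "unexpected spike" pattern.
    for (ip, minute), n in per_minute.items():
        if n >= SPIKE_THRESHOLD and ip not in KNOWN_IPS:
            alerts["spike_unfamiliar_ip"].append((ip, minute, n))
    return dict(alerts)


if __name__ == "__main__":
    for pattern, hits in detect(parse_log(SAMPLE_LOG)).items():
        print(f"{pattern}: {len(hits)} hit(s)")
        for hit in hits:
            print("   ", hit)
```

On the sample the benign session at 198.51.100.7 produces nothing, while 203.0.113.9 trips all three patterns: six requests against non-public objects, six off-hours events, and a six-request burst within one minute from an address not in the known list. The row counts are carried through so an analyst can see at a glance whether a flagged query returned a handful of records or a bulk page, which is the difference between a curious visitor and extraction.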


Ross Kelly
News and Analysis Editor
