ShinyHunters claims to have stolen data from roughly 100 high-profile companies, including Salesforce, Snowflake, Okta, LastPass, Sony, and AMD, by abusing misconfigured guest user profiles on Salesforce Experience Cloud sites. The attackers modified AuraInspector, an open source tool originally developed by Mandiant to help administrators detect Salesforce misconfigurations, into an exploitation tool that bypasses the intended guest user restrictions and exfiltrates CRM object records. Salesforce says the issue stems from overly permissive guest user profile configurations rather than a platform vulnerability, and recommends that customers audit guest user permissions, enforce least-privilege access, disable public API access for guest users, and set the default external access (the external organization-wide default) to Private.
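The audit Salesforce recommends can be scripted. The following is an added example, not code from the article, from Salesforce or from AuraInspector: it pairs the SOQL queries an administrator would run (guest profiles, their object-level CRUD, the profile-level "API Enabled" permission, and each object's external organization-wide default) with a function that rates what comes back. The function rates a grant as high severity only when the guest profile has CRUD on an object and that object's external default is not Private, because both layers must be open before an unauthenticated guest can reach records. The sample rows at the bottom are constructed to mirror the API's JSON shape and are not from a real org; how the queries are executed (REST API, `sf data query --json`, or another client) is left to the caller.

```python
"""Audit Salesforce guest user profiles for over-permissive configuration.

Added example, not part of the article or of AuraInspector. Assumptions
(labelled): the SOQL strings below are executed by any client of your choice
and the rows handed to audit_guest_access() are the JSON records those
queries return. SAMPLE_* rows at the bottom are constructed, not real data.
"""

# 1. Guest user profiles are the ones bound to the "Guest User License".
GUEST_PROFILES_SOQL = (
    "SELECT Id, Name FROM Profile WHERE UserLicense.Name = 'Guest User License'"
)

# 2. Object-level CRUD granted by those profiles. ObjectPermissions rows hang
#    off the profile's underlying PermissionSet; {ids} is the quoted, comma
#    separated list of profile Ids from query 1 (see soql_id_list).
OBJECT_PERMISSIONS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true AND Parent.ProfileId IN ({ids})"
)

# 3. The profile-level "API Enabled" system permission for the same profiles.
PROFILE_API_SOQL = (
    "SELECT Profile.Name, PermissionsApiEnabled FROM PermissionSet "
    "WHERE IsOwnedByProfile = true AND ProfileId IN ({ids})"
)

# 4. Per-object external organization-wide default (the "Default External
#    Access" column in Sharing Settings).
EXTERNAL_OWD_SOQL = "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition"

CRUD_FLAGS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def soql_id_list(ids):
    """Render Python Ids as a quoted SOQL IN-list: ['a', 'b'] -> 'a','b'."""
    return ",".join("'" + i.replace("'", "") + "'" for i in ids)


def audit_guest_access(object_perms, profile_api, external_owd):
    """Return a list of (severity, message) findings from the query results.

    A guest reaches records only when the guest profile grants CRUD on the
    object AND the sharing model (external OWD or a guest sharing rule)
    exposes rows, so each layer is reported and the combination is escalated.
    """
    findings = []
    open_external = {
        row["QualifiedApiName"]
        for row in external_owd
        if row["ExternalSharingModel"] != "Private"
    }
    for row in object_perms:
        profile = row["Parent"]["Profile"]["Name"]
        obj = row["SobjectType"]
        granted = [f.removeprefix("Permissions") for f in CRUD_FLAGS if row.get(f)]
        if not granted:
            continue  # profile has no CRUD on this object: nothing to report
        grant = "/".join(granted)
        if obj in open_external:
            findings.append(("HIGH", f"{profile}: {grant} on {obj} and external OWD is not Private"))
        else:
            findings.append(("MEDIUM", f"{profile}: {grant} on {obj} (OWD Private; review guest sharing rules)"))
    for row in profile_api:
        if row["PermissionsApiEnabled"]:
            findings.append(("HIGH", f"{row['Profile']['Name']}: API Enabled is on for a guest profile"))
    for obj in sorted(open_external):
        findings.append(("LOW", f"external OWD for {obj} is not Private"))
    return findings


# Constructed sample rows shaped like the API's JSON (not real org data).
SAMPLE_OBJECT_PERMS = [
    {"Parent": {"Profile": {"Name": "Support Site Profile"}}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsCreate": True, "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Support Site Profile"}}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Support Site Profile"}}, "SobjectType": "Account",
     "PermissionsRead": False, "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False},
]
SAMPLE_PROFILE_API = [{"Profile": {"Name": "Support Site Profile"}, "PermissionsApiEnabled": True}]
SAMPLE_EXTERNAL_OWD = [
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Account", "ExternalSharingModel": "Private"},
]

if __name__ == "__main__":
    print("Query 2 for two profiles:", OBJECT_PERMISSIONS_SOQL.format(ids=soql_id_list(["00e1", "00e2"])))
    for severity, message in audit_guest_access(SAMPLE_OBJECT_PERMS, SAMPLE_PROFILE_API, SAMPLE_EXTERNAL_OWD):
        print(f"[{severity}] {message}")
```

On the constructed sample the script reports Contact as HIGH (guest Read plus an external default of Read), Case as MEDIUM (guest Read/Create but records hidden by a Private default, pending any guest sharing rules), and the profile's API Enabled flag as HIGH. The profile-level API flag is only part of the picture: the site-level public API access setting the article refers to is configured on the Experience Cloud site itself and should be checked there as well.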

From go.theregister.com (5 min read)
