Salesforce Warns of ShinyHunters Campaign Targeting Misconfigured Experience Cloud Sites
Salesforce has warned of a serious, ongoing threat campaign that is going after Experience Cloud sites that are not configured correctly. The infamous hacker group ShinyHunters has taken credit for a large data theft operation that took advantage of overly permissive guest user settings, affecting hundreds of well-known companies.
Salesforce's Cyber Security Operations Center says that this campaign does not depend on a flaw in the Salesforce platform itself. Instead, it takes advantage of mistakes made by customers. In a standard Experience Cloud setup, a guest user profile lets people who are not logged in see public data. But when these profiles are misconfigured with too many permissions, sensitive internal records are exposed to the public.
The threat actors are using a modified version of Aura Inspector, an open-source tool that Mandiant made for security auditing, to scan large numbers of public sites at once. The standard tool can find risks of data exposure, but ShinyHunters built their own version that can actively extract data. By probing exposed API endpoints, attackers can directly query Salesforce CRM objects without logging in and retrieve sensitive information.
ShinyHunters says it has hacked into up to 400 websites and about 100 well-known businesses. The stolen data, which often includes personal information such as names and phone numbers, makes follow-up targeted social engineering and voice phishing attacks easier. The group is also using its well-known extortion methods, saying that if the ransoms are not paid, it will publish the stolen business data on dark web leak sites.
Getting to the Bottom of the Data Access Problem
Salesforce uses a layered security model that includes object access, record access, field-level security, and field value masking. If any of these layers is configured too broadly for guest users, the whole chain is broken. This lets attackers bypass interface restrictions and pull unmasked data straight from the backend database.
Salesforce says that administrators need to switch immediately to a least privilege access model to keep their environments safe. Some important defensive actions are:
Disable Public APIs: This is the change that will have the most effect. Organizations should uncheck the box that lets guest users access public APIs. This immediately blocks unauthenticated queries to the targeted Aura endpoint.
Audit Guest Profiles: Check and limit guest user access to only the objects and fields that are absolutely necessary for the site to work.
Set Defaults to Private: Make sure that the default external access for objects is private, so that guest users cannot see records unless explicit sharing rules grant access.
Limit Internal Visibility: Turn off portal and site user visibility settings to stop attackers from discovering who works for your organization.
Turn Off Self-Registration: Turn off public account creation if you do not need it. This stops attackers who enter as a guest from escalating to a real user account.
Companies that use Salesforce Experience Cloud need to check their environments quickly. Properly securing guest user settings is what protects against this ongoing campaign.
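As an added example (not Salesforce's code or anything from the advisory), here is how the "Audit Guest Profiles" step can be scripted: a SOQL query over the standard ObjectPermissions setup object lists what guest profiles may do, and a small check flags any grant that breaks least privilege. The records are constructed inline so it runs offline; the license-name filter in the query and the allow-list of site objects are assumptions.

```python
"""Offline audit of Experience Cloud guest-profile object permissions.
Added example, not Salesforce code. Input: the "records" list of a SOQL query
against the standard ObjectPermissions setup object (REST query endpoint),
fetched separately; the license-name filter and allow-list are assumptions."""

# SOQL to run against the org; Parent.Profile resolves because ObjectPermissions
# belong to a PermissionSet that is owned by the profile.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, "
    "PermissionsModifyAllRecords FROM ObjectPermissions "
    "WHERE Parent.Profile.UserLicense.Name = 'Guest User License'"  # assumed filter
)
# Permissions an unauthenticated guest should never hold.
HIGH_RISK_FLAGS = ("PermissionsViewAllRecords", "PermissionsModifyAllRecords",
                   "PermissionsCreate", "PermissionsEdit", "PermissionsDelete")
# Objects the site genuinely needs to render; site-specific placeholder.
ALLOWED_FOR_GUEST = frozenset({"Knowledge__kav"})

def audit_guest_object_permissions(records, allowed=ALLOWED_FOR_GUEST):
    """Return one finding per guest object permission that breaks least privilege."""
    findings = []
    for rec in records:
        obj, profile = rec["SobjectType"], rec["Parent"]["Profile"]["Name"]
        granted = [flag for flag in HIGH_RISK_FLAGS if rec.get(flag)]
        if granted:  # any write or view-all grant is high regardless of object
            findings.append({"profile": profile, "object": obj, "severity": "high",
                             "reason": "guest holds " + ", ".join(granted)})
        elif rec.get("PermissionsRead") and obj not in allowed:
            findings.append({"profile": profile, "object": obj, "severity": "medium",
                             "reason": "guest read on object outside site allow-list"})
    return findings

def sample_record(obj, **flags):
    """Constructed query-result row (not real data) with all permissions off by default."""
    rec = {"Parent": {"Profile": {"Name": "Customer Site Guest User"}}, "SobjectType": obj}
    rec.update({flag: False for flag in ("PermissionsRead",) + HIGH_RISK_FLAGS})
    rec.update(flags)
    return rec

SAMPLE_RECORDS = [
    sample_record("Knowledge__kav", PermissionsRead=True),              # expected clean
    sample_record("Contact", PermissionsRead=True),                     # medium: PII readable
    sample_record("Case", PermissionsRead=True, PermissionsEdit=True),  # high: writable
]

if __name__ == "__main__":
    for f in audit_guest_object_permissions(SAMPLE_RECORDS):
        print(f"[{f['severity']}] {f['profile']} / {f['object']}: {f['reason']}")
```

A FieldPermissions query of the same shape covers the field-level security layer the article mentions; the same check logic applies with the field name in place of the object.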