PROBABLYPWNED
Data Breaches | March 16, 2026 | 4 min read

ShinyHunters Claims 400 Companies Breached via Salesforce Aura Flaw

Threat group ShinyHunters exploits misconfigured Salesforce Experience Cloud sites, stealing data from 100+ organizations including 921K records from Aura.com.

Sarah Mitchell

The notorious threat group ShinyHunters has compromised between 300 and 400 organizations through misconfigured Salesforce Experience Cloud deployments, according to the group's claims and security researchers tracking the campaign. The most prominent victim is digital security firm Aura.com, with 921,000 email records exposed.

The campaign exploits misconfigured guest user permissions in Salesforce's Aura framework—not a zero-day vulnerability in the platform itself—but ShinyHunters claims they've discovered methods to bypass even "properly configured" instances.

Attack Method

ShinyHunters weaponized Aura Inspector, an open-source security auditing tool released in January 2026, to probe public-facing Experience Cloud sites. The modified tool targets the /s/sfsites/aura API endpoint to query Salesforce CRM objects without authentication.

When guest user permissions are overly permissive, attackers can:

  • Query CRM databases directly without login credentials
  • Bypass the standard 2,000-record retrieval limit by manipulating sortBy parameters
  • Bundle hundreds of server-side actions into single requests using "boxcarring"

The technique enables mass data extraction from organizations that failed to properly restrict what unauthenticated users can access through Experience Cloud portals.

Aura.com: The Ironic Victim

The highest-profile victim is Aura.com, a company that sells identity theft protection and digital security services. The irony isn't lost on the security community.

After failed extortion negotiations, ShinyHunters released the stolen data on March 14, 2026. By March 15, monitoring services had parsed the full dataset: 921,000 email records containing personally identifiable information.

The breach demonstrates that even security-focused organizations can fall victim to configuration errors—particularly in complex platforms like Salesforce where permissions aren't always intuitive.

100+ High-Profile Companies Affected

ShinyHunters claims to have "stolen data from around 100 high-profile companies this time around." While not all victims have been publicly identified, the group's track record suggests the claim is credible.

According to the group, "data harvested is usually names and phone numbers"—information valuable for targeted social engineering and vishing operations. Threat actors often combine data from multiple breaches to build comprehensive profiles for more convincing attacks.

This continues ShinyHunters' pattern of targeting Salesforce customers. Previous campaigns exploited Salesloft/Drift integrations and Gainsight connected apps.

Salesforce's Response

Salesforce maintains this is a customer configuration issue, not a platform vulnerability. Its guidance to customers includes:

  1. Review and restrict guest user permissions (apply least privilege)
  2. Disable public APIs—described as the "highest-impact single change"
  3. Disable self-registration if not required
  4. Monitor Aura Event Monitoring logs for unusual queries, unfamiliar IPs, and off-hours access

The response shifts responsibility to customers, which is technically accurate but frustrating for organizations that may not have understood the implications of default or loosely configured permissions.

The Configuration Challenge

This breach highlights a persistent problem in cloud security: the gap between platform capabilities and customer understanding. Salesforce Experience Cloud is a powerful tool, but its flexibility creates complexity. Organizations deploy customer portals without fully grasping what data becomes accessible to unauthenticated users.

The pattern repeats across cloud platforms. We've covered similar data exposure incidents where legitimate features were abused because of configuration oversights.

Detection and Response

Organizations using Salesforce Experience Cloud should immediately:

  1. Audit guest user profiles: Verify what CRM objects unauthenticated users can query
  2. Review Aura Event logs: Look for unusual object queries, high-volume requests, or unfamiliar IP addresses
  3. Restrict API access: Disable public APIs unless explicitly required
  4. Implement monitoring: Alert on abnormal access patterns, especially off-hours queries
  5. Test configurations: Use the legitimate Aura Inspector tool to identify exposures before attackers do
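The log-review steps above, and Salesforce's own advice to watch Aura Event Monitoring logs for unusual queries, unfamiliar IPs and off-hours access, can be turned into a first-pass triage script. The following is an added example, not code from this article, from Salesforce or from the Aura Inspector project. It runs over a constructed CSV of Aura request events; the column names (EVENT_TYPE, TIMESTAMP, CLIENT_IP, USER_TYPE, ACTION_COUNT, OBJECTS) are an assumed layout for illustration, not a verified Salesforce EventLogFile schema, and the IPs, thresholds and "allowed guest objects" policy are placeholders you would replace with your own baseline.

```python
"""Triage constructed Aura request log lines for the guest-user abuse patterns
the article describes: off-hours access, unfamiliar source IPs, boxcarred bulk
requests, guest queries against objects the guest profile should not expose,
and high request volume per source IP.

The CSV column names are an ASSUMED layout for illustration, loosely modelled
on a Salesforce EventLogFile export; they are not a verified schema.
"""
import csv
import io
from collections import Counter, namedtuple
from datetime import datetime

Finding = namedtuple("Finding", "reason ip timestamp detail")

# Constructed sample data (documentation-range IPs, no real organisation).
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,CLIENT_IP,USER_TYPE,ACTION_COUNT,OBJECTS
AuraRequest,2026-03-13T14:02:11Z,203.0.113.5,Standard,1,Account
AuraRequest,2026-03-13T15:10:44Z,203.0.113.9,Guest,1,Knowledge__kav
AuraRequest,2026-03-13T03:14:07Z,198.51.100.23,Guest,1,Contact
AuraRequest,2026-03-13T03:14:08Z,198.51.100.23,Guest,240,Contact;Lead
AuraRequest,2026-03-13T03:14:09Z,198.51.100.23,Guest,240,Contact;Lead
AuraRequest,2026-03-13T03:14:10Z,198.51.100.23,Guest,240,User
AuraRequest,2026-03-13T11:30:00Z,192.0.2.77,Guest,2,Case
"""

# Assumed policy inputs: IPs that normally exercise the portal (e.g. uptime
# monitors) and the only objects the guest profile is meant to expose.
KNOWN_IPS = {"203.0.113.5", "203.0.113.9"}
ALLOWED_GUEST_OBJECTS = {"Knowledge__kav"}


def analyze(log_text, known_ips=KNOWN_IPS, allowed_objects=ALLOWED_GUEST_OBJECTS,
            business_hours=(8, 18), boxcar_threshold=50, volume_threshold=3):
    """Return a list of Finding tuples for guest (unauthenticated) Aura requests.

    business_hours is a [start, end) hour range; the timestamps are treated as
    UTC (an assumption of this example)."""
    findings = []
    guest_requests_per_ip = Counter()
    start_hour, end_hour = business_hours

    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] != "AuraRequest" or row["USER_TYPE"] != "Guest":
            continue  # authenticated traffic is out of scope for this check
        ip = row["CLIENT_IP"]
        ts = row["TIMESTAMP"]
        guest_requests_per_ip[ip] += 1

        # Off-hours guest access is one of the signals Salesforce recommends watching.
        hour = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").hour
        if not (start_hour <= hour < end_hour):
            findings.append(Finding("off_hours", ip, ts, f"hour={hour:02d} UTC"))

        if ip not in known_ips:
            findings.append(Finding("unfamiliar_ip", ip, ts, "not in known_ips"))

        # Many server-side actions bundled into one request ("boxcarring").
        actions = int(row["ACTION_COUNT"])
        if actions >= boxcar_threshold:
            findings.append(Finding("boxcarring", ip, ts, f"{actions} actions in one request"))

        # Guest queries touching objects outside the intended allow-list.
        objects = set(row["OBJECTS"].split(";")) if row["OBJECTS"] else set()
        leaked = sorted(objects - allowed_objects)
        if leaked:
            findings.append(Finding("restricted_object", ip, ts, ",".join(leaked)))

    # Volume is judged per source IP once the whole file has been read.
    for ip, count in guest_requests_per_ip.items():
        if count >= volume_threshold:
            findings.append(Finding("high_volume", ip, None, f"{count} guest requests"))

    return findings


def findings_by_reason(findings):
    """Count findings per reason; useful for a dashboard or alert threshold."""
    return Counter(f.reason for f in findings)


def guest_request_counts(log_text):
    """Guest requests per source IP, for baselining normal portal traffic."""
    return Counter(
        row["CLIENT_IP"]
        for row in csv.DictReader(io.StringIO(log_text))
        if row["EVENT_TYPE"] == "AuraRequest" and row["USER_TYPE"] == "Guest"
    )


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.reason:17} {f.ip:15} {f.timestamp or '-':20} {f.detail}")
```

On the constructed sample the single benign guest row (known IP, business hours, one action, an allowed object) produces no findings, while the 03:14 burst from 198.51.100.23 trips every rule at once, which is the shape of activity to escalate. The `restricted_object` rule is the one worth tuning first: it only works if the allow-list actually reflects what the guest profile is supposed to expose, which is exactly what the "audit guest user profiles" step establishes.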

For Aura.com customers specifically, the company should be issuing breach notifications with guidance on monitoring for fraud. If you use their services, assume your data may be compromised and watch for targeted phishing attempts leveraging the stolen information.

The incident serves as a reminder that understanding breach risks requires looking beyond traditional vulnerabilities. Misconfigurations in cloud platforms now represent a primary attack surface, and defense requires both technical controls and organizational awareness of how features can be abused.
