ShinyHunters claims breach of 400 companies via cloud misconfigurations.
Data Theft Alert · Exploitation of overly permissive Experience Cloud guest users.
The ShinyHunters hacking group claims to have compromised roughly 400 companies by exploiting insecure guest user configurations on Salesforce Experience Cloud sites. Mandiant has confirmed that attackers are using a modified version of the AuraInspector tool to perform mass scans for vulnerable sites.
By bypassing record-query limitations, attackers have been siphoning sensitive data from public-facing portals since late 2025. This campaign specifically targets organizations that have not restricted guest user visibility or disabled self-registration features on their cloud sites.
The uncomfortable truth: Your cloud collaboration platforms are the new primary frontier for mass data exfiltration if your default permissions are not set to Private.
- Review and restrict Salesforce Experience Cloud guest user permissions immediately.
- Uncheck ‘Portal User Visibility’ and ‘Site User Visibility’ in Sharing Settings to prevent member enumeration.
- Disable self-registration if your site does not require unauthenticated visitors to create accounts.
Have you audited your public cloud portal configurations for overly permissive guest access this month?
#Cybersecurity #CloudSecurity #Salesforce #DataBreach #SOC #CodeDefence
