ShinyHunters said it stole data from almost 400 websites and approximately 100 major enterprises, including Salesforce, Snowflake, Okta, LastPass, Sony, and AMD. The threat actors systematically targeted internet-facing Salesforce Experience Cloud implementations to extract protected customer data repositories.
The ShinyHunters Salesforce compromise did not exploit an inherent software vulnerability within the core platform architecture – the attackers leveraged a critical Salesforce guest user privilege escalation misconfiguration. A ShinyHunters spokesperson told The Register that they conducted recon and exploitation “for several months now.”
Excessive permissions assigned to guest user profiles, which are designed to enable unauthenticated access to public content, would allow threat actors to directly query and extract protected CRM data objects without authentication mechanisms, Salesforce warned on Saturday.
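As an added example (not Salesforce's or Mandiant's tooling), the following script audits a guest user profile's object permissions as they appear in Salesforce Profile metadata XML, flagging any object access outside an allowlist. The sample profile and the allowlist contents are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"md": "http://soap.sforce.com/2006/04/metadata"}
# Access flags carried by each <objectPermissions> entry of a Profile
FLAGS = ("allowRead", "allowCreate", "allowEdit", "allowDelete",
         "viewAllRecords", "modifyAllRecords")
# Assumption: objects this site intentionally exposes to unauthenticated visitors
PUBLIC_ALLOWLIST = {"Knowledge__kav"}

def _perm(obj, **flags):
    """Build one constructed <objectPermissions> element for the sample."""
    body = "".join(f"<{f}>{str(flags.get(f, False)).lower()}</{f}>" for f in FLAGS)
    return f"<objectPermissions>{body}<object>{obj}</object></objectPermissions>"

# Constructed sample standing in for a retrieved guest user profile
SAMPLE_PROFILE = (
    '<Profile xmlns="http://soap.sforce.com/2006/04/metadata">'
    + _perm("Account", allowRead=True, viewAllRecords=True)
    + _perm("Contact", allowRead=True, allowEdit=True)
    + _perm("Knowledge__kav", allowRead=True)
    + _perm("Case")
    + "</Profile>"
)

def audit_guest_profile(xml_text, allowlist=PUBLIC_ALLOWLIST):
    """Return {object: [granted flags]} for objects outside the allowlist."""
    root = ET.fromstring(xml_text)
    findings = {}
    for perm in root.findall("md:objectPermissions", NS):
        obj = perm.findtext("md:object", default="", namespaces=NS).strip()
        granted = [
            f for f in FLAGS
            if perm.findtext(f"md:{f}", default="false",
                             namespaces=NS).strip().lower() == "true"
        ]
        # Any granted flag on a non-allowlisted object is unauthenticated CRM access
        if granted and obj not in allowlist:
            findings[obj] = granted
    return findings

if __name__ == "__main__":
    for obj, granted in sorted(audit_guest_profile(SAMPLE_PROFILE).items()):
        print(f"REVIEW guest access to {obj}: {', '.join(granted)}")
```

Object permissions are only one layer of guest exposure; sharing settings for the guest user need the same review.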
ShinyHunters modified AuraInspector, an open-source security assessment tool originally developed by Mandiant for administrators to identify configuration weaknesses, Mandiant Consulting CTO Charles Carmakal said.
This information was confirmed by ShinyHunters, according to The Register, which added that they engineered custom code modifications for vulnerability scanning procedures and to bypass the standard 2,000-record extraction limit for guest users, and “exfiltrate all available Salesforce Object records on a vulnerable target.”
In response to this security incident, Salesforce has issued guidance directing organizations to conduct immediate audits of guest user permission configurations. Immediate mitigation steps recommend users to:
A February Mandiant report outlined how ShinyHunters' extortion tactics, vishing, and SSO compromise target cloud environments. In late January, an Okta advisory warned that its SSO accounts were targeted in a vishing campaign that used custom Phishing-as-a-Service kits, which ShinyHunters claimed.
In November 2025, Salesforce data was stolen via third-party provider Gainsight. The breach was then claimed by ShinyHunters, which announced “almost 1,000” victims. In June 2024, a ShinyHunters member detailed how they allegedly stole Snowflake customer data.