The hacking group ShinyHunters has warned roughly 400 companies that it may publish stolen data online if ransom demands are not met. The group claims it accessed private records through websites built on Salesforce Experience Cloud, a platform companies use to create public portals and customer support sites.
According to earlier findings by cybersecurity firm Mandiant, the attackers targeted organisations that used Salesforce’s Experience Cloud for external-facing services such as help centres and information portals.
How the breach allegedly happened? The reported intrusion appears linked to the configuration of public access settings within these websites.
Salesforce allows websites built on Experience Cloud to include a “guest user” profile so visitors can view limited information without logging in.
If these settings are configured too broadly, however, the access permissions can expose internal data to the public internet.
Investigations suggest the attackers used a modified version of a tool called Aura Inspector to scan websites for such weaknesses.
Once vulnerabilities were identified, the hackers were able to extract information including names and phone numbers.
Security experts say the stolen data may already be fueling vishing attacks.
In such scams, attackers contact employees by phone and attempt to trick them into revealing additional confidential information.
Dispute over the root cause
There is disagreement over whether the problem stems from a software flaw or from how companies configured their systems.
Salesforce has said the platform itself remains secure and that the issue is related to customer settings rather than a vulnerability in the product.
“Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” the company said in a blog post.
ShinyHunters disputes that explanation, claiming it discovered a previously unknown flaw that allows it to bypass certain protections even on sites that appear properly configured.
Independent researchers have not yet verified that claim.
Pressure tactics used by hackers
ShinyHunters is known for using aggressive extortion strategies to pressure victims into paying ransom demands. The group often releases stolen data in stages to increase pressure on organisations that refuse to negotiate.
A recent example involved Dutch telecommunications provider Odido and its brand Ben. After the company declined to pay a ransom reportedly worth one million euros, the hackers began publishing large quantities of customer data on the dark web.
Security guidance for companies
Salesforce is urging customers to review their portal configurations and tighten access controls.
The company recommends applying a “least privilege” approach, meaning guest users should only have the minimum permissions required to use a site.
Businesses are also advised to keep data private by default, disable settings that expose internal staff information, and turn off public application programming interfaces where possible.
These interfaces can allow external systems to exchange data and may create additional entry points if left open.
The incident highlights the growing risks associated with misconfigured cloud services, which security analysts say have become a common target for cybercriminal groups seeking large volumes of corporate data.
