100 Orgs Breached: Salesforce Guest User Flaw Exploited
10 Mar
Summary
- ShinyHunters claim they exploited misconfigured Salesforce permissions.
- Around 100 high-profile organizations were reportedly impacted.
- Attackers used stolen data for social engineering and phishing campaigns.

Ransomware group ShinyHunters has claimed responsibility for a data theft campaign targeting Salesforce Aura, potentially affecting around 100 prominent organizations. The attackers reportedly began scanning public-facing Salesforce Experience Cloud instances in September 2025, using a modified tool to identify portals with excessive guest user permissions.
Exploiting these misconfigurations, attackers bypassed record limits to extract sensitive Salesforce CRM data, including names and phone numbers. This information was subsequently used for social engineering and voice phishing operations. Salesforce confirmed the issue stemmed from overly broad guest user permissions, not a platform vulnerability.
ShinyHunters also indicated that reconnaissance and exploitation have been ongoing for several months. While Salesforce acknowledged the threat, it did not disclose the number of affected companies or the volume of data compromised. Some of the alleged victim organizations, including Sony and AMD, have remained silent on the matter.




