“Pay Up or Become the Next Headline”: ShinyHunters Threaten Hacked Salesforce Customers
The ShinyHunters hacking group has been exploiting misconfigured guest user profiles in Salesforce Experience Cloud sites to access sensitive data from hundreds of companies. This does not stem from platform vulnerabilities but from overly permissive guest user permissions that allow unauthenticated access to restricted Salesforce CRM objects. Salesforce urges admins to apply the principle of least privilege and offers concrete recommendations to secure guest user settings, such as auditing configurations, disabling unnecessary public API access, and tightening sharing settings. Salesforce professionals should prioritize reviewing and restricting permissions on guest profiles to prevent data leaks and reduce exposure to threats like social engineering and vishing attacks.
- Audit guest user profiles for minimum necessary permissions.
- Set Org Wide Defaults to Private to restrict external access.
- Disable guest user access to public APIs and unnecessary system permissions.
- Uncheck portal and site user visibility to protect internal member information.
- Review and apply field-level security and enhanced personal information masking (EPIM).
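The checklist above can be turned into a repeatable check. The script below is an added example, not Salesforce's own tooling: it reads the records that a Salesforce CLI `sf data query --json` call would return for three SOQL queries (quoted in the `SOQL_*` constants; the field and relationship names are standard Profile, ObjectPermissions and EntityDefinition fields, but verify them against your org's API version) and flags guest-profile settings that contradict the least-privilege items. The sample records are constructed for illustration and show one over-permissioned guest profile. Portal user visibility and EPIM are not queried here, since they live in Sharing Settings rather than the objects this script reads.

```python
"""Offline checker for the Experience Cloud guest-user hardening items above.

Added example, not Salesforce's own tooling. Feed it the `records` arrays from
`sf data query --json` for the SOQL_* queries below; the SAMPLE_* data is
constructed to stand in for that output so the script runs offline.
"""
from dataclasses import dataclass

# Assumed queries (standard objects/fields; confirm against your org):
SOQL_PROFILES = (
    "SELECT Id, Name, PermissionsApiEnabled, PermissionsViewAllData, "
    "PermissionsModifyAllData FROM Profile "
    "WHERE UserLicense.Name = 'Guest User License'"
)
SOQL_OBJECT_PERMS = (
    "SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsCreate, "
    "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords "
    "FROM ObjectPermissions WHERE Parent.ProfileId IN (...)"
)
SOQL_SHARING = (
    "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition "
    "WHERE QualifiedApiName IN ('Account','Contact','Lead','Case','Opportunity')"
)

# Constructed sample records shaped like the CLI's JSON output.
SAMPLE_PROFILES = [
    {"Id": "00e000000000001", "Name": "Customer Site Profile",
     "PermissionsApiEnabled": True, "PermissionsViewAllData": False,
     "PermissionsModifyAllData": False},
]
SAMPLE_OBJECT_PERMS = [
    {"Parent": {"ProfileId": "00e000000000001"}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": True,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False},
    {"Parent": {"ProfileId": "00e000000000001"}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsCreate": True, "PermissionsEdit": False,
     "PermissionsDelete": False, "PermissionsViewAllRecords": False},
]
SAMPLE_SHARING = [
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "ReadWrite"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
]

SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity"}
SYSTEM_PERMS = ("PermissionsApiEnabled", "PermissionsViewAllData", "PermissionsModifyAllData")
OBJECT_PERM_FIELDS = ("PermissionsRead", "PermissionsCreate", "PermissionsEdit",
                      "PermissionsDelete", "PermissionsViewAllRecords")


@dataclass(frozen=True)
class Finding:
    profile: str
    item: str      # which checklist item the finding relates to
    detail: str


def audit_guest_access(profiles, object_perms, sharing):
    """Return a list of Finding objects; an empty list means nothing was flagged."""
    findings = []
    perms_by_profile = {}
    for rec in object_perms:
        perms_by_profile.setdefault(rec["Parent"]["ProfileId"], []).append(rec)
    ext_model = {s["QualifiedApiName"]: s["ExternalSharingModel"] for s in sharing}

    for prof in profiles:
        name = prof["Name"]
        # Checklist: disable API access and other system permissions on guest profiles.
        for perm in SYSTEM_PERMS:
            if prof.get(perm):
                findings.append(Finding(name, "system-permission", f"{perm} is enabled"))
        for rec in perms_by_profile.get(prof["Id"], []):
            obj = rec["SobjectType"]
            if obj not in SENSITIVE_OBJECTS:
                continue
            # Checklist: minimum necessary object permissions (any grant is reported).
            granted = [k for k in OBJECT_PERM_FIELDS if rec.get(k)]
            if granted:
                findings.append(Finding(name, "object-permission",
                                        f"{obj}: {', '.join(granted)}"))
            # Checklist: external Org Wide Default must be Private where the guest can read.
            if rec.get("PermissionsRead") and ext_model.get(obj, "Private") != "Private":
                findings.append(Finding(name, "sharing-default",
                                        f"{obj} external OWD is {ext_model[obj]}, expected Private"))
    return findings


if __name__ == "__main__":
    for f in audit_guest_access(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMS, SAMPLE_SHARING):
        print(f"[{f.item}] {f.profile}: {f.detail}")
```

Run against real output by replacing the `SAMPLE_*` lists with the `result.records` arrays from each query; any `PermissionsRead` grant on a CRM object combined with a non-Private external default is the combination the article's campaign relies on, so those two findings together deserve attention first.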
The ShinyHunters hacking group is threatening to expose compromised companies, telling them to “pay a small price” or become “the next headline”. The hackers, who have been targeting hundreds of companies via their Salesforce instances since 2025 and are believed to be behind recent Experience Cloud hacks, said in a March 9 update that businesses that do not comply with their demands face a complete data leak.

‘Reply, Engage, Pay a Small Price’

Salesforce consistently stresses that its own software is not the issue when it comes to these campaigns, and that Salesforce “remains secure”. The company says in a security update: “This issue is not due to any vulnerability inherent to our platform. Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw.” Salesforce has published guidance to help customers take the right action to secure their orgs.