Cybercriminals Exploit Modified Tool in Widespread Salesforce Experience Cloud Data Scans
- John Jordan

- 16 minutes ago
A surge in malicious online activity is raising alarms after security experts discovered that cybercriminals are using a customized version of the AuraInspector tool to perform mass scans and data harvesting from misconfigured Salesforce Experience Cloud sites. The campaign targets organizations with lax guest user permissions, putting sensitive customer information at risk.
Key Takeaways
- Threat actors are exploiting misconfigured Salesforce Experience Cloud sites using a modified open-source tool.
- The attack does not exploit core platform vulnerabilities but rather insecure customer configurations.
- Data such as names and phone numbers are at risk and may be used for social engineering or voice phishing (vishing).
- The likely culprit is the notorious ShinyHunters group, though no official attribution has been made.
How Attackers Are Gaining Access
Salesforce Experience Cloud enables organizations to create externally facing websites for functions like customer support and knowledge bases. These sites utilize a ‘guest user’ profile to allow access to public information—however, if customers configure these profiles with excessive permissions, they could unintentionally expose sensitive internal data.
The recently observed attacks involve a specially altered AuraInspector, originally a security auditing tool for Salesforce applications. While the genuine version helps teams find access control issues, the modified variant goes a step further: it automates discovering vulnerable endpoints and actively extracts exposed data without authentication. In particular, attackers are targeting the “/s/sfsites/aura” endpoints, seeking CRM data from organizations that have inadvertently over-shared with guest users.
Risks to Organizations and Possible Impact
Organizations affected by these attacks can have confidential customer records—such as account details, contact lists, or leads—extracted without detection. The stolen information is often leveraged in follow-up campaigns involving targeted phishing or vishing schemes, boosting the likelihood of successful fraud or deeper breaches.
No inherent vulnerability in Salesforce’s core platform has been found; instead, the campaign exploits customer-side misconfigurations. The widespread usage of Experience Cloud means that hundreds of companies could be exposed if permissions are not properly managed, as attackers automate their scanning for susceptible targets.
Who Is Behind the Campaign?
Although Salesforce has not named a specific group publicly, clues suggest involvement by the notorious ShinyHunters cybercrime outfit—known for targeting Salesforce environments via third-party integrations. Reports on the dark web claim that the gang has accessed data belonging to hundreds of organizations as part of this campaign.
Steps for Organizations to Defend Themselves
Salesforce and security experts recommend urgent review and tightening of guest user permissions for all public Experience Cloud sites. Key actions include:
- Ensuring the default external access for all objects is set to “Private.”
- Disabling unauthenticated or guest access to APIs wherever feasible.
- Restricting guest user profile visibility to prevent enumeration of internal organization members.
- Disabling self-registration features if not required.
- Monitoring access logs for large numbers of unusual queries or exports by unauthenticated profiles.
By taking these steps, organizations can drastically reduce their chances of falling victim to automated data harvesting campaigns and ward off follow-on social engineering attacks.
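The log-monitoring step above, as an added example that is not from the article or from Salesforce: it flags clients that send an unusual number of POST requests to the “/s/sfsites/aura” endpoint within a sliding time window. The log format (common access-log lines from a proxy or CDN in front of the site), the thresholds, the function names and the sample lines are all assumptions; such logs do not show whether a session is guest or authenticated, so every client is counted.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AURA_PATH = "/s/sfsites/aura"  # endpoint named in the article
# Assumption: common-log-format lines written by a proxy or CDN in front of the site.
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def find_aura_bursts(lines, window=timedelta(minutes=5), max_requests=20):
    """Return {ip: (peak requests in any window, total response bytes)} for noisy clients."""
    hits = defaultdict(list)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        # Ignore the query string; the site prefix before /s/ varies per site.
        if not m["path"].split("?", 1)[0].endswith(AURA_PATH):
            continue
        size = 0 if m["size"] == "-" else int(m["size"])
        hits[m["ip"]].append((datetime.strptime(m["ts"], TS_FMT), size))
    flagged = {}
    for ip, events in hits.items():
        events.sort()
        start = peak = 0
        for end in range(len(events)):
            # Shrink the window until it spans at most `window` of time.
            while events[end][0] - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            flagged[ip] = (peak, sum(size for _, size in events))
    return flagged

def sample_log():
    """Constructed sample lines (documentation IPs, made-up site prefix /support)."""
    base = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    row = '{} - - [{}] "{} /support/s{} HTTP/1.1" 200 5000'
    at = lambda sec: (base + timedelta(seconds=sec)).strftime(TS_FMT)
    lines = [row.format("203.0.113.7", at(i), "POST", "/sfsites/aura") for i in range(30)]
    lines += [row.format("198.51.100.20", at(600 * i), "POST", "/sfsites/aura") for i in range(3)]
    lines.append(row.format("198.51.100.20", at(5), "GET", "/"))
    return lines

if __name__ == "__main__":
    print(find_aura_bursts(sample_log()))
```

The window and threshold need tuning against a site's normal traffic, since legitimate pages also call this endpoint.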

