ShinyHunters Claims 100 High-Profile Victims in Latest Salesforce Data Heist
ShinyHunters, a notorious extortion crew, has claimed to have stolen data from about 100 high-profile companies in its latest Salesforce customer data heist, including Salesforce itself.
What Happened?
The crew used a modified version of an open-source tool developed by Mandiant to perform mass scanning of public-facing Experience Cloud sites. Meanwhile, Salesforce has warned that a “known threat actor group” is actively scanning for and breaking into Experience Cloud sites.
Additionally, ShinyHunters abused the Mandiant-developed tool to exploit overly permissive guest user settings and extract data. However, Salesforce notes that the issue is not due to any vulnerability inherent to the Salesforce platform, but rather due to Experience Cloud sites with misconfigured guest user profiles.
How to Prevent Data Theft
To prevent data thieves from accessing sensitive data, Salesforce recommends customers immediately audit guest user permissions and enforce a least privilege access model. Therefore, users should restrict access to the absolute minimum objects and fields required.
For example, users should ensure that the default external access is set to “private” for all objects. Meanwhile, they should also uncheck “Allow guest users to access public APIs” in site settings and uncheck “API Enabled” in the guest user profile’s System Permissions.
Conclusion
In conclusion, the latest Salesforce data heist highlights the importance of securing guest user profiles and enforcing least privilege access models. Finally, users should take immediate action to audit and restrict guest user permissions to prevent data theft.
Meanwhile, Salesforce and Mandiant are working closely to provide the necessary telemetry and detection rules to mitigate potential risk. However, it is essential for customers to take proactive measures to secure their Experience Cloud sites.
Frequently Asked Questions
- What is the focus keyphrase of this article? The focus keyphrase is “Salesforce data heist”.
- How many high-profile companies were affected by the latest Salesforce data heist? About 100 high-profile companies were affected, including Salesforce itself.
- What tool did ShinyHunters use to perform mass scanning of public-facing Experience Cloud sites? ShinyHunters used a modified version of an open-source tool developed by Mandiant.
- How can customers prevent data thieves from accessing sensitive data? Customers should immediately audit guest user permissions and enforce a least privilege access model.
- What is the recommended setting for default external access? The recommended setting is “private” for all objects.








