Mar 16, 2026 · 5 min read
ShinyHunters Turned a Salesforce Audit Tool Into a Weapon—400 Companies Never Saw It Coming
A notorious cybercriminal group weaponized an open source security auditing tool to mass harvest customer data from hundreds of organizations through Salesforce misconfigurations. Among the victims: a digital security company whose entire business is protecting people from exactly this kind of attack.
When a Security Company Becomes the Breach
There is a particular kind of irony when a company that sells digital security services becomes one of the most prominent victims in a massive data breach campaign. That is exactly what happened to Aura.com, a consumer privacy and identity protection firm, which lost 921,000 email records to the ShinyHunters hacking group in a campaign that has now compromised between 300 and 400 organizations globally.
The breach did not come from a sophisticated zero day exploit or a novel attack vector. It came from something far more mundane and far more preventable: misconfigured Salesforce instances that left sensitive customer data accessible to anyone who knew where to look. ShinyHunters knew exactly where to look, and they built a tool to do it at scale.
The Campaign
The ShinyHunters campaign began in early 2026 and targeted organizations running Salesforce Experience Cloud, formerly known as Community Cloud. Experience Cloud allows companies to create customer facing portals, partner sites, and self service pages that connect directly to their Salesforce CRM data. When configured properly, these portals expose only the data that external users need. When configured improperly, they can expose entire CRM databases to unauthenticated visitors.
ShinyHunters exploited the latter scenario across hundreds of companies. The group scanned the internet for publicly accessible Experience Cloud sites and then queried the underlying Salesforce Aura API endpoint at /s/sfsites/aura to extract data from CRM objects that should never have been publicly accessible. Guest user profiles with excessive permissions allowed unauthenticated API queries to return names, email addresses, phone numbers, and other customer records.
After harvesting the data, ShinyHunters attempted to extort the affected organizations. When those extortion attempts failed, the group released the stolen data publicly on March 14, 2026.
A Defensive Tool Turned Offensive
What makes this campaign technically notable is the tool ShinyHunters used. AuraInspector is an open source auditing utility originally developed for defensive purposes. Security teams use it to test whether their Salesforce Experience Cloud deployments have misconfigured guest user permissions. It queries the Aura API endpoint and reports which CRM objects and fields are exposed to unauthenticated users.
ShinyHunters took this defensive tool and weaponized it. They modified AuraInspector to conduct mass automated scans across thousands of Experience Cloud instances, identify vulnerable configurations, and extract data at industrial scale. The same tool that security professionals use to find and fix misconfigurations became the instrument of one of the largest Salesforce related data harvesting campaigns on record.
This is not a Salesforce zero day. Salesforce itself was not compromised. The vulnerability exists entirely in how individual organizations configured their Experience Cloud deployments. Salesforce has repeatedly published guidance on securing guest user profiles, but the sheer number of affected organizations suggests that misconfiguration remains widespread.
Aura: The Ironic Victim
Among the 300 to 400 affected organizations, Aura.com stands out for obvious reasons. The company markets itself as a comprehensive digital security platform offering identity theft protection, credit monitoring, VPN services, and data breach alerts. Its customers pay specifically to be protected from the kind of data exposure that Aura itself suffered.
The 921,000 email records stolen from Aura represent a significant portion of its customer base. For a security company, the reputational damage may be more lasting than the breach itself. Customers trusted Aura with their personal information precisely because they wanted better protection. Learning that Aura's own Salesforce instance was leaking their data through a known misconfiguration pattern undermines the core value proposition of the service.
The breach also raises uncomfortable questions about vendor security posture across the industry. If a company whose entire business model is digital security cannot properly configure its own Salesforce deployment, what does that say about the state of cloud configuration management more broadly?
Data Optimized for Voice Phishing
Security researchers who analyzed the released data described it as "highly optimized for vishing," or voice phishing. The dataset is not a random dump of credentials or financial records. Instead, it contains precisely the information that social engineers need to conduct convincing phone based scams: full names, email addresses, phone numbers, and organizational affiliations.
Vishing attacks work by establishing credibility. A caller who knows your name, your company, your email address, and your direct phone number can impersonate IT support, a bank representative, or a colleague with alarming plausibility. The ShinyHunters dataset gives attackers everything they need to build these pretexts at scale.
For the individuals whose records were exposed, the risk is not hypothetical. This data is now circulating in criminal forums and will likely be used in targeted vishing campaigns for months or years to come. The combination of verified contact information and organizational context makes each record significantly more valuable to attackers than a typical leaked email and password pair.
What Organizations Should Do Now
Salesforce has issued clear guidance on mitigating the risk from Experience Cloud misconfigurations. The most impactful single change is disabling public APIs on Experience Cloud sites that do not require them. Beyond that, organizations should take the following steps:
- Audit guest user profile permissions and restrict access to only the CRM objects and fields that are strictly necessary for the portal's function.
- Disable unauthenticated data queries on all Experience Cloud deployments.
- Disable self registration features on portals where they are not actively needed.
- Run the AuraInspector tool against your own Salesforce instances to identify exposed data before attackers do.
- Review Salesforce's official security health check and address any flagged issues.
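The first step in that list, auditing guest user profile permissions, can be checked from the org owner's side rather than by probing the public Aura endpoint. The script below is an added example written for this page; it is not code from the article, from Salesforce, or from the AuraInspector project. It queries Salesforce's REST query endpoint (`/services/data/<version>/query`) as an authenticated admin for the `ObjectPermissions` rows owned by guest user profiles, then flags every object a guest can read that is not on a per-site allowlist. Assumptions: the guest profiles carry the user license named `Guest User License`, the API version and the instance URL/access token you pass in are yours, and the allowlist and the sample records are constructed for illustration.

```python
"""Audit which CRM objects Experience Cloud guest user profiles can read.

Added example (not from the article, Salesforce, or AuraInspector). It runs
authenticated, from inside the org, and never touches the public Aura endpoint.
"""
import json
import urllib.parse
import urllib.request

# Assumed: Experience Cloud guest profiles use this user license name.
GUEST_LICENSE = "Guest User License"
# Any currently supported REST API version works; v60.0 is an assumption.
API_VERSION = "v60.0"

# SOQL over the ObjectPermissions setup object, limited to profile-owned
# permission sets whose profile uses the guest license.
GUEST_OBJECT_PERMS_SOQL = (
    "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
    "PermissionsViewAllRecords "
    "FROM ObjectPermissions "
    "WHERE Parent.IsOwnedByProfile = true "
    f"AND Parent.Profile.UserLicense.Name = '{GUEST_LICENSE}'"
)


def fetch_records(instance_url, access_token, soql):
    """Run a SOQL query through the REST query endpoint, following pagination.

    instance_url is e.g. https://<your-org>.my.salesforce.com (placeholder);
    access_token is an OAuth bearer token for an admin user.
    """
    url = (f"{instance_url}/services/data/{API_VERSION}/query"
           f"?q={urllib.parse.quote(soql)}")
    records = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            page = json.load(resp)
        records.extend(page.get("records", []))
        # The API returns done=false plus nextRecordsUrl when more pages exist.
        next_path = page.get("nextRecordsUrl")
        url = f"{instance_url}{next_path}" if (
            not page.get("done", True) and next_path) else None
    return records


def find_overexposed(records, allowlist):
    """Return {profile_name: {sobject: {"view_all": bool}}} for every object a
    guest profile can read that is not in allowlist[profile_name].

    "view_all" marks PermissionsViewAllRecords, which bypasses sharing rules
    and is the worst case for a guest profile.
    """
    findings = {}
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue
        profile = rec["Parent"]["Profile"]["Name"]
        sobject = rec["SobjectType"]
        if sobject in allowlist.get(profile, set()):
            continue
        findings.setdefault(profile, {})[sobject] = {
            "view_all": bool(rec.get("PermissionsViewAllRecords"))
        }
    return findings


# Constructed sample in the shape the query endpoint returns; not real org data.
SAMPLE_RECORDS = [
    {"Parent": {"Profile": {"Name": "Support Site Profile"}},
     "SobjectType": "Knowledge__kav", "PermissionsRead": True,
     "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Support Site Profile"}},
     "SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsViewAllRecords": True},
    {"Parent": {"Profile": {"Name": "Support Site Profile"}},
     "SobjectType": "Case", "PermissionsRead": False,
     "PermissionsViewAllRecords": False},
    {"Parent": {"Profile": {"Name": "Partner Inquiry Site Profile"}},
     "SobjectType": "Account", "PermissionsRead": True,
     "PermissionsViewAllRecords": False},
]

# Constructed allowlist: the support site only needs published knowledge articles.
ALLOWLIST = {"Support Site Profile": {"Knowledge__kav"}}


if __name__ == "__main__":
    # Offline demo on the constructed sample. For a live audit, replace with:
    # records = fetch_records(INSTANCE_URL, ACCESS_TOKEN, GUEST_OBJECT_PERMS_SOQL)
    for profile, objs in find_overexposed(SAMPLE_RECORDS, ALLOWLIST).items():
        for sobject, info in sorted(objs.items()):
            flag = " [View All Records]" if info["view_all"] else ""
            print(f"{profile}: guest can read {sobject}{flag}")
```

Run live by wiring `fetch_records` to an admin session, then treat every finding as a candidate for removing read access from the guest profile or, per Salesforce's guidance above, disabling public API access on the site entirely. Field-level exposure can be audited the same way against the `FieldPermissions` object.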
For individuals who may have been affected, the standard advice applies but is worth repeating: be deeply skeptical of unsolicited phone calls, especially from people who seem to know your personal details. Legitimate organizations will never pressure you to provide sensitive information over the phone. If someone calls claiming to be from your bank, insurance company, or IT department, hang up and call the organization directly using a number you find independently.
The Bigger Picture
The ShinyHunters Salesforce campaign is a case study in how cloud misconfigurations have become the low hanging fruit of modern cybercrime. There was no malware, no phishing email to gain initial access, no exploit chain. There was just an API endpoint that returned data it should not have, multiplied across hundreds of organizations that all made the same configuration mistake. The group has since expanded its tactics—ShinyHunters later stole 1PB of data from TELUS Digital through a chain attack exploiting stolen cloud credentials, demonstrating that misconfigured cloud services remain their preferred hunting ground.
As more business critical data moves into cloud platforms, the attack surface shifts from network perimeters and endpoint vulnerabilities to configuration management and access controls. The tools to audit these configurations exist. The guidance from platform vendors exists. What is missing, in too many organizations, is the operational discipline to implement it consistently.
ShinyHunters did not need a zero day. They just needed organizations to leave the front door open. Four hundred of them did.