ShinyHunters and the Salesforce Experience Cloud Campaign: How Misconfigured Portals Create Supply Chain Risk

Published

Mar 12, 2026

Authors

Black Kite Research Group


In early March 2026, a large-scale data theft and extortion campaign began targeting organizations running public-facing Salesforce Experience Cloud portals. The activity has been attributed to the cybercrime group ShinyHunters, which claims to have obtained data from hundreds of organizations and has threatened to release stolen information beginning March 14, 2026, unless victims comply with extortion demands.


Unlike many ransomware operations that focus on encrypting systems, this campaign revolves around data exposure and extraction from cloud-based customer relationship management (CRM) environments. The attackers are exploiting a combination of publicly accessible Salesforce portals, overly permissive guest user configurations, and automated reconnaissance tools to harvest sensitive information from organizations at scale.

What makes the campaign particularly significant is that it does not appear to rely on a vulnerability in Salesforce itself. Instead, the attacks take advantage of misconfigured access controls in Experience Cloud environments, allowing unauthenticated users to query backend CRM objects that were never intended to be public.

For organizations and their supply chains, the implications go far beyond Salesforce. The campaign demonstrates how a single misconfigured portal can rapidly scale into a multi-company exposure event, affecting vendors, partners, and customers simultaneously.

The Actors Behind the Campaign: ShinyHunters and Their Involvement in The SLH Supergroup

The activity attributed to ShinyHunters increasingly appears to be part of a broader threat ecosystem sometimes described as the Scattered-Lapsus$-Hunters (SLH) supergroup.

This loose alliance blends several complementary capabilities:

  • Scattered Spider’s expertise in social engineering and voice phishing

  • ShinyHunters’ automation and data extraction tooling

  • LAPSUS$-style extortion tactics and public leak campaigns

Their goal is not simply financial gain through ransomware encryption. Instead, they focus on large-scale data theft, public exposure, and reputational pressure.

Victims frequently receive “Final Warning” notices on the group’s leak sites, threatening the public release of stolen data if payments are not made.

The actors also appear to deliberately target high-profile organizations and widely used platforms, maximizing both media attention and leverage.

Recent reporting suggests the campaign has affected hundreds of websites and potentially more than one hundred major organizations, including technology and cybersecurity companies.

This approach reflects a strategic shift in cybercrime: rather than breaching individual companies one by one, attackers increasingly target shared enterprise platforms used across entire ecosystems.

How the Salesforce Experience Cloud Vector Works

At the center of the campaign is the /s/sfsites/aura endpoint used in Salesforce Experience Cloud portals.

Experience Cloud allows organizations to build public or semi-public web portals that interact directly with Salesforce CRM data. These portals commonly support:

  • Customer support portals
  • Partner communities
  • Knowledge bases
  • Self-service workflows

Visitors accessing these portals without authentication operate under a guest user profile.

Under normal conditions, this guest profile should only have access to limited, intentionally public content.

However, when guest profiles are configured with excessive permissions, attackers can exploit the exposed API endpoints to query backend Salesforce data directly.

Threat actors have been observed using a modified version of the open-source AuraInspector tool, originally developed by Mandiant, to scan public Experience Cloud instances and identify environments where guest users have excessive access.

If the following conditions exist simultaneously, attackers can extract data without authentication:

  • Guest user access enabled
  • Object-level read permissions
  • Field-level read permissions
  • API access permitted

When these controls overlap incorrectly, attackers can query core CRM objects such as:

  • Account
  • Contact
  • Lead
  • Case

The exposed data often includes names, phone numbers, customer records, and internal business information, which can later be used for extortion, phishing, and voice-phishing campaigns.

Salesforce has emphasized that the campaign does not involve a platform vulnerability, but rather misconfigured customer environments.

The Aura Endpoint Is Only One Tool in the Arsenal

Although much of the public reporting has focused on the Aura endpoint, the SLH ecosystem has demonstrated repeatedly that Salesforce environments can be compromised through multiple pathways.

The same actor cluster has previously conducted campaigns involving:

Salesloft / Drift OAuth Compromise

In 2025, attackers stole OAuth credentials from Salesloft Drift, allowing them to connect to Salesforce instances and scrape sensitive support case data.

Gainsight Token Pivot

In another campaign, the actors compromised Gainsight authentication tokens, enabling access to the internal systems of hundreds of organizations that integrated Gainsight with Salesforce.

These incidents highlight an important point: Salesforce customers may be at risk even when their own endpoints are secured, if attackers compromise connected SaaS platforms or authentication tokens.

The Salesforce ecosystem often includes dozens of integrated applications, making it an attractive target for attackers seeking lateral movement across enterprise SaaS environments.

Speed, Automation, and Scale

Unlike traditional cyber espionage operations that move slowly and carefully, the current campaign appears to prioritize speed and scale.

Attackers are scanning large numbers of public portals and rapidly extracting accessible data using automated tools.

Because the activity relies on legitimate API endpoints, the traffic may resemble normal application behavior and may not trigger traditional web application firewall alerts.

Security researchers have observed that the group began scanning Experience Cloud environments as early as September 2025, with automation increasing in early 2026 after modifications were made to the AuraInspector tool.

This automation allows attackers to identify vulnerable environments across the internet quickly, turning isolated configuration mistakes into systemic exposure events.

Urgent Threat Update: March 14 Data Leak Deadline

As part of the campaign, ShinyHunters has issued public warnings stating that data allegedly stolen from hundreds of organizations will be released beginning March 14, 2026, unless victims engage with their extortion demands.

While such claims should always be treated cautiously until independently verified, the tactic aligns with the group’s established playbook: large-scale data theft followed by public leak threats designed to pressure victims into payment.

Even organizations that have not confirmed a breach may still face risks from downstream attacks, including phishing, impersonation, and social engineering based on exposed contact information.

Why This Matters for Third-Party Risk

For many organizations, Salesforce is not only an internal platform—it is also part of their vendor ecosystem.

Vendors may use Salesforce portals to manage:

  • Customer support interactions
  • Partner collaboration
  • Sales operations
  • CRM data exchanges

This means that even if an organization has secured its own Salesforce environment, it may still face exposure if a vendor’s portal exposes shared data.

A misconfigured portal used by a supplier or service provider could potentially expose:

  • Customer contact records
  • Case management data
  • Business relationships
  • Internal employee information

This dynamic makes the campaign particularly relevant for third-party cyber risk management programs.

How Black Kite Identified Salesforce Usage and Exposure

In response to the ShinyHunters campaign, Black Kite has evolved its detection capabilities to distinguish between general platform usage and active technical exposure. Our methodology now utilizes a two-tiered tagging system to provide a clear picture of risk across the digital supply chain.

1. Salesforce Client (Platform Usage)

This tag identifies organizations that utilize the Salesforce ecosystem. Black Kite Research Group applied multiple intelligence collection techniques, including:

  • Subdomain discovery and analysis to identify Experience Cloud portals
  • Detection of Salesforce instance URLs and branded community domains
  • Analysis of public websites and customer testimonials referencing Salesforce deployments
  • Review of cybersecurity reporting and public disclosures
  • Examination of stealer log datasets, where credentials referencing Salesforce domains may indicate organizational usage
  • Cross-referencing Black Kite’s proprietary digital footprint intelligence

Using this intelligence, Black Kite identified organizations likely to operate Salesforce environments and applied a Salesforce Client FocusTag™ to provide immediate visibility for risk teams.


The presence of this tag does not indicate that a breach has occurred. Instead, it signals that the organization is potentially relevant to the current threat campaign and may warrant additional review.

2. Salesforce Aura (Exposure)

In parallel with this analysis, the Black Kite Research Group has been actively developing internal detection capabilities based on the same mechanics used in the campaign. Specifically, the team is leveraging and extending the Aura Inspector methodology to systematically identify publicly exposed Salesforce Experience Cloud endpoints across the internet.

This effort focuses on detecting /s/sfsites/aura endpoints that are reachable without authentication and respond to guest-user queries. By analyzing response behavior and permission configurations, Black Kite is able to identify environments where guest users might have access to backend CRM objects. This type of analysis helps differentiate between portals that expose only intended public content and those that may unintentionally allow broader data access.

The Salesforce Aura tag is a high-fidelity indicator of a specific misconfiguration. Using a non-intrusive scanning methodology—similar to the AuraInspector tooling used by threat actors—Black Kite identifies sites where the Aura framework is reachable by unauthenticated users.

To help risk teams prioritize remediation, we assign Confidence Levels based on the structural indicators found:

  • Medium Confidence: An active Aura Endpoint exists. While guest access may be restricted, the endpoint remains a primary target for reconnaissance.
  • High Confidence: Both an active Aura Endpoint and Guest Access are enabled, indicating the site is queryable by the public.
  • Very High Confidence: Our scans confirm that Backend Object structures are accessible to unauthenticated queries. This provides definitive evidence that the technical barriers intended to isolate CRM objects from the internet are not functioning, creating a high-risk exposure point regardless of the specific data stored within.

By separating "who uses Salesforce" from "who has a misconfigured Aura endpoint," Black Kite allows security teams to move past general noise and focus on the vendors with the highest probability of data theft.

Combined with Black Kite’s existing internet-scale digital footprint intelligence, this research enables the identification of organizations operating potentially exposed Salesforce environments and supports the rapid tagging of relevant entities using FocusTags®. The result is actionable intelligence that helps security and third-party risk teams prioritize investigation and vendor outreach during active campaigns such as the one attributed to ShinyHunters.

From Discovery to Confirmation: The AuraInspector Methodology

To provide organizations with the most accurate assessment of their third-party risk, Black Kite has integrated a diagnostic methodology modeled after the open-source AuraInspector framework. This approach mirrors the reconnaissance techniques used by the ShinyHunters threat actor group, allowing us to identify vulnerabilities before they are exploited.

How the Discovery Process Works

Our methodology follows a non-intrusive, "zero-touch" scanning path to verify the accessibility of the Salesforce Aura framework. The process moves through three critical stages:

  1. Endpoint Mapping: We first verify the existence of the /s/sfsites/aura or GraphQL endpoints. These are the primary gateways used by the Aura framework to communicate between the browser and the Salesforce backend.
  2. Permission Probing: We simulate an unauthenticated "Guest User" request to these endpoints. This determines if the organization has enabled guest access—a prerequisite for the ShinyHunters' data extraction technique.
  3. Structural Validation: For high-risk targets, we check if specific CRM object containers (such as Account, Contact, or Lead) respond to unauthenticated queries.

Integrity and Privacy

It is important to note that Black Kite’s methodology focuses exclusively on structural exposure. While threat actors use these tools to dump sensitive records, our scans are designed to verify only the existence and reachability of these object structures. We do not access, download, or inspect the actual content of the records.

By identifying that the "door is unlocked," we provide the necessary intelligence for remediation without ever compromising the integrity of the vendor’s data. This allows for a clinical assessment of risk: if our tools can confirm the object structures are visible to a guest, a threat actor can do the same to steal the data within.

Turning Intelligence Into Action with FocusTags®

Black Kite’s FocusTags® capability allows threat intelligence to be rapidly operationalized across vendor ecosystems.

In the context of this campaign, FocusTags® allow organizations to:

  • Identify vendors that may rely on Salesforce environments
  • Prioritize vendor risk assessments
  • Initiate targeted vendor outreach
  • Monitor related threat intelligence developments

For third-party risk management teams, this type of visibility is critical.

When attackers target a widely used enterprise platform, the key question is not simply “Are we vulnerable?”

It is also:

“Which vendors in our ecosystem might be exposed?”

For Organizations Using Salesforce (First-Party Risk)

Organizations operating Salesforce Experience Cloud or other public-facing Salesforce portals should:

Map public exposure

  • Identify all internet-accessible Experience Cloud sites and community portals.

Audit guest user permissions

  • Restrict guest user profiles to the minimum required objects and fields.

Disable unnecessary public API access

  • Remove “API Enabled” from guest user profiles.
  • Disable “Allow guest users to access public APIs” where possible.

Review sharing and visibility settings

  • Restrict Portal User Visibility and Site User Visibility.

Disable self-registration where unnecessary

  • Prevent attackers from escalating guest access to authenticated accounts.

Monitor logs for suspicious activity

  • Review Aura Event Monitoring logs for abnormal query patterns or unfamiliar IP addresses.
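An added example of the kind of review this step calls for (not Black Kite's tooling and not a Salesforce product feature): it runs two checks over constructed Aura request events, guest requests that touch core CRM objects and per-source request bursts. The column set is a simplified assumption, not the real Event Monitoring export schema, so map the field names to your own export before use.

```python
# Added example: flag suspicious guest-user query patterns in Aura request logs.
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

CRM_OBJECTS = {"Account", "Contact", "Lead", "Case"}

def build_sample_log() -> str:
    """Constructed log with assumed columns: one benign guest request, one
    authenticated request, and a 40-request guest burst against Contact."""
    rows = ["TIMESTAMP,USER_TYPE,SOURCE_IP,ACTION,ENTITY",
            "2026-03-10T08:00:01Z,Guest,203.0.113.5,getRecord,Knowledge__kav",
            "2026-03-10T08:00:05Z,Standard,192.0.2.10,getRecord,Contact"]
    base = datetime(2026, 3, 10, 8, 0, 10)
    for i in range(40):
        ts = (base + timedelta(seconds=i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append(f"{ts},Guest,198.51.100.9,getRecord,Contact")
    return "\n".join(rows)

def analyze_guest_activity(log_text: str, max_per_minute: int = 30) -> dict:
    """Return (ip, object) pairs where a guest reached a CRM object, and the
    largest 60-second request count per guest IP that exceeds the threshold."""
    crm_hits = set()
    per_ip = defaultdict(list)  # source IP -> timestamps of guest requests
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["USER_TYPE"] != "Guest":
            continue  # authenticated users are governed by other controls
        ip = row["SOURCE_IP"]
        per_ip[ip].append(datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ"))
        if row["ENTITY"] in CRM_OBJECTS:
            crm_hits.add((ip, row["ENTITY"]))
    bursts = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding 60-second window
            while t - times[start] > timedelta(seconds=60):
                start += 1
            window = end - start + 1
            if window > max_per_minute:
                bursts[ip] = max(bursts.get(ip, 0), window)
    return {"crm_object_hits": sorted(crm_hits), "bursts": bursts}

if __name__ == "__main__":
    findings = analyze_guest_activity(build_sample_log())
    for ip, entity in findings["crm_object_hits"]:
        print(f"guest reached CRM object {entity} from {ip}")
    for ip, count in findings["bursts"].items():
        print(f"burst: {count} guest requests in 60s from {ip}")
```

A guest reaching any object in `CRM_OBJECTS` is a finding on its own regardless of rate; the burst threshold is a tuning assumption and should be set from the portal's normal guest traffic.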

For Organizations Managing Vendor Risk (Third-Party Risk)

Companies should also evaluate exposure across their vendor ecosystem.

Key steps include:

Identify vendors using Salesforce

  • Determine whether vendors operate Experience Cloud portals.

Assess shared data exposure

  • Evaluate whether vendor systems handle customer or operational data.

Initiate vendor outreach

  • Request confirmation that guest access and API permissions have been reviewed.

Monitor threat intelligence

  • Track ongoing developments related to Salesforce campaigns.

Prioritize high-impact vendors

  • Vendors managing customer interactions or sensitive data should be assessed first.

Final Thoughts

The ShinyHunters campaign highlights a growing reality in cyber risk: major exposures increasingly originate not from sophisticated exploits but from ordinary business platforms configured in ways that unintentionally expose data.

Salesforce is only one example. Similar risks exist across many SaaS platforms used for collaboration, CRM, and customer engagement.

For security teams, the challenge is no longer just detecting malware or network intrusions. It is understanding how the technologies used across their entire ecosystem can become attack surfaces.

Campaigns like this demonstrate how quickly risk can propagate across hundreds of organizations at once.

Visibility across that ecosystem is no longer optional.
It is a prerequisite for effective third-party cyber risk management.