Overview
- Salesforce issued a new security advisory noting mass scanning of public Experience Cloud sites using a modified version of Mandiant’s AuraInspector tool that can identify exposed objects at the /s/sfsites/aura endpoint and extract data from misconfigured instances.
- Mandiant confirmed threat actors are misusing AuraInspector to automate reconnaissance across Salesforce environments and cautioned that log evidence of scanning does not by itself indicate a compromise.
- ShinyHunters claims responsibility for the campaign and says it accessed data from roughly 300–400 websites and about 100 high‑profile companies, pairing the claims with extortion threats against hundreds of organizations.
- Salesforce disputes assertions of a platform vulnerability and urges immediate mitigations that include auditing guest permissions, setting Default External Access to Private, disabling guest access to public APIs, limiting user visibility, turning off self‑registration if unnecessary, and reviewing Aura Event Monitoring logs.
- Reports note that harvested contact details are being used for targeted social‑engineering and vishing, and researchers describe this as the third broad attack spree against Salesforce customers in six months, with the activity widely associated with ShinyHunters though not formally attributed by Salesforce.
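The advisory's recommendation to review Aura Event Monitoring logs, together with Mandiant's caution that scanning evidence alone is not proof of compromise, suggests a simple triage step: find source IPs that hit the /s/sfsites/aura endpoint in bursts and queue them for review rather than treating them as incidents. The script below is an added example, not code from Salesforce, Mandiant or the advisory. The log lines are constructed, and their field layout (timestamp, client IP, user type, method, path, status) is an assumption for this example; the real Aura Event Monitoring export has its own schema and would need its own parser.

```python
"""Flag bursts of requests to the Aura endpoint in constructed, access-log-style lines."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

AURA_PATH = "/s/sfsites/aura"

# Constructed sample lines (not real Salesforce log output). The format is an
# assumption for this example:
# "<ISO timestamp> <client_ip> <user_type> <method> <path> <status>"
SAMPLE_LOG = """\
2024-01-01T10:00:00Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:00:03Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:00:05Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:00:09Z 203.0.113.5 Standard POST /s/sfsites/aura 200
2024-01-01T10:00:12Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:00:20Z 198.51.100.7 Guest GET /s/contactsupport 200
2024-01-01T10:00:31Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:00:44Z 192.0.2.9 Guest POST /s/sfsites/aura 200
2024-01-01T10:01:02Z 198.51.100.7 Guest POST /s/sfsites/aura 200
2024-01-01T10:30:00Z 203.0.113.5 Standard POST /s/sfsites/aura 200
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user_type>\S+) (?P<method>\S+) "
    r"(?P<path>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one assumed-format line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    rec["status"] = int(rec["status"])
    return rec


def aura_requests_by_ip(lines):
    """Group the timestamps of requests to the Aura endpoint by client IP (any user type)."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] == AURA_PATH:
            by_ip[rec["ip"]].append(rec["ts"])
    return by_ip


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any sliding window of the given length."""
    ts = sorted(timestamps)
    best, start = 0, 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def flag_aura_bursts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: peak_count} for IPs whose Aura request rate reaches the threshold.

    A hit here means "review this source", not "confirmed compromise": the count
    says nothing about whether any object was actually exposed or data returned.
    """
    flagged = {}
    for ip, stamps in aura_requests_by_ip(lines).items():
        peak = max_in_window(stamps, window)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, peak in flag_aura_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {peak} Aura requests within 5 minutes; review guest permissions and object exposure")
```

On the constructed sample, only 198.51.100.7 crosses the default threshold (six Aura requests inside a five-minute window); the authenticated user at 203.0.113.5 and the single guest hit from 192.0.2.9 are left alone. Pair any flagged source with the configuration checks from the advisory (guest permissions, Default External Access, guest API access) before deciding whether the burst reached data a guest should not have been able to read.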