Overview
- Salesforce reports attackers using a customized AuraInspector tool to probe the /s/sfsites/aura endpoint and pull data from public sites with overly permissive guest access.
- Mandiant confirms its open-source auditor is being misused for automated scanning and cautions that scan activity in logs does not necessarily indicate a breach.
- ShinyHunters claims breaches at roughly 300–400 organizations and about 100 high-profile companies, including major vendors, but these claims have not been independently verified.
- The gang describes methods to bypass Salesforce’s 2,000-record GraphQL limit and the use of custom tooling, with elements of these tactics still under investigation.
- Salesforce urges least-privilege guest settings: setting Default External Access to Private, disabling guest access to public APIs and the API Enabled permission on guest profiles, restricting record visibility for guest users, monitoring logs, and turning off self-registration where it is not required.