ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks

Cyber Threat News


Cloud platforms have become central to how modern businesses operate, especially when it comes to managing customer relationships, internal communication, and support workflows. For many organizations, these operations depend heavily on Salesforce, which serves as the primary system for storing customer records, managing support cases, and tracking sales activity. While the platform provides strong infrastructure security, the way organizations configure access permissions inside their environments can significantly influence the overall security posture.

A cybercrime group known as ShinyHunters has recently claimed that it is conducting ongoing data theft operations targeting companies that use Salesforce Experience Cloud portals built with the Aura Framework. According to security researchers who have examined these claims, the attacks appear to rely on misconfigured portal permissions rather than on a vulnerability in Salesforce software itself.

This distinction is important because it highlights a broader issue in cloud security. Even when the underlying platform is secure, incorrect configuration of user permissions can expose sensitive information. In environments that store large volumes of customer and business data, these configuration mistakes can lead to serious consequences.

TL;DR

  • The cybercrime group ShinyHunters claims it is actively stealing data from Salesforce portals built using the Aura framework.
  • The attacks reportedly exploit misconfigured guest access permissions in Salesforce Experience Cloud portals.
  • Attackers may be able to query backend APIs and retrieve sensitive CRM records if permissions are not properly restricted.
  • Hundreds of organizations could potentially be affected if their portals allow excessive public access.
  • Security teams should immediately review guest permissions, API exposure, and portal security settings.

Understanding the Salesforce Aura Framework

The Aura framework is a component-based development framework used within Salesforce Lightning to build interactive user interfaces. It allows developers to create dynamic components that power web applications and online portals.

Organizations frequently rely on this framework when building customer-facing or partner-facing portals through Salesforce Experience Cloud. These portals allow external users to interact with the company’s systems without requiring full internal access.

Typical uses for Experience Cloud portals include customer support platforms where users submit service requests, partner collaboration spaces where vendors share documents and updates, community forums where users exchange information, and account dashboards where customers can track orders or support cases.

To make these portals accessible, many organizations enable a limited level of public access. This access is controlled through a guest user profile, which determines what information an unauthenticated visitor can view or request from the system.

The challenge arises when the permissions assigned to this guest user profile extend beyond what is necessary. When these permissions are too broad, external visitors may gain the ability to interact with backend application components that were never meant to be publicly accessible.

How the Reported Attacks Work

The reported Salesforce Aura attacks follow a relatively straightforward sequence that relies on discovering misconfigured systems rather than exploiting complex vulnerabilities.

The process usually begins with attackers scanning the internet for publicly accessible Salesforce Experience Cloud portals that use the Aura framework. Because these portals are designed to be reachable by customers and partners, they are often visible to automated scanning tools.

Once a portal is identified, attackers begin testing how the system responds to certain requests sent through its APIs. These APIs are used by the portal itself to retrieve data from Salesforce records and display it on the website interface.

If the guest user profile attached to the portal has been given excessive permissions, the backend components may respond to these requests and return internal records. Attackers can then automate the process by sending repeated queries to retrieve data from the system.

The information that may be exposed through such queries can include customer contact information, CRM records, internal support conversations, case management data, and business documents. Because the requests are made through legitimate application interfaces, the activity may appear normal from a technical perspective.

This makes the attack particularly concerning because it can occur without triggering traditional security alerts.

Why These Attacks Can Go Unnoticed

One reason these incidents can remain undetected for extended periods is that they do not resemble traditional cyberattacks.

In ransomware incidents, organizations typically notice the problem quickly because systems stop functioning or files become encrypted. In contrast, data theft through misconfigured APIs can occur quietly and continuously.

Since the attacker interacts with the application through legitimate channels, the traffic generated during the attack may resemble normal application activity. Unless security teams are specifically monitoring unusual patterns in API usage, the data extraction process may blend into normal system operations.

Another contributing factor is the widespread assumption that SaaS providers manage all aspects of security. In reality, cloud services operate under a shared responsibility model. The provider secures the infrastructure and platform, while the customer is responsible for managing user permissions, access policies, and configuration settings.

When organizations overlook this responsibility, configuration mistakes can unintentionally expose sensitive information.

The Cybercrime Group Behind the Claims

ShinyHunters has been associated with several major data breach incidents over the past few years. The group has gained notoriety for stealing large datasets from organizations and distributing them through underground forums or selling them to other cybercriminal groups.

Unlike traditional ransomware gangs that focus on encrypting systems, ShinyHunters typically concentrates on data theft and resale. By obtaining large volumes of customer information, attackers can profit through multiple channels, including selling the data on dark web marketplaces or using it to pressure organizations into paying extortion demands.

The group has previously been linked to breaches affecting technology companies, online services, and digital platforms, which makes the current claims about Salesforce-related attacks particularly concerning.

Why CRM Platforms Are Valuable Targets

Customer relationship management systems are among the most valuable data repositories within an organization. These platforms consolidate information collected by sales teams, support teams, marketing departments, and management.

As a result, a single CRM instance may contain thousands or even millions of customer records, along with detailed communication histories and internal notes.

The types of data typically stored inside CRM systems include customer contact details, purchase histories, service requests, support conversations, and internal communication between employees. If attackers gain access to this information, they may use it to conduct identity theft, launch targeted phishing campaigns, or gain insight into the internal operations of a business.

In some cases, stolen CRM data can also be used to target the organization’s customers directly, which expands the impact of a breach far beyond the original victim.

The Growing Risk of Cloud Misconfigurations

Security incidents involving cloud platforms increasingly originate from configuration errors rather than software vulnerabilities.

These errors may include overly permissive guest accounts, publicly accessible APIs, insufficient data access restrictions, or a lack of monitoring for unusual data queries.

Unlike software bugs that require technical exploitation, configuration weaknesses are often much easier for attackers to discover and exploit. A simple automated scan can identify exposed endpoints or portals with excessive permissions.

For this reason, security experts emphasize the importance of routine configuration reviews and regular audits of cloud environments.

What Organizations Should Do Now

Organizations that use Salesforce Experience Cloud should treat these reports as an opportunity to review their current configurations.

Security teams should begin by auditing all guest user permissions associated with public portals to ensure that they provide only the minimum access required. Backend APIs should be carefully reviewed to confirm that they cannot be queried by unauthenticated users.

It is also important to implement strict object-level and field-level security policies so that sensitive data cannot be retrieved through unauthorized queries. In addition, monitoring systems should be configured to detect unusual API activity, such as repeated large-scale data requests or traffic originating from unfamiliar sources.
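One way to operationalize the guest-permission audit described above, as an added example that is not part of the article: the script below takes the object-permission rows of a portal's guest user profile and flags anything beyond a least-privilege allowlist. It assumes the records have the shape the Salesforce REST API returns for a SOQL query on the ObjectPermissions object (field names such as SobjectType, PermissionsRead and PermissionsViewAllRecords); the sample rows and the allowlist are constructed for illustration.

```python
"""Audit a Salesforce guest user profile's object permissions (added example).

Assumed input: rows from a query such as
  SELECT SobjectType, PermissionsRead, PermissionsEdit, PermissionsDelete,
         PermissionsViewAllRecords, PermissionsModifyAllRecords
  FROM ObjectPermissions WHERE Parent.Profile.UserLicense.Name = 'Guest User License'
The records below are constructed, not taken from a real org.
"""

# Flags an unauthenticated (guest) profile should essentially never hold:
# they let anonymous visitors see every record of an object or change data.
HIGH_RISK_FLAGS = (
    "PermissionsViewAllRecords",
    "PermissionsModifyAllRecords",
    "PermissionsEdit",
    "PermissionsDelete",
)

# Objects a public support portal legitimately exposes read-only to visitors.
# Any other object readable by the guest profile is reported. (Assumed allowlist.)
DEFAULT_ALLOWED_READ = {"Knowledge__kav"}


def audit_guest_permissions(records, allowed_read=DEFAULT_ALLOWED_READ):
    """Return findings sorted high-severity first, then by object name."""
    findings = []
    for rec in records:
        obj = rec["SobjectType"]
        risky = [flag for flag in HIGH_RISK_FLAGS if rec.get(flag)]
        if risky:
            findings.append({"object": obj, "severity": "high", "flags": risky})
        elif rec.get("PermissionsRead") and obj not in allowed_read:
            # Plain read on CRM objects is what lets portal APIs hand out records.
            findings.append({"object": obj, "severity": "medium", "flags": ["PermissionsRead"]})
    return sorted(findings, key=lambda f: (f["severity"] != "high", f["object"]))


# Constructed sample: one acceptable row and four misconfigurations.
SAMPLE_GUEST_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Contact", "PermissionsRead": True},
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsEdit": True},
    {"SobjectType": "Document", "PermissionsRead": True},
]

if __name__ == "__main__":
    for finding in audit_guest_permissions(SAMPLE_GUEST_PERMISSIONS):
        print(f"[{finding['severity']:<6}] {finding['object']}: {', '.join(finding['flags'])}")
```

Run it against the real query output of each Experience Cloud site; every "high" finding is a candidate for the kind of anonymous record retrieval the article describes, and "medium" findings should be justified or removed.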

Finally, organizations should incorporate SaaS configuration reviews into their regular cybersecurity assessments. By treating cloud configuration as an ongoing process rather than a one-time setup, businesses can significantly reduce their exposure to these types of threats.

To Sum Up

The claims surrounding Salesforce Aura data theft attacks illustrate how small configuration mistakes can create significant cybersecurity risks.

Cloud platforms such as Salesforce provide robust infrastructure and security features, but the responsibility for configuring access permissions remains largely with the organizations that use them.

When guest access permissions are too broad or APIs are left exposed, attackers can quietly retrieve sensitive information without exploiting software vulnerabilities.

For businesses that rely on Salesforce Experience Cloud portals, reviewing access settings and monitoring API activity should be an immediate priority. Careful configuration management remains one of the most effective ways to prevent data exposure in modern cloud environments.

FAQs

What is the Salesforce Aura framework?

The Aura framework is a component-based development framework within Salesforce Lightning that enables developers to build interactive applications and portals.

What is Salesforce Experience Cloud?

Salesforce Experience Cloud is a platform that allows organizations to create customer portals, partner collaboration spaces, and community websites connected to their CRM data.

Who are ShinyHunters?

ShinyHunters is a cybercrime group known for conducting large-scale data breaches and selling stolen datasets through underground forums.

Are these attacks exploiting a vulnerability in Salesforce?

Most reports indicate that the issue stems from misconfigured portal permissions rather than a flaw in the Salesforce platform itself.

Why is CRM data attractive to attackers?

CRM systems contain detailed customer information and internal communications, which can be used for fraud, phishing attacks, and identity theft.

How can organizations reduce the risk of these attacks?

Organizations should audit guest access permissions, restrict backend API access, monitor unusual activity, and conduct regular cloud security configuration reviews.

Author

  • Maya Pillai is a technology writer with over 20 years of experience. She specializes in cybersecurity, focusing on ransomware, endpoint protection, and online threats, making complex issues easy to understand for businesses and individuals.
