Attackers abuse guest access on CRM portals, chaining server actions and bypassing query limits to extract sensitive organizational data worldwide.

In what security experts say may be one of the largest data theft campaigns to date, hacking crew ShinyHunters has been implicated in exploiting weakly secured customer-relationship management (CRM) platform cloud portals to siphon vast troves of corporate data.

The attackers are said to be abusing public‑facing “guest” access on Salesforce Experience Cloud sites to run queries against back‑end Salesforce data without logging in, turning misconfigurations into a powerful entry point for mass data harvesting.

Investigators say the operation targets the /s/sfsites/aura API endpoint used by the CRM firm, which powers many customer and partner portals. ShinyHunters is reportedly using a modified version of an auditing utility, originally released to help administrators find access‑control flaws, to automatically scan the internet for exposed Experience Cloud implementations that grant guest users overly broad permissions. Then:

  • Once a vulnerable site is found, the group chains together large numbers of server‑side actions in single requests and manipulates query parameters to bypass record‑count limits, allowing them to pull tens or hundreds of thousands of records at a time.
  • The campaign builds on earlier hacking activity against Salesforce customers through compromised integrations and OAuth tokens, where attackers used stolen access to methodically export CRM data and mine it for credentials, cloud keys and other secrets.
  • Security researchers and industry information‑sharing groups say the latest wave has affected hundreds of organizations worldwide since late 2025, including scores of technology and cybersecurity companies that rely heavily on Salesforce for sales and support operations.

Salesforce, for its part, has insisted the incidents stem from customer configuration mistakes rather than a flaw in its core platform, framing the issue as one of access governance rather than software vulnerability. The firm has issued emergency guidance urging customers to:

  • lock down guest profiles
  • remove API access from unauthenticated users
  • set organization‑wide defaults to private
  • disable self‑registration on portals
  • closely monitor logs for unusually large or automated queries hitting Experience Cloud sites.

Researchers warn that any public portal exposing excessive data to guest users remains at risk until organizations complete thorough permission reviews and secret‑rotation efforts.