TL;DR

  • ShinyHunters took a legitimate security audit tool and turned it into a data extraction weapon, breaching 300-400 companies including cybersecurity firm Aura.com [1]
  • The attack exploits misconfigured guest user permissions in Salesforce Experience Cloud sites, not a Salesforce platform vulnerability [2]
  • Attackers can exfiltrate entire databases through the /s/sfsites/aura API endpoint by manipulating query parameters [3]
  • Salesforce says this is a customer configuration problem — but that distinction won't matter to the millions of people whose data was just stolen [4]
  • If you use Salesforce Experience Cloud, check your guest user settings today with our checklist below

How a Security Tool Became a Weapon

In January 2026, Mandiant (now part of Google Cloud) released AuraInspector, an open-source tool designed to help Salesforce administrators find access control misconfigurations in the Aura framework that powers Salesforce Experience Cloud customer portals [1].

The goal was defensive: security teams could scan their own Salesforce implementations, find overly permissive guest user settings, and fix them before attackers did.

ShinyHunters had other plans. By late February 2026, the group had modified AuraInspector to go beyond mere identification. Their version didn't just find misconfigurations — it exploited them to extract data at scale [1].

The weaponized version automated the entire attack: point it at a target, let it scan, watch the data flow out. By March 2026, they'd hit hundreds of organizations, with confirmed victims spanning cybersecurity, healthcare, finance, retail, and education [1].

The irony writes itself: one of the confirmed victims is Aura.com, a digital security company that sells identity theft protection services. ShinyHunters named them on their leak site after extortion demands failed, then released 921,000 email records from Aura's Salesforce CRM database [5].

A company that sells protection against data breaches. Breached. Using a tool named after the framework their portal ran on.

The Vulnerability Isn't Salesforce — It's Your Configuration

Salesforce has been clear: this isn't a platform vulnerability. The Aura framework works as designed. Guest users can query data if you give them permission [2].

The problem is that many organizations don't realize what permissions they've granted.

When guest user permissions are set too permissively in Experience Cloud sites, unauthenticated attackers can [1]:

  • Hit the /s/sfsites/aura API endpoint without logging in
  • Execute queries against the Salesforce Aura framework
  • Bypass the standard 2,000-record retrieval limit by manipulating the sortBy parameter
  • Use GraphQL Aura controllers to exfiltrate entire databases

ShinyHunters didn't hack Salesforce. They scanned for companies that had left the door unlocked — then walked right in.

This is the SaaS security crisis in microcosm: platforms are secure by default, but customers make them insecure by accident.

The Business Impact: Why This Matters to Every SMB

You might think: "I don't use Salesforce Experience Cloud, this doesn't affect me."

You're wrong. This pattern repeats across every SaaS platform: Microsoft 365, Google Workspace, AWS, HubSpot, Slack, Notion, Jira, Zoom. All of them default to secure. All of them can be misconfigured by accident. All of them are being scanned right now by attackers looking for open doors [6].

The ShinyHunters campaign is running parallel to their ongoing Okta vishing attacks. Different attack vectors, same result: massive data theft followed by extortion demands [1].

Since January 2026, ShinyHunters has breached [1]:

  • Betterment (1.4M users)
  • Match Group (10M records)
  • Figure (967K users)
  • CarGurus (12.4M records)
  • TELUS Digital (1 petabyte of data)
  • 300-400 Salesforce victims

Your business partners use these platforms. Your vendors use these platforms. Your data is in these platforms — even if you don't realize it.

The Salesforce Security Checklist: Run This Today

If you use Salesforce Experience Cloud, Salesforce recommends these immediate actions [2]:

1. Check Guest User Settings

Review what guest users can access in your Experience Cloud sites. Go to: Setup → Digital Experience → Workspaces → Your Site → Security → Guest User Settings

Ask yourself: Can unauthenticated users access data they shouldn't see?

2. Set Default External Access to Private

For all objects, make sure external access defaults to private. Go to: Setup → Object Manager → [Object] → Field Level Security

The rule: If it's not explicitly public, it should be private.

3. Disable Public API Access for Guests

Unless absolutely necessary, block API access for unauthenticated users. Go to: Setup → Digital Experience → Workspaces → Your Site → Administration → API Access

The attack vector: ShinyHunters exploited the /s/sfsites/aura endpoint. If guest users don't need API access, disable it.

4. Restrict Visibility Settings

Prevent guest users from enumerating internal organization members. Go to: Setup → Digital Experience → Workspaces → Your Site → Administration → Member Visibility

Why this matters: Enumeration attacks let attackers map your organization structure before launching phishing campaigns.

5. Disable Self-Registration

If you don't need it, turn it off. Go to: Setup → Digital Experience → Workspaces → Your Site → Administration → Login & Registration

Self-registration creates accounts automatically. If you don't require it, disable it — it reduces your attack surface.

6. Monitor Logs for Suspicious Activity

Look for unusual queries hitting the /s/sfsites/aura endpoint. Go to: Setup → Monitoring → Event Logs

What to look for:

  • Unexplained spikes in API calls
  • Queries from unusual geographic locations
  • Bulk data export patterns
  • Guest user activity during off-hours

The RH-ISAC (Retail & Hospitality Information Sharing and Analysis Center) has published indicators of compromise for this campaign [7]. If you run Salesforce, your security team should be monitoring for these patterns.
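One way to turn the "what to look for" list above into a repeatable check, as an added example that is not part of the original post or of any vendor tooling. It scans an exported request log for guest traffic to /s/sfsites/aura and reports per-source bursts and off-hours activity. The CSV columns, the user_type values, the thresholds and the sample rows are all assumptions constructed for illustration; map your own event-log fields onto them.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta
from urllib.parse import urlsplit

AURA_PATH = "/s/sfsites/aura"      # endpoint named in the article
WINDOW = timedelta(minutes=5)      # assumed sliding-window length
BURST_THRESHOLD = 20               # assumed: guest Aura requests per IP per window
BUSINESS_HOURS = range(7, 19)      # assumed: 07:00-18:59, log already in local time


def build_sample_log():
    """Constructed sample export; IPs come from documentation ranges."""
    lines = ["timestamp,client_ip,user_type,uri"]
    # 30 guest requests, 6 seconds apart, starting at 02:00 from one source
    for i in range(30):
        ts = datetime(2026, 3, 2, 2, 0, 0) + timedelta(seconds=6 * i)
        lines.append(f"{ts.isoformat()},203.0.113.50,Guest,/s/sfsites/aura?n={i}")
    # ordinary guest browsing during business hours
    for i in range(4):
        ts = datetime(2026, 3, 2, 10, 0, 0) + timedelta(minutes=7 * i)
        lines.append(f"{ts.isoformat()},198.51.100.7,Guest,/s/sfsites/aura?n={i}")
    # busy but authenticated user: out of scope for a guest-access check
    for i in range(25):
        ts = datetime(2026, 3, 2, 11, 0, 0) + timedelta(seconds=5 * i)
        lines.append(f"{ts.isoformat()},192.0.2.10,Standard,/s/sfsites/aura?n={i}")
    # guest request to another path, then a malformed row
    lines.append("2026-03-02T03:00:00,203.0.113.50,Guest,/s/login")
    lines.append("not-a-timestamp,203.0.113.50,Guest,/s/sfsites/aura")
    return "\n".join(lines)


def parse_rows(text):
    """Return (rows, skipped). Rows with an unparsable timestamp are counted, not fatal."""
    rows, skipped = [], 0
    for row in csv.DictReader(io.StringIO(text)):
        try:
            row["ts"] = datetime.fromisoformat(row["timestamp"])
        except (KeyError, TypeError, ValueError):
            skipped += 1
            continue
        rows.append(row)
    return rows, skipped


def is_guest_aura(row):
    """True for an unauthenticated request whose path ends in the Aura endpoint.

    The path is parsed out of the URI so query strings and a site prefix
    (for example /portal/s/sfsites/aura) do not hide the match.
    """
    path = urlsplit(row.get("uri") or "").path.rstrip("/")
    return (row.get("user_type") or "").lower() == "guest" and path.endswith(AURA_PATH)


def detect(rows):
    """Report peak guest Aura requests per IP within WINDOW, and off-hours counts."""
    recent = defaultdict(deque)    # ip -> timestamps inside the current window
    peak = defaultdict(int)        # ip -> largest window population seen
    off_hours = defaultdict(int)   # ip -> guest Aura requests outside business hours
    for row in sorted(rows, key=lambda r: r["ts"]):
        if not is_guest_aura(row):
            continue
        ip, ts = row["client_ip"], row["ts"]
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > WINDOW:
            window.popleft()
        peak[ip] = max(peak[ip], len(window))
        if ts.hour not in BUSINESS_HOURS:
            off_hours[ip] += 1
    bursts = {ip: n for ip, n in peak.items() if n >= BURST_THRESHOLD}
    return {"bursts": bursts, "off_hours": dict(off_hours)}


if __name__ == "__main__":
    parsed, bad = parse_rows(build_sample_log())
    findings = detect(parsed)
    print(f"parsed={len(parsed)} skipped={bad}")
    for ip, n in findings["bursts"].items():
        print(f"BURST      {ip}: {n} guest Aura requests within {WINDOW}")
    for ip, n in findings["off_hours"].items():
        print(f"OFF-HOURS  {ip}: {n} guest Aura requests outside business hours")
```

Tune the window, threshold and business hours against a week of your own baseline traffic before alerting on them; a busy public portal will need a higher threshold than a small partner site.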

The Bigger Lesson: Security Tools Get Weaponized

This isn't the first time attackers have turned defensive tools into offensive weapons. Cobalt Strike, Metasploit, PowerShell Empire — tools built for red teams and security researchers routinely end up in threat actor arsenals [1].

AuraInspector is the latest example. Mandiant built it to help defenders find problems before attackers did. ShinyHunters found the problems first.

The security industry has debated this for years. Releasing vulnerability research helps defenders patch faster. But it also gives attackers a roadmap. There's no clean answer.

What's clear: if you're using Salesforce Experience Cloud, assume someone has already scanned your configuration.

Check your guest user settings. Do it today.

If You're a Consumer: Your Data May Already Be Exposed

If you've interacted with companies that use Salesforce Experience Cloud for customer portals — which is a lot of companies — your data may have been exposed. The problem is you have no way to know which specific companies got hit [1].

Here's what to do:

  1. Check Have I Been Pwned: Some ShinyHunters breaches are already in the database. Go to: https://haveibeenpwned.com
  2. Watch for breach notifications: Affected companies should be notifying victims in the coming weeks
  3. Be skeptical of "customer service" contacts: Stolen CRM data means attackers know your account details and interaction history. Verify all communications
  4. Enable 2FA everywhere: Especially on accounts with financial data. Use an authenticator app, not SMS

What This Means for Your Business's SaaS Security Strategy

The ShinyHunters Salesforce campaign exposes a fundamental truth about SaaS security: platforms default to secure, but customers make them insecure by accident.

Here's the reality:

  • Salesforce shipped a secure platform
  • Customers misconfigured their own instances
  • Attackers scanned for those misconfigurations at scale
  • Hundreds of companies got breached — without a single zero-day vulnerability

This pattern repeats across every major SaaS platform. The attackers aren't hacking the platforms. They're exploiting misconfigurations.

Your SaaS security strategy needs to address three layers [6]:

  1. Platform security: The vendor's responsibility (Salesforce, Microsoft, Google, AWS). They ship secure defaults.
  2. Configuration security: Your responsibility. Guest user permissions, API access, sharing settings, retention policies.
  3. Identity security: Your responsibility. MFA, conditional access, least privilege, credential hygiene.

Most SMBs focus on layer 1 (the vendor) and layer 3 (identity). They skip layer 2 (configuration) — and that's where the ShinyHunters attack lives.

The SaaS Configuration Security Framework for SMBs

Here's how to close the gap:

1. Inventory Your SaaS Stack

You can't secure what you don't know you have. Build a list of every SaaS platform your business uses. Include:

  • Customer-facing portals (Salesforce, HubSpot, Zendesk)
  • Collaboration tools (Microsoft 365, Google Workspace, Slack)
  • Development platforms (GitHub, GitLab, Jira)
  • Marketing tools (Mailchimp, Marketo, HubSpot)

The rule: if it holds business data, it's part of your attack surface.

2. Document Default Configurations

For each platform, document:

  • Default guest/external access settings
  • Default sharing permissions
  • Default API access rules
  • Default retention policies

The question: would these settings be secure if an attacker found them?

3. Audit Guest/External Access Quarterly

Misconfigured guest access is the #1 SaaS security vulnerability. Every quarter:

  • Review who has guest access to what
  • Check if public links exist that shouldn't
  • Verify API access is restricted to legitimate use cases
  • Confirm self-registration is disabled unless required

4. Monitor for Anomalous Activity

Every SaaS platform has audit logs. Someone needs to review them:

  • Bulk data exports
  • Unusual login patterns
  • Privilege escalations
  • API usage spikes

5. Test Your Configurations Regularly

Run vulnerability scans against your SaaS instances:

  • Use the vendor's built-in security tools (like Salesforce's Health Check)
  • Run third-party configuration audits (like AuraInspector — before it was weaponized)
  • Conduct annual penetration testing on externally accessible portals

The rule: if ShinyHunters can scan your Salesforce instance for free, so should you.

The Bottom Line: Configuration Security Is Business Security

The ShinyHunters Salesforce campaign isn't a story about a hacked platform. It's a story about configuration hygiene at scale.

  • 300-400 companies breached [1]
  • Millions of customer records exposed [5]
  • Billions of dollars in breach notification costs, legal fees, and regulatory fines
  • All because guest user permissions were left open

For SMBs, the lesson is clear: SaaS security isn't the vendor's problem. It's yours.

Your vendors ship secure platforms. Your job is to keep them secure. That means:

  • Knowing what SaaS platforms you use
  • Understanding their default configurations
  • Auditing guest/external access quarterly
  • Monitoring logs for anomalous activity
  • Testing configurations regularly

The attackers are already scanning your SaaS stack. The only question is whether they'll find an open door.


Worried about your SaaS security posture? You don't have to figure this out alone. lilMONSTER helps small businesses audit their SaaS configurations, close access control gaps, and build security processes that scale. Book a free consultation — we'll review your Salesforce, Microsoft 365, and Google Workspace setups together.

FAQ

ShinyHunters is a cybercriminal group that weaponized AuraInspector, a legitimate security audit tool for Salesforce, to scan for and exploit misconfigured guest user permissions in Salesforce Experience Cloud sites. The campaign has breached an estimated 300-400 companies globally, including cybersecurity firm Aura.com, which had 921,000 email records stolen from its Salesforce CRM database [1, 5].

No. Salesforce has stated this is not a platform vulnerability — it's a customer configuration issue [2]. The Aura framework works as designed. When organizations set guest user permissions too permissively, unauthenticated attackers can query and exfiltrate data through the /s/sfsites/aura API endpoint. Salesforce shipped a secure platform; customers misconfigured their own instances [2, 4].

Run through the security checklist in this post: check guest user settings, set default external access to private, disable public API access for guests unless required, restrict visibility settings to prevent enumeration, disable self-registration if not needed, and monitor logs for unusual activity hitting the /s/sfsites/aura endpoint [2, 7]. The RH-ISAC has published indicators of compromise for this campaign that your security team should monitor for [7].

First, check https://haveibeenpwned.com to see if your email appears in known breach databases. Second, watch for official breach notifications from affected companies — they're required to notify victims under data breach notification laws. Third, enable 2FA everywhere using an authenticator app (not SMS), especially on accounts with financial data. Fourth, be skeptical of unsolicited "customer service" contacts — attackers use stolen CRM data to make phishing emails look legitimate [1, 5].

They're becoming the dominant attack vector. According to IBM's 2025 Cost of a Data Breach Report, initially compromised credentials and cloud misconfigurations now account for over 40% of all breaches [6]. The ShinyHunters Salesforce campaign is part of a broader trend: attackers aren't hacking platforms, they're exploiting misconfigured customer instances. This pattern repeats across Microsoft 365, Google Workspace, AWS, HubSpot, Slack, and other major SaaS platforms [6].

Yes — indirectly. Your business partners, vendors, and service providers use Salesforce and other SaaS platforms. Your data lives in their systems. When they get breached, your data gets exposed too. This is why vendor risk management and third-party security assessments are critical for SMBs [6]. Every company in your supply chain is a potential breach pathway.

References

[1] State of Surveillance, "ShinyHunters Weaponized a Security Tool to Breach 400 Companies via Salesforce," March 18, 2026. [Online]. Available: https://stateofsurveillance.org/news/shinyhunters-salesforce-aura-400-companies-security-tool-weaponized-2026/

[2] Salesforce Security Alert, "ShinyHunters Campaign Targeting Experience Cloud Sites," March 2026. [Online]. Available: Salesforce Trust Center

[3] Reco, "Inside the ShinyHunters Experience Cloud Campaign: IOCs, Detection Logic, and What's at Risk," March 2026. [Online]. Available: https://www.reco.ai/blog/inside-the-shinyhunters-experience-cloud-campaign-iocs-detection-logic-and-whats-at-risk

[4] IT Pro, "Salesforce Issues Customer Alert as ShinyHunters Group Claims Experience Cloud Breach," March 2026. [Online]. Available: https://www.itpro.com/security/cyber-attacks/salesforce-issues-customer-alert-as-shinyhunters-group-claims-experience-cloud-breach

[5] DataBreach.com, "Aura.com 2026 Breach — 921,000 Email Records Exposed via Salesforce Misconfiguration," March 2026. [Online]. Available: https://databreach.com/breach/aura-com-2026

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] RH-ISAC, "ShinyHunters Utilize Public Audit Tool to Scan for Vulnerable Salesforce Aura Instances," March 2026. [Online]. Available: https://rhisac.org/threat-intelligence/shinyhunters-sf-aura/

[8] Help Net Security, "ShinyHunters Claims New Campaign Targeting Salesforce Experience Cloud Sites," March 11, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/11/shinyhunters-salesforce-aura-data-breach/

[9] Salesforce Ben, "ShinyHunters Breach 400 Companies via Salesforce Experience Cloud," March 2026. [Online]. Available: https://www.salesforceben.com/shinyhunters-breach-400-companies-via-salesforce-experience-cloud/

[10] Cyber Insider, "ShinyHunters Claims Hundreds of Victims in New Salesforce Aura Campaign," March 2026. [Online]. Available: https://cyberinsider.com/shinyhunters-claims-hundreds-of-victims-in-new-salesforce-aura-campaign

[11] Bleeping Computer, "ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

[12] The Hacker News, "Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool," March 2026. [Online]. Available: https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html

TL;DR

  • A gang of hackers took a tool that helps companies find security problems and turned it into a weapon that steals data [1]
  • They used it to break into 400 companies — including a security company that was supposed to prevent exactly this kind of breach [1, 5]
  • The problem wasn't broken software — it was companies forgetting to lock doors they didn't know they had [2]
  • If your business uses online tools like Salesforce, Microsoft 365, or Google Workspace, you need to check your settings today

The Digital Door You Didn't Know You Had

Imagine you own a shop. You lock the front door every night. You set an alarm system. You hire security guards.

But there's a back door you forgot about. It's unlocked. Anyone can walk in.

That's what happened to 400 companies recently. They use a platform called Salesforce to run customer websites and portals. Salesforce itself is secure — it's like a really good lock. But these companies left a "digital back door" open without realizing it [2].

Here's what happened:

How Good Tools Became Bad Weapons

A company called Mandiant built a tool called AuraInspector. Think of it like a security guard who walks around your shop checking if any doors are unlocked. It was supposed to help companies find problems before bad guys did [1].

Then a hacker group called ShinyHunters came along. They took that security guard tool and turned it into a master key [1].

Suddenly, instead of finding unlocked doors and reporting them, the tool was opening them and letting hackers walk right in. The hackers automated it: push a button, scan hundreds of companies, steal everything.

By March 2026, they'd hit 300-400 organizations around the world [1].

The Company That Protects People... Got Hacked

Here's the most embarrassing part. One of the companies that got breached is called Aura.com [5].

What does Aura.com do? They sell identity theft protection. They're a security company.

Their job is to help people protect their data. But they'd left their own digital back door unlocked. ShinyHunters walked right in and stole 921,000 customer email addresses from their Salesforce system [5].

It's like a locksmith forgetting to lock their own front door.

Why Salesforce Isn't to Blame

Here's the important thing: Salesforce (the company that makes the software) didn't do anything wrong.

Think of Salesforce like a house builder. They build a house with locks on all the doors and windows. The house is secure.

But if you move in and decide to leave a window open "because it's convenient," that's not the builder's fault. That's on you.

That's what happened here. Salesforce shipped a secure platform. But when companies set up their customer portals, many of them accidentally left the "guest user" settings too open [2].

Guest users are people who haven't logged in. They're people you don't know walking by your shop. Most guest users shouldn't be able to see anything. But these companies accidentally gave people you don't know the keys to the back room.

The Attack in Plain English

Here's how the attack worked, step by step:

  1. The scan: ShinyHunters used their weaponized tool to scan thousands of Salesforce customer websites
  2. The check: For each website, the tool asked: "Can a person you don't know see data they shouldn't?"
  3. The exploit: If the answer was "yes," the tool started downloading everything
  4. The theft: Customer names, email addresses, phone numbers, purchase history — all stolen automatically

No hacking required. No broken software. Just walking through unlocked doors.

Why This Matters to Your Business (Even If You Don't Use Salesforce)

You might be thinking: "We don't use Salesforce. We're safe."

Not quite. This problem exists with almost every online tool your business uses:

  • Microsoft 365 (email, documents, teams)
  • Google Workspace (Gmail, Google Drive, Google Docs)
  • HubSpot (marketing and customer data)
  • Slack (team communication)
  • Dropbox (file storage)
  • Zoom (video meetings)

All of these tools are secure when you set them up correctly. All of them can be misconfigured by accident. All of them are being scanned by hackers right now, looking for unlocked doors.

Your business data lives in these tools. Your customer data lives in these tools. Your vendors' data lives in these tools.

When they get breached, you get breached too.

The Security Checklist for Your Online Tools

Here's what to do right now, today, for every online tool your business uses:

1. Find Your Guest User Settings

Every major SaaS platform has settings for "guest users" or "external sharing." Go find them.

  • Salesforce: Setup → Digital Experience → Security → Guest User Settings
  • Microsoft 365: Admin Center → Sharing → External sharing settings
  • Google Workspace: Admin Console → Apps → Google Workspace → Drive → Sharing settings
  • Slack: Workspace Settings → Permissions → Guest access

The question: Can people you don't know see your business data without logging in? If yes, change it.

2. Set Everything to "Private" by Default

The safest setting is almost always: don't share anything outside your organization unless you specifically choose to.

Think of it like your house. The windows stay closed. You open them only when you want to let someone in.

Many online tools let you create "public links" to documents or sites. You might have created these months ago and forgotten they exist.

  • Search your settings for "public links" or "sharing links"
  • Delete any you don't actively use
  • Set links to expire automatically after a certain time

4. Turn Off What You Don't Need

Features like "self-registration" (letting people create their own accounts) or "API access" (letting other apps talk to your system) are convenient — but they're also attack vectors.

If you don't need them, turn them off. You can always enable them later if you find a legitimate use case.

5. Look for Weird Activity in Your Logs

Every SaaS platform keeps a record of who did what. These are called audit logs or activity logs.

Once a month, have someone check for:

  • Bulk data downloads (why did someone export 10,000 customer records?)
  • Logins from strange countries (why is someone logging in from Kazakhstan at 3 AM?)
  • New user accounts created without approval

If you see something weird, investigate.

What to Do If You Think Your Data Was Stolen

If you do business with companies that use Salesforce (and that's a lot of companies), your data might have been exposed in this breach. Here's what to do:

1. Check if Your Email Was Leaked

Go to https://haveibeenpwned.com and enter your email address. This free service checks if your email appeared in known data breaches.

2. Watch for Official Notifications

Companies are legally required to notify you if your data was stolen. Watch for emails or letters saying "We experienced a data breach."

Warning: Scammers know this. They'll send fake breach notification emails trying to trick you. Before clicking anything, verify it's really from the company by visiting their official website (not clicking links in the email).

3. Turn On Two-Factor Authentication (2FA)

Every important account should have 2FA. This means you need both your password AND a code from your phone to log in.

Use an authenticator app (like Google Authenticator or Microsoft Authenticator), not SMS text messages — SMS can be hijacked.

4. Be Skeptical of "Customer Service" Calls

If hackers stole your data from a company's database, they now know your name, email, phone number, and maybe your purchase history.

They might call or email pretending to be from that company. They'll sound convincing because they have real information.

The rule: Never give personal information or passwords to someone who contacts you, even if they say they're from a company you do business with. Hang up and call the official phone number from their website.

The Lesson: Security Isn't Something You Buy — It's Something You Do

The biggest mistake businesses make is thinking security works like insurance:

"I bought secure software. I'm protected."

But that's not how it works. Security is more like locking up a shop or a house:

  • The builder (Salesforce, Microsoft, Google) gives you good locks
  • But you still have to actually use them
  • And you have to check them regularly
  • Because bad guys are constantly checking if you forgot to lock something

The ShinyHunters breach wasn't a technical failure. It was a process failure. Companies weren't checking their configurations regularly. Nobody was reviewing guest user permissions. No one was monitoring for strange activity.

Good security habits matter more than good security tools. A tool that helps you find problems (like AuraInspector) is useless if you don't actually fix the problems it finds.

What This Means for Your Business's Security Strategy

Here's the simple version of what every business needs to do:

1. Make a List of Every Online Tool You Use

You can't secure what you don't know you have. Write down:

  • Email (Microsoft 365, Google Workspace)
  • File storage (Dropbox, Google Drive, OneDrive)
  • Customer data (Salesforce, HubSpot, Zendesk)
  • Communication (Slack, Teams, Zoom)
  • Accounting (Xero, QuickBooks)
  • Marketing (Mailchimp, HubSpot)

2. Check the Security Settings for Each One

Go through the list. For each tool, find:

  • Guest/external access settings
  • Sharing permissions
  • Public links
  • API access settings

Set everything to "most secure" unless you have a specific reason not to.

3. Check Again Every Three Months

Security configurations don't stay secure forever. Employees change settings. New features get added. Mistakes happen.

Put a recurring calendar event: "Check SaaS security settings." Do it every quarter.

4. Train Your Team

The biggest security risk isn't hackers — it's well-meaning employees who accidentally change a setting to make their job easier, not realizing they've opened a security hole.

Teach your team:

  • Why security settings matter
  • What they're allowed to change
  • What they need to ask permission before doing

The Bottom Line

ShinyHunters didn't hack Salesforce. They exploited forgotten doors that companies had left unlocked.

The same doors exist in Microsoft 365, Google Workspace, HubSpot, Slack, and every other online tool your business uses.

Attackers are scanning for these doors right now. The only question is whether yours is locked.


Not sure where to start? lilMONSTER helps small businesses audit their online tools, close security gaps, and build processes that keep data safe. Book a free consultation — we'll review your setup together and show you exactly what to fix.

FAQ

ShinyHunters is a group of hackers who took a tool that was supposed to help companies find security problems (called AuraInspector) and turned it into a weapon that steals data. They used it to break into about 400 companies that use Salesforce, including a security company called Aura.com [1, 5].

Yes. Salesforce itself wasn't hacked. The problem is that when companies set up their Salesforce websites, many of them accidentally left guest user permissions too open — like leaving a back door unlocked. Salesforce is secure if configured correctly [2].

Go to your Salesforce Setup menu, find "Digital Experience" or "Experience Cloud," then look at the "Security" or "Guest User Settings." Make sure guest users (people you don't know who haven't logged in) can't access your data. Set all external access to "private" unless you have a specific reason not to [2].

Check https://haveibeenpwned.com to see if your email appears in known breach databases. Turn on two-factor authentication (using an app, not text messages) on all your important accounts. Be suspicious of unsolicited calls or emails claiming to be "customer service" — hackers use stolen data to make their scams look real [5].

Yes, indirectly. Your vendors, partners, and service providers use Salesforce and other online tools. Your data lives in their systems. When they get breached because of misconfigured settings, your data gets exposed too. This is why you need to ask about security practices when choosing vendors [6].

At least every three months. Security settings get changed accidentally by employees. New features get added. Mistakes happen. Put a recurring reminder on your calendar to review guest user settings, sharing permissions, and access logs for all your online tools [2, 6].

References

[1] State of Surveillance, "ShinyHunters Weaponized a Security Tool to Breach 400 Companies via Salesforce," March 18, 2026. [Online]. Available: https://stateofsurveillance.org/news/shinyhunters-salesforce-aura-400-companies-security-tool-weaponized-2026/

[2] Salesforce Security Alert, "ShinyHunters Campaign Targeting Experience Cloud Sites," March 2026. [Online]. Available: Salesforce Trust Center

[3] Help Net Security, "ShinyHunters Claims New Campaign Targeting Salesforce Experience Cloud Sites," March 11, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/11/shinyhunters-salesforce-aura-data-breach/

[4] IT Pro, "Salesforce Issues Customer Alert as ShinyHunters Group Claims Experience Cloud Breach," March 2026. [Online]. Available: https://www.itpro.com/security/cyber-attacks/salesforce-issues-customer-alert-as-shinyhunters-group-claims-experience-cloud-breach

[5] DataBreach.com, "Aura.com 2026 Breach — 921,000 Email Records Exposed via Salesforce Misconfiguration," March 2026. [Online]. Available: https://databreach.com/breach/aura-com-2026

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] The Hacker News, "Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool," March 2026. [Online]. Available: https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html

[8] Salesforce Ben, "ShinyHunters Breach 400 Companies via Salesforce Experience Cloud," March 2026. [Online]. Available: https://www.salesforceben.com/shinyhunters-breach-400-companies-via-salesforce-experience-cloud/

[9] Bleeping Computer, "ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

[10] Cyber Insider, "ShinyHunters Claims Hundreds of Victims in New Salesforce Aura Campaign," March 2026. [Online]. Available: https://cyberinsider.com/shinyhunters-claims-hundreds-of-victims-in-new-salesforce-aura-campaign
