ShinyHunters Hackers Threaten 400 Firms Over Stolen Salesforce Data

ShinyHunters claims to have stolen data from 400 firms via Salesforce portals and is threatening to leak the information unless ransom demands are paid.
ShinyHunters Issues Final Warning to 400 Firms After Salesforce Data Theft

ShinyHunters, the notorious group of hackers, has issued a final warning to roughly 400 organisations, claiming to have successfully broken into their private records. The group is threatening to leak this sensitive information onto the internet unless their extortion demands are met. According to earlier research by the security firm Mandiant, the hackers are specifically targeting websites built using Salesforce Experience Cloud, a popular tool businesses use to create public portals and help centres.

How the Information Was Taken

The issue centres on how these websites are set up for public use. Salesforce provides a guest user profile so that anonymous visitors can see basic information without needing to log in. However, if a company’s settings are too open, that profile effectively leaves a security gap. Investigation has revealed that the hackers used a modified version of a tool called Aura Inspector to scan the web and find these gaps.

Once inside, they were able to pull out data such as names and phone numbers, and this information is already being used for vishing attacks (voice phishing, where hackers call employees and trick them into giving away even more corporate secrets).

A Disagreement on the Cause

There is currently a bit of a he-said, she-said situation regarding how this happened. Salesforce has stated that its platform remains secure and that the issue is down to how individual customers managed their own settings.

“Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” Salesforce’s blog post reads.

In simpler terms, they believe the locks on the doors are fine, but the owners accidentally left the keys in the lock. However, ShinyHunters claims they found a new flaw in the software itself that lets them bypass certain restrictions. While this hasn’t been officially confirmed by independent experts, the group insists they can still access data even on websites that appear to be properly secured.

ShinyHunters threatening data leak on their dark web leak site (Image Hackread.com)

High-Pressure Tactics

The group is well known for using aggressive tactics to force companies into paying, and often leaks data in stages to ramp up the pressure. A recent example of this was reported by Hackread.com, where the Dutch telecom provider Odido and its brand Ben refused to pay a €1 million ransom. In response, ShinyHunters began dumping millions of customer records onto the dark web as a final warning to force the company back to the negotiating table.

Salesforce is urging all its customers to perform an immediate check-up of their site settings. They recommend a “least privilege” approach, which basically means only giving guest users the absolute minimum access they need to use the site.

Also, companies should ensure all data is set to private by default and turn off settings that allow guests to see internal staff lists. Additionally, it is vital to disable public APIs, which are the digital bridges that allow different software programmes to talk to each other and share data.
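The check-up Salesforce describes above can be scripted. The following is an added example, not code from the article, Salesforce or Hackread.com: it audits the object permissions held by guest user profiles and flags the kinds of exposure the article describes (guests able to read the User object, i.e. the internal staff list, or contact data, and guests holding write or "View All Records" rights). It assumes the rows come from Salesforce's REST query API for the ObjectPermissions object, with the field and relationship names shown in the SOQL string; the JSON payload embedded below is constructed for the example rather than captured from any real org.

```python
"""Offline least-privilege audit of Salesforce guest-user object permissions.

Assumptions (not taken from the article): rows are shaped like the Salesforce
REST query API's JSON for the ObjectPermissions SObject, and the guest profiles
are selected with Parent.Profile.UserType = 'Guest'. The sample payload is
constructed for this example.
"""
import json

# The SOQL an online run would send to /services/data/vNN.0/query?q=...
# Field and relationship names are assumed to match ObjectPermissions.
GUEST_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit, "
    "PermissionsDelete, PermissionsViewAllRecords, Parent.Profile.Name "
    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'"
)

# Objects an anonymous portal visitor should essentially never read. Guest read
# on User is the "internal staff list" exposure; Contact/Lead/Account hold the
# names and phone numbers later abused for vishing.
SENSITIVE_OBJECTS = {"User", "Contact", "Lead", "Account", "Case", "Opportunity"}

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete")


def _row(obj, read=False, create=False, edit=False, delete=False, view_all=False,
         profile="Help Center Guest Profile"):
    """Build one constructed ObjectPermissions record in API shape."""
    return {
        "SobjectType": obj, "PermissionsRead": read, "PermissionsCreate": create,
        "PermissionsEdit": edit, "PermissionsDelete": delete,
        "PermissionsViewAllRecords": view_all,
        "Parent": {"Profile": {"Name": profile}},
    }


# Constructed sample response: one guest profile that is far too open.
SAMPLE_RESPONSE = json.dumps({
    "totalSize": 4,
    "done": True,
    "records": [
        _row("Knowledge__kav", read=True),            # public help articles: fine
        _row("User", read=True),                      # staff list exposed
        _row("Contact", read=True, create=True),      # customer PII exposed
        _row("Case", create=True),                    # write without read
    ],
})


def audit_guest_permissions(response_json: str) -> list:
    """Return one finding per permission a guest profile should not hold.

    Each finding is a dict with profile, object, severity and reason, so it can
    be fed straight into a ticket or a detection rule.
    """
    findings = []
    for rec in json.loads(response_json)["records"]:
        obj = rec["SobjectType"]
        profile = rec["Parent"]["Profile"]["Name"]
        base = {"profile": profile, "object": obj}

        # "View All Records" ignores sharing rules entirely: always high.
        if rec.get("PermissionsViewAllRecords"):
            findings.append({**base, "severity": "high",
                             "reason": "guest has View All Records"})

        # Read on staff/customer objects is the exposure behind this campaign.
        if rec.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append({**base, "severity": "high",
                             "reason": "guest can read sensitive object"})

        # Any write right for an anonymous user deserves a second look.
        held = [f.replace("Permissions", "").lower() for f in WRITE_FLAGS if rec.get(f)]
        if held:
            findings.append({**base, "severity": "medium",
                             "reason": "guest has write access: " + ", ".join(held)})
    return findings


def count_by_severity(findings: list) -> dict:
    """Summarise findings as {severity: count} for a quick dashboard line."""
    counts = {}
    for f in findings:
        counts[f["severity"]] = counts.get(f["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    results = audit_guest_permissions(SAMPLE_RESPONSE)
    for f in results:
        print(f"[{f['severity']}] {f['profile']} / {f['object']}: {f['reason']}")
    print(count_by_severity(results))
```

Run online, the same function would be pointed at the JSON returned for `GUEST_PERMS_SOQL`; a clean guest profile for a help centre yields no findings at all, since read on public knowledge articles is the only right it needs.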

Deeba is a veteran cybersecurity reporter at Hackread.com with over a decade of experience covering cybercrime, vulnerabilities, and security events. Her expertise and in-depth analysis make her a key contributor to the platform’s trusted coverage.