ShinyHunters Hackers Demand $18 Million Ransom After Stealing Data from 400 Companies Using Salesforce
ShinyHunters Launches Massive Extortion Campaign Against 400 Organizations
The notorious hacking collective ShinyHunters has launched an unprecedented extortion campaign targeting approximately 400 organizations across various industries. The group claims to have successfully breached private records from these companies and is now demanding payment under threat of publicly leaking the stolen data. This attack represents one of the largest coordinated ransomware-style campaigns in recent cybersecurity history, with potential damages extending far beyond the immediate financial demands.
According to cybersecurity firm Mandiant, the hackers have specifically focused their efforts on websites built using Salesforce Experience Cloud, a widely adopted platform that enables businesses to create public portals, help centers, and community sites. The scale and precision of this attack suggest months of preparation and reconnaissance by the threat actors.
How the Breach Occurred: The Guest User Vulnerability
The core vulnerability exploited in this attack centers on how Salesforce Experience Cloud sites handle public access. The platform includes a “guest user” profile feature designed to allow unauthenticated visitors to view basic information without requiring login credentials. While this functionality serves legitimate business purposes, it creates significant security risks when improperly configured.

Security researchers discovered that ShinyHunters employed a modified version of a tool called Aura Inspector to systematically scan the internet for Salesforce Experience Cloud implementations with overly permissive guest user settings. This automated scanning process allowed the attackers to identify thousands of vulnerable sites across the web, from which they selected their 400 primary targets.
Once inside these poorly secured environments, the hackers were able to query and extract sensitive data stored within the Salesforce backend. The stolen information reportedly includes employee names, customer contact details, email addresses, and phone numbers. This type of data is particularly valuable because it can be weaponized for subsequent attacks, creating a cascading effect of security breaches.
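The misconfiguration described above is a matter of which objects the guest profile is allowed to read. The following audit script is an added example, not code from the article, Mandiant or Salesforce: it takes ObjectPermissions records in the nested JSON shape the Salesforce REST query endpoint returns and flags every guest-user profile that has Read on objects holding the kinds of data the article says were taken (contacts, leads, users). The SOQL text, the license name "Guest User License", the field names and the list of sensitive objects are assumptions to verify against your own org; the sample records are constructed.

```python
"""Flag guest-user profiles that can read sensitive objects (added defensive example).

Assumption: records look like the JSON the Salesforce REST query endpoint
returns for the SOQL below; field and license names should be verified
against your own org before relying on them.
"""
from dataclasses import dataclass
from typing import Iterable

# Assumed SOQL shape (not from the article); relationship fields come back as
# nested dicts in the REST API's JSON response.
GUEST_PERMS_SOQL = (
    "SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords, "
    "Parent.Profile.Name, Parent.Profile.UserLicense.Name "
    "FROM ObjectPermissions "
    "WHERE Parent.Profile.UserLicense.Name = 'Guest User License'"
)

# Objects holding the employee/customer contact data the article says was
# exfiltrated, plus a few others a guest should never read. Assumed list; tune it.
SENSITIVE_OBJECTS = frozenset({"Contact", "Lead", "User", "Account", "Case"})


@dataclass(frozen=True)
class Finding:
    profile: str       # guest profile name, e.g. "Help Center Profile"
    sobject: str       # object the guest profile can read
    view_all: bool     # True if "View All Records" is also granted (org-wide read)


def _get(d, *path):
    """Walk nested dicts; return None if any key on the path is missing."""
    for key in path:
        if not isinstance(d, dict):
            return None
        d = d.get(key)
    return d


def audit_guest_permissions(records: Iterable[dict],
                            sensitive=SENSITIVE_OBJECTS) -> list[Finding]:
    """Return one Finding per guest profile/object pair that grants Read on a sensitive object."""
    findings = []
    for rec in records:
        # Only guest-user profiles matter here: internal profiles require a login.
        if _get(rec, "Parent", "Profile", "UserLicense", "Name") != "Guest User License":
            continue
        if not rec.get("PermissionsRead"):
            continue  # no Read permission, so nothing is exposed through this record
        sobject = rec.get("SobjectType")
        if sobject in sensitive:
            findings.append(Finding(
                profile=_get(rec, "Parent", "Profile", "Name") or "<unnamed>",
                sobject=sobject,
                view_all=bool(rec.get("PermissionsViewAllRecords")),
            ))
    return sorted(findings, key=lambda f: (f.profile, f.sobject))


# Constructed sample records (not real org data) in the REST API's nested shape.
SAMPLE_RECORDS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserLicense": {"Name": "Guest User License"}}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserLicense": {"Name": "Guest User License"}}}},
    {"SobjectType": "Lead", "PermissionsRead": False, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Help Center Profile", "UserLicense": {"Name": "Guest User License"}}}},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Standard User", "UserLicense": {"Name": "Salesforce"}}}},
    {"SobjectType": "User", "PermissionsRead": True, "PermissionsViewAllRecords": False,
     "Parent": {"Profile": {"Name": "Partner Portal Profile", "UserLicense": {"Name": "Guest User License"}}}},
]

if __name__ == "__main__":
    for f in audit_guest_permissions(SAMPLE_RECORDS):
        scope = "ALL records" if f.view_all else "records shared with the guest"
        print(f"[!] {f.profile}: guest can read {f.sobject} ({scope})")
```

Reading Knowledge articles is what a public help center is for, so that record produces no finding; the guest profile's Read on Contact and User does, and the "View All Records" flag on Contact is called out separately because it widens exposure from records explicitly shared with the guest to every record in the object. Run the query in the real org, feed the `records` array to `audit_guest_permissions`, and treat each finding as a sharing-model review item.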
Salesforce vs. ShinyHunters: Conflicting Narratives
A significant point of contention has emerged between Salesforce and the hacking group regarding the nature of the vulnerability. Salesforce maintains that its platform remains fundamentally secure and that the breaches resulted from customer misconfigurations rather than any inherent flaw in their software. “Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” stated a Salesforce spokesperson in an official blog post.

This position essentially places responsibility on individual organizations for failing to properly secure their implementations. Salesforce argues that while the platform provides the tools for secure configuration, it cannot prevent customers from making poor security decisions that leave their data exposed.
In stark contrast, ShinyHunters claims to have discovered a new zero-day vulnerability in Salesforce Experience Cloud that allows them to bypass standard security restrictions. The group asserts that their technique works even on sites that appear to be properly secured, suggesting a more fundamental flaw in the platform’s architecture. However, these claims remain unverified by independent security researchers, and Salesforce continues to deny the existence of any platform-level vulnerability.
The Immediate Threat: Vishing and Social Engineering Attacks
The stolen data has already begun appearing in the wild, with cybersecurity experts reporting increased vishing (voice phishing) attacks targeting employees of affected organizations. These sophisticated social engineering campaigns leverage the stolen personal information to establish credibility with victims.
In typical vishing scenarios, attackers call employees while armed with their names, job titles, and other personal details harvested from the Salesforce breach. The hackers then impersonate IT staff, executives, or trusted vendors, using this information to convince employees to divulge passwords, bypass security protocols, or provide access to additional systems. The combination of personal information and authoritative impersonation makes these attacks particularly effective.
Security analysts note that this represents a dangerous escalation in cybercrime tactics. Rather than simply stealing data for resale on dark web markets, attackers are using it as a foundation for more targeted, high-value attacks that can compromise entire corporate networks.
ShinyHunters’ Extortion Playbook: Pressure Through Staged Leaks
ShinyHunters has developed a reputation for aggressive extortion tactics that go beyond traditional ransomware demands. The group employs a strategy of staged data leaks designed to maximize pressure on victims and force compliance with their demands.
The extortion process typically begins with private negotiations, where the hackers present their demands and threaten to leak data if payment is not received. If initial demands are ignored, they begin releasing small portions of the stolen data to demonstrate their seriousness and capability. This “proof of life” approach serves to validate their claims and increase anxiety among victim organizations.

If negotiations still fail to produce payment, ShinyHunters escalates to full-scale data dumps on dark web forums and leak sites. These dumps often include sensitive customer information, internal communications, and proprietary business data that can cause significant reputational and financial damage to the affected companies.
A recent case highlighted by Hackread.com demonstrates this playbook in action. When Dutch telecom provider Odido and its brand Ben refused to pay a €1 million ransom demand, ShinyHunters began dumping millions of customer records onto dark web marketplaces. This public exposure not only damaged the companies’ reputations but also created potential legal liability under data protection regulations.