
Salesforce AuraInspector Attack: ShinyHunters Scanning Experience Cloud Sites

ID: 6abaab43-6f68-59be-8ca2-42fd5e77bc79

STIX ID: report--6abaab43-6f68-59be-8ca2-42fd5e77bc79

Feed Name: NoHackie

Threat Score: 75/100

Date Published: 2026-03-12

Date Updated: 2026-04-19


A known threat actor (reported as ShinyHunters/UNC6240) repurposed Mandiant's AuraInspector into an automated scanner and extractor targeting Salesforce Experience Cloud sites with overly permissive guest user profiles. The campaign allegedly compromised 300–400 organizations, beginning in September 2025 and accelerating after the tool's January 2026 release. Extracted CRM data (names, phone numbers, accounts) has been used for extortion and to enable high-confidence vishing. Salesforce issued an advisory (March 7, 2026) recommending removing the API Enabled permission from guest users. Detection and pagination-bypass details, evidence of active exploitation, and remediation steps are documented, while a claimed second bypass affecting correctly configured instances remains unverified.
