Executive Summary
The threat group known as ShinyHunters is actively exploiting misconfigurations in Salesforce Experience Cloud, together with an externally developed security auditing tool, to exfiltrate sensitive data from hundreds of high-profile organizations. By repurposing Mandiant’s AuraInspector tool, the actors identify guest user profiles with excessive permissions that allow direct querying of internal CRM objects. The stolen data serves as a potential resource for further operations targeting sensitive Salesforce Aura instances.
Technical Analysis
Mandiant introduced AuraInspector on 12 January 2026 as a specialized command-line tool to help security administrators audit their Salesforce Experience Cloud instances for access control gaps. This utility automates the identification of misconfigured objects by mimicking the external perspective of an unauthenticated guest user. It specifically highlights exposures within the Aura framework that might lead to the leakage of PII, identity documents, or financial records. While intended for defensive hardening and proactive remediation, the open-source nature of the tool allowed threat actors like ShinyHunters to modify the code for large-scale reconnaissance across the internet.
Attackers target the /s/sfsites/aura API endpoint to execute unauthorized queries against the Salesforce Aura framework. By manipulating the sortBy parameter and the GraphQL Aura controller, threat actors bypass the standard 2,000-record retrieval limit to exfiltrate entire datasets. The ShinyHunters group specifically uses a custom tool that automates “boxcar’ing”: bundling multiple Aura actions into a single POST request to speed up data theft.
This methodology exploits the serviceComponent://ui.force.components.controllers.lists.selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems method to extract records without authentication. The actors leverage this optimization to bundle up to 250 server-side actions into a single request, which significantly reduces network traffic while accelerating the exfiltration of sensitive CRM objects. The discovery of the sortBy parameter allows for the retrieval of records beyond the default 2,000-record threshold by altering the sort order to reveal hidden data. Furthermore, the GraphQL Aura controller (aura://RecordUiController/ACTION$executeGraphQL) provides an unauthenticated path to perform complex join operations and mutations. Using Base64-encoded cursors in the after parameter, attackers systematically paginate through thousands of records with minimal resistance. This automated reconnaissance ensures that any misconfigured object becomes an open door for large-scale data harvesting in future operations.
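The request patterns described above (boxcar’d POSTs to /s/sfsites/aura, unauthenticated calls to the getItems list provider with a sortBy parameter, and unauthenticated executeGraphQL calls) are visible in web-server or reverse-proxy logs. The following Python sketch is an added example for defenders and is not code from the report, from ShinyHunters’ tooling, or from Mandiant’s AuraInspector. It assumes a JSON-lines log format with an `authenticated` flag derived upstream from the session cookie, a `body` field holding the form-encoded Aura request, and an alerting threshold of 20 actions per request; the sample log entries, IPs and parameter values are constructed.

```python
import json
from urllib.parse import parse_qs, urlencode

# Aura action descriptors named in the report.
LIST_PROVIDER = ("serviceComponent://ui.force.components.controllers.lists."
                 "selectableListDataProvider.SelectableListDataProviderController/ACTION$getItems")
GRAPHQL_CONTROLLER = "aura://RecordUiController/ACTION$executeGraphQL"

# Assumed detection settings: tune to the tenant's normal guest traffic.
AURA_PATH_SUFFIX = "/s/sfsites/aura"
MAX_ACTIONS_PER_REQUEST = 20


def parse_aura_actions(body):
    """Aura POST bodies are form-encoded; the 'message' field carries JSON whose
    'actions' list holds every boxcar'd server-side action. Returns [] for anything
    that does not parse, so a malformed body never crashes the scan."""
    raw = parse_qs(body).get("message", [None])[0]
    if raw is None:
        return []
    try:
        msg = json.loads(raw)
    except json.JSONDecodeError:
        return []
    actions = msg.get("actions", []) if isinstance(msg, dict) else []
    return [a for a in actions if isinstance(a, dict)]


def analyse_request(entry):
    """Return a list of findings for one log entry (empty list = nothing notable).
    'authenticated' is an assumed field set upstream from the session cookie."""
    findings = []
    if entry.get("method") != "POST" or not entry.get("path", "").endswith(AURA_PATH_SUFFIX):
        return findings
    actions = parse_aura_actions(entry.get("body", ""))
    guest = not entry.get("authenticated", False)

    if len(actions) > MAX_ACTIONS_PER_REQUEST:
        findings.append(f"boxcar: {len(actions)} actions in one request")
    if guest:
        graphql = [a for a in actions if a.get("descriptor") == GRAPHQL_CONTROLLER]
        if graphql:
            findings.append(f"unauthenticated executeGraphQL ({len(graphql)} action(s))")
        get_items = [a for a in actions if a.get("descriptor") == LIST_PROVIDER]
        if get_items:
            note = f"unauthenticated getItems ({len(get_items)} action(s))"
            if any("sortBy" in (a.get("params") or {}) for a in get_items):
                note += ", sortBy present"
            findings.append(note)
    return findings


def scan_log(lines):
    """Run analyse_request over JSON-lines records; return (client_ip, findings) pairs."""
    alerts = []
    for line in lines:
        entry = json.loads(line)
        findings = analyse_request(entry)
        if findings:
            alerts.append((entry.get("client_ip", "?"), findings))
    return alerts


def _aura_body(actions):
    # Builds a constructed form-encoded Aura request body for the sample log below.
    return urlencode({"message": json.dumps({"actions": actions}), "aura.context": "{}"})


# Constructed sample log (JSON lines). IPs are documentation ranges; parameter values are placeholders.
SAMPLE_LOG = [
    json.dumps({"client_ip": "203.0.113.10", "method": "POST", "path": "/customers/s/sfsites/aura",
                "authenticated": False,
                "body": _aura_body([{"descriptor": LIST_PROVIDER,
                                     "params": {"sortBy": "CONSTRUCTED_FIELD"}}] * 40)}),
    json.dumps({"client_ip": "203.0.113.11", "method": "POST", "path": "/customers/s/sfsites/aura",
                "authenticated": False,
                "body": _aura_body([{"descriptor": GRAPHQL_CONTROLLER,
                                     "params": {"query": "CONSTRUCTED_QUERY",
                                                "after": "CONSTRUCTED_CURSOR"}}])}),
    json.dumps({"client_ip": "198.51.100.5", "method": "POST", "path": "/customers/s/sfsites/aura",
                "authenticated": True,   # logged-in user, single benign (constructed) action
                "body": _aura_body([{"descriptor": "aura://ConstructedController/ACTION$benign",
                                     "params": {}}])}),
    json.dumps({"client_ip": "198.51.100.6", "method": "GET", "path": "/customers/s/",
                "authenticated": False, "body": ""}),
]

if __name__ == "__main__":
    for ip, findings in scan_log(SAMPLE_LOG):
        print(ip, "->", "; ".join(findings))
```

Run against the constructed log, the first two entries produce alerts (a 40-action boxcar of guest getItems calls with sortBy, and a guest executeGraphQL call) while the authenticated request and the plain page GET are ignored. In production the same three signals (action count per request, guest session plus the two descriptors, and sortBy or cursor pagination on guest traffic) would be fed into the SIEM as separate rules so that each can be tuned independently.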
Remediations
Threat actors have confirmed with media entities that the only current way to prevent exploitative scanning with AuraInspector is to disable “Public Access” to an instance, which also disables guest access and turns the website into a private portal.