
ShinyHunters Salesforce Campaign Hits 400+ Firms: What Saudi Banks Must Do Now

ShinyHunters has breached over 400 organizations through Salesforce Experience Cloud misconfigurations, stealing millions of records. Saudi financial institutions relying on Salesforce must act immediately to lock down guest user permissions and protect customer data.

FyntraLink Team

A single misconfigured guest user permission in Salesforce Experience Cloud has handed the ShinyHunters threat group access to hundreds of enterprise environments — including Cisco, Hallmark, and dozens of financial services firms. With deadline ultimatums expiring this week and data dumps hitting dark web forums, any Saudi institution running Salesforce-based portals faces a concrete, immediate risk that demands same-day action.

How ShinyHunters Weaponized Salesforce Aura Inspector

The campaign, tracked since early March 2026, exploits a deceptively simple attack surface. ShinyHunters modified the open-source Aura Inspector — a debugging tool originally developed by Salesforce engineers — to mass-scan public-facing Experience Cloud sites. The scanner identifies portals where guest user profiles retain overly permissive object-level and field-level access, a misconfiguration far more common than most administrators realize. Once a vulnerable site is found, attackers query Salesforce's Aura API endpoints directly, extracting full object records without triggering standard authentication controls. Salesforce confirmed the vector in a March 2026 advisory, noting that the threat actor is not exploiting a platform vulnerability but rather taking advantage of customer-side configuration gaps.

The scale is staggering. ShinyHunters claims between 300 and 400 breached organizations, with individual hauls reaching millions of records. Cisco reportedly lost over 3 million records through this vector; Hallmark faces exposure of nearly 8 million customer records. The group has adopted an aggressive extortion model, setting public deadlines — including April 2 and April 3, 2026 — before releasing stolen datasets on their leak site.

Why Salesforce Misconfigurations Are an Industry-Wide Blind Spot

Salesforce Experience Cloud (formerly Community Cloud) powers customer portals, partner hubs, and self-service platforms across the financial sector. Saudi banks, insurance companies, and fintech firms frequently deploy Experience Cloud for onboarding workflows, document submission portals, and customer service interfaces. The problem is that Salesforce's permission model is granular but complex. Guest user profiles — the accounts that unauthenticated visitors use to interact with public-facing pages — can inadvertently inherit access to sensitive objects like Contact, Account, Case, and even custom objects containing financial records.

Security teams routinely audit network perimeters, endpoints, and cloud infrastructure, but SaaS platform configurations often fall into a governance gap. Salesforce environments are typically managed by business units or CRM administrators who may lack security training. Penetration testing scopes rarely include deep Salesforce permission audits. The result is a hidden attack surface that sits outside the traditional security operations center's visibility — exactly the kind of gap ShinyHunters has learned to exploit at scale.

The Threat to Saudi Financial Institutions

Saudi Arabia's financial sector is a high-value target, and the regulatory consequences of a Salesforce-sourced data breach would be severe. SAMA's Cyber Security Common Controls (CSCC) framework explicitly requires institutions to implement access control measures that enforce least-privilege principles across all systems, including third-party SaaS platforms. Domain 3 (Technology Operations) and Domain 4 (Third Party Cyber Security) of the CSCC mandate continuous monitoring and configuration management for externally hosted services.

A breach exposing customer PII through a misconfigured Salesforce portal would simultaneously trigger obligations under Saudi Arabia's Personal Data Protection Law (PDPL), which requires breach notification within 72 hours and imposes penalties for failure to implement adequate technical safeguards. For institutions handling cardholder data through Salesforce integrations, PCI-DSS Requirement 7 (Restrict Access to System Components) directly applies. The NCA's Essential Cybersecurity Controls (ECC) framework adds another layer, requiring organizations to maintain secure configurations for all information assets, including SaaS platforms, under control ECC-2:2.

Google Cloud's Mandiant threat intelligence team published a detailed tracking report on the ShinyHunters campaign expansion, confirming that the group has deliberately targeted organizations in the Middle East and financial services verticals. Saudi institutions cannot treat this as a distant Western problem — the threat actors are actively scanning globally, and any publicly accessible Experience Cloud site is a potential target regardless of geography.

Immediate Remediation Steps

  1. Audit guest user permissions today. In Salesforce Setup, navigate to User Management Settings and review the Guest User profile for every Experience Cloud site. Remove object-level read access to Contact, Account, Lead, Case, Opportunity, and any custom objects containing sensitive data. Salesforce's own "Guest User Access Report" tool (Setup → Security → Guest User Access) provides a baseline inventory.
  2. Disable unnecessary Aura API endpoints. Review which Lightning components are exposed on guest-accessible pages. Remove any components that query sensitive objects. Use Salesforce's "LWC Security Review" to identify components with overly broad SOQL queries accessible to guest profiles.
  3. Implement Salesforce Shield Event Monitoring. Enable Login Event Monitoring and API Event Monitoring to detect anomalous query patterns — particularly high-volume GET requests against Aura endpoints from unfamiliar IP ranges. Forward these logs to your SIEM for correlation with threat intelligence feeds tracking ShinyHunters infrastructure.
  4. Enforce field-level security on all sensitive objects. Object-level permissions are necessary but not sufficient. Ensure that even if a guest user can read an object, individual fields containing national ID numbers (Saudi National ID / Iqama), financial account numbers, and contact details are restricted at the field level.
  5. Include Salesforce in your next penetration test scope. Traditional infrastructure pentests miss SaaS misconfigurations entirely. Commission a dedicated Salesforce security assessment that covers permission model review, sharing rule analysis, and API endpoint exposure testing. This directly satisfies SAMA CSCC requirements for application security testing.
  6. Update your third-party risk register. Document Salesforce as a critical third-party provider under your SAMA CSCC Domain 4 compliance program. Ensure your vendor risk assessment includes SaaS configuration drift as a monitored risk category, not just vendor-side vulnerabilities.
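The guest-profile audit in steps 1 and 4 can be scripted against an export of the profile's grants. The following is an added example, not Fyntralink's or Salesforce's own code; it assumes records shaped like the ObjectPermissions and FieldPermissions sObjects (SobjectType, PermissionsRead, Field, and so on), and the sample records are constructed for the demo.

```python
# Added example (not Fyntralink's or Salesforce's code): flag risky grants on an
# Experience Cloud guest profile. Record shapes assume the ObjectPermissions and
# FieldPermissions sObjects; the sample records below are constructed.
SENSITIVE_OBJECTS = {"Contact", "Account", "Lead", "Case", "Opportunity"}
SENSITIVE_FIELD_HINTS = ("nationalid", "national_id", "iqama", "iban",
                         "account_number", "phone", "email")
GRANT_KEYS = ("PermissionsRead", "PermissionsViewAllRecords", "PermissionsCreate",
              "PermissionsEdit", "PermissionsDelete")

def audit_object_permissions(records):
    """Return (object, reason, granted_permissions) for each risky grant."""
    findings = []
    for rec in records:
        obj = rec["SobjectType"]
        grants = [k for k in GRANT_KEYS if rec.get(k)]
        if not grants:
            continue
        if obj in SENSITIVE_OBJECTS:
            findings.append((obj, "sensitive standard object", grants))
        elif obj.endswith("__c"):  # custom objects often hold financial records
            findings.append((obj, "custom object, review contents", grants))
    return findings

def audit_field_permissions(records):
    """Return guest-readable fields whose API name suggests PII or financial data."""
    findings = []
    for rec in records:
        if not rec.get("PermissionsRead"):
            continue
        field = rec["Field"]  # e.g. "Contact.National_ID__c"
        api_name = field.split(".", 1)[1].lower()
        if any(hint in api_name for hint in SENSITIVE_FIELD_HINTS):
            findings.append(field)
    return findings

# Constructed sample data resembling a guest profile's grants.
GUEST_OBJECT_PERMS = [
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsEdit": False},
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},  # public articles: fine
    {"SobjectType": "Loan_Application__c", "PermissionsRead": True, "PermissionsCreate": True},
    {"SobjectType": "Case", "PermissionsRead": False},
]
GUEST_FIELD_PERMS = [
    {"Field": "Contact.Email", "SobjectType": "Contact", "PermissionsRead": True},
    {"Field": "Contact.National_ID__c", "SobjectType": "Contact", "PermissionsRead": True},
    {"Field": "Contact.LastName", "SobjectType": "Contact", "PermissionsRead": True},
]

def run_audit():
    return audit_object_permissions(GUEST_OBJECT_PERMS), audit_field_permissions(GUEST_FIELD_PERMS)

if __name__ == "__main__":
    objs, fields = run_audit()
    for obj, reason, grants in objs:
        print(f"[OBJECT] {obj}: {reason} ({', '.join(grants)})")
    for field in fields:
        print(f"[FIELD]  {field}: readable by guest")
```

Feed it the real query results for the guest user's PermissionSet and treat every finding as a candidate for removal before the next Aura scan finds it.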

Beyond the Immediate Fix: Building SaaS Security Governance

The ShinyHunters campaign exposes a structural weakness in how most organizations govern SaaS security. Salesforce is just one platform — the same category of misconfiguration risk exists in ServiceNow, Microsoft Dynamics 365, SAP Cloud, and every other SaaS platform with granular permission models. Saudi financial institutions should use this incident as a catalyst to establish a formal SaaS Security Posture Management (SSPM) program. SSPM tools continuously monitor SaaS configurations against security baselines, alerting on permission drift, excessive access grants, and exposed API endpoints before attackers find them.

The SAMA CSCC framework's emphasis on continuous monitoring and configuration management provides the regulatory mandate. The ShinyHunters campaign provides the operational urgency. Institutions that combine both drivers into a funded, staffed SaaS governance program will close one of the most dangerous blind spots in modern enterprise security.

Conclusion

ShinyHunters has demonstrated that SaaS misconfiguration is not a theoretical risk — it is an active, scaled attack vector producing real breaches affecting hundreds of major organizations right now. Every Saudi financial institution running Salesforce Experience Cloud should treat this as a P1 incident investigation trigger: audit guest user permissions, review Aura API exposure, and activate monitoring within the next 48 hours. The regulatory frameworks are clear, the threat is confirmed, and the remediation steps are well-defined. The only variable is speed of execution.

Is your organization prepared? Contact Fyntralink for a complimentary SAMA Cyber Maturity Assessment, including a dedicated Salesforce security configuration review.
