The Digital Door You Didn't Know You Had

Imagine you own a shop. You lock the front door every night. You set an alarm system. You hire security guards.

But there's a back door you forgot about. It's unlocked. Anyone can walk in.

That's what happened to 400 companies recently. They use a platform called Salesforce to run customer websites and portals. Salesforce itself is secure — it's like a really good lock. But these companies left a "digital back door" open without realizing it [2].

Here's what happened:

How Good Tools Became Bad Weapons

A company called Mandiant built a tool called AuraInspector. Think of it like a security guard who walks around your shop checking if any doors are unlocked. It was supposed to help companies find problems before bad guys did [1].

Then a hacker group called ShinyHunters came along. They took that security guard tool and turned it into a master key [1].

Suddenly, instead of finding unlocked doors and reporting them, the tool was opening them and letting hackers walk right in. The hackers automated it: push a button, scan hundreds of companies, steal everything.

By March 2026, they'd hit 300-400 organizations around the world [1].

The Company That Protects People... Got Hacked

Here's the most embarrassing part. One of the companies that got breached is called Aura.com [5].

What does Aura.com do? They sell identity theft protection. They're a security company.

Their job is to help people protect their data. But they'd left their own digital back door unlocked. ShinyHunters walked right in and stole 921,000 customer email addresses from their Salesforce system [5].

It's like a locksmith forgetting to lock their own front door.

Why Salesforce Isn't to Blame

Here's the important thing: Salesforce (the company that makes the software) didn't do anything wrong.

Think of Salesforce like a house builder. They build a house with locks on all the doors and windows. The house is secure.

But if you move in and decide to leave a window open "because it's convenient," that's not the builder's fault. That's on you.

That's what happened here. Salesforce shipped a secure platform. But when companies set up their customer portals, many of them accidentally left the "guest user" settings too open [2].

Guest users are people who haven't logged in. They're people you don't know walking by your shop. Most guest users shouldn't be able to see anything. But these companies accidentally gave people you don't know the keys to the back room.

The Attack in Plain English

Here's how the attack worked, step by step:

1. The scan: ShinyHunters used their weaponized tool to scan thousands of Salesforce customer websites
2. The check: For each website, the tool asked: "Can a person you don't know see data they shouldn't?"
3. The exploit: If the answer was "yes," the tool started downloading everything
4. the theft: Customer names, email addresses, phone numbers, purchase history — all stolen automatically

No hacking required. No broken software. Just walking through unlocked doors.

Related: 67% of Breaches Start With a Stolen Login — Not a Hacked System: What Your Business Can Do Today

Why This Matters to Your Business (Even If You Don't Use Salesforce)

You might be thinking: "We don't use Salesforce. We're safe."

Not quite. This problem exists with almost every online tool your business uses:

• Microsoft 365 (email, documents, teams)
• Google Workspace (Gmail, Google Drive, Google Docs)
• HubSpot (marketing and customer data)
• Slack (team communication)
• Dropbox (file storage)
• Zoom (video meetings)

All of these tools are secure when you set them up correctly. All of them can be misconfigured by accident. All of them are being scanned by hackers right now, looking for unlocked doors.

Your business data lives in these tools. Your customer data lives in these tools. Your vendors' data lives in these tools.

When they get breached, you get breached too.

The Security Checklist for Your Online Tools

Here's what to do right now, today, for every online tool your business uses:

1. Find Your Guest User Settings

Every major SaaS platform has settings for "guest users" or "external sharing." Go find them.

• Salesforce: Setup → Digital Experience → Security → Guest User Settings
• Microsoft 365: Admin Center → Sharing → External sharing settings
• Google Workspace: Admin Console → Apps → Google Workspace → Drive → Sharing settings
• Slack: Workspace Settings → Permissions → Guest access

The question: Can people you don't know see your business data without logging in? If yes, change it.

2. Set Everything to "Private" by Default

The safest setting is almost always: don't share anything outside your organization unless you specifically choose to.

Think of it like your house. The windows stay closed. You open them only when you want to let someone in.

3. Check for Links You Forgot About

Many online tools let you create "public links" to documents or sites. You might have created these months ago and forgotten they exist.

• Search your settings for "public links" or "sharing links"
• Delete any you don't actively use
• Set links to expire automatically after a certain time

4. Turn Off What You Don't Need

Features like "self-registration" (letting people create their own accounts) or "API access" (letting other apps talk to your system) are convenient — but they're also attack vectors.

If you don't need them, turn them off. You can always enable them later if you find a legitimate use case.

5. Look for Weird Activity in Your Logs

Every SaaS platform keeps a record of who did what. These are called audit logs or activity logs.

Once a month, have someone check for:

• Bulk data downloads (why did someone export 10,000 customer records?)
• Logins from strange countries (why is someone logging in from Kazakhstan at 3 AM?)
• New user accounts created without approval

If you see something weird, investigate.

Related: Stop Overpaying for AI: 5 Ways Businesses Waste Money on Artificial Intelligence

What to Do If You Think Your Data Was Stolen

If you do business with companies that use Salesforce (and that's a lot of companies), your data might have been exposed in this breach. Here's what to do:

1. Check if Your Email Was Leaked

Go to https://haveibeenpwned.com and enter your email address. This free service checks if your email appeared in known data breaches.

2. Watch for Official Notifications

Companies are legally required to notify you if your data was stolen. Watch for emails or letters saying "We experienced a data breach."

Warning: Scammers know this. They'll send fake breach notification emails trying to trick you. Before clicking anything, verify it's really from the company by visiting their official website (not clicking links in the email).

3. Turn On Two-Factor Authentication (2FA)

Every important account should have 2FA. This means you need both your password AND a code from your phone to log in.

Use an authenticator app (like Google Authenticator or Microsoft Authenticator), not SMS text messages — SMS can be hijacked.

4. Be Skeptical of "Customer Service" Calls

If hackers stole your data from a company's database, they now know your name, email, phone number, and maybe your purchase history.

They might call or email pretending to be from that company. They'll sound convincing because they have real information.

The rule: Never give personal information or passwords to someone who contacts you, even if they say they're from a company you do business with. Hang up and call the official phone number from their website.

Related: How Hackers Bypass MFA in 2026: AiTM, SIM Swapping, MFA Fatigue, and Token Theft Explained

The Lesson: Security Isn't Something You Buy — It's Something You Do

The biggest mistake businesses make is thinking security works like insurance:

"I bought secure software. I'm protected."

But that's not how it works. Security is more like locking up a shop or a house:

• The builder (Salesforce, Microsoft, Google) gives you good locks
• But you still have to actually use them
• And you have to check them regularly
• Because bad guys are constantly checking if you forgot to lock something

The ShinyHunters breach wasn't a technical failure. It was a process failure. Companies weren't checking their configurations regularly. Nobody was reviewing guest user permissions. No one was monitoring for strange activity.

Good security habits matter more than good security tools. A tool that helps you find problems (like AuraInspector) is useless if you don't actually fix the problems it finds.

Related: Why Your IT Guy Isn't Enough: The Case for Dedicated Cybersecurity

What This Means for Your Business's Security Strategy

Here's the simple version of what every business needs to do:

1. Make a List of Every Online Tool You Use

You can't secure what you don't know you have. Write down:

• Email (Microsoft 365, Google Workspace)
• File storage (Dropbox, Google Drive, OneDrive)
• Customer data (Salesforce, HubSpot, Zendesk)
• Communication (Slack, Teams, Zoom)
• Accounting (Xero, QuickBooks)
• Marketing (Mailchimp, HubSpot)

2. Check the Security Settings for Each One

Go through the list. For each tool, find:

• Guest/external access settings
• Sharing permissions
• Public links
• API access settings

Set everything to "most secure" unless you have a specific reason not to.

3. Check Again Every Three Months

Security configurations don't stay secure forever. Employees change settings. New features get added. Mistakes happen.

Put a recurring calendar event: "Check SaaS security settings." Do it every quarter.

4. Train Your Team

The biggest security risk isn't hackers — it's well-meaning employees who accidentally change a setting to make their job easier, not realizing they've opened a security hole.

Teach your team:

• Why security settings matter
• What they're allowed to change
• What they need to ask permission before doing

The Bottom Line

ShinyHunters didn't hack Salesforce. They exploited forgotten doors that companies had left unlocked.

The same doors exist in Microsoft 365, Google Workspace, HubSpot, Slack, and every other online tool your business uses.

Attackers are scanning for these doors right now. The only question is whether yours is locked.

---

Not sure where to start? lilMONSTER helps small businesses audit their online tools, close security gaps, and build processes that keep data safe. Book a free consultation — we'll review your setup together and show you exactly what to fix.

FAQ

References

[1] State of Surveillance, "ShinyHunters Weaponized a Security Tool to Breach 400 Companies via Salesforce," March 18, 2026. [Online]. Available: https://stateofsurveillance.org/news/shinyhunters-salesforce-aura-400-companies-security-tool-weaponized-2026/

[2] Salesforce Security Alert, "ShinyHunters Campaign Targeting Experience Cloud Sites," March 2026. [Online]. Available: Salesforce Trust Center

[3] Help Net Security, "ShinyHunters Claims New Campaign Targeting Salesforce Experience Cloud Sites," March 11, 2026. [Online]. Available: https://www.helpnetsecurity.com/2026/03/11/shinyhunters-salesforce-aura-data-breach/

[4] IT Pro, "Salesforce Issues Customer Alert as ShinyHunters Group Claims Experience Cloud Breach," March 2026. [Online]. Available: https://www.itpro.com/security/cyber-attacks/salesforce-issues-customer-alert-as-shinyhunters-group-claims-experience-cloud-breach

[5] DataBreach.com, "Aura.com 2026 Breach — 921,000 Email Records Exposed via Salesforce Misconfiguration," March 2026. [Online]. Available: https://databreach.com/breach/aura-com-2026

[6] IBM Security, "Cost of a Data Breach Report 2025," IBM, 2025. [Online]. Available: https://www.ibm.com/reports/data-breach

[7] The Hacker News, "Threat Actors Mass-Scan Salesforce Experience Cloud via Modified AuraInspector Tool," March 2026. [Online]. Available: https://thehackernews.com/2026/03/threat-actors-mass-scan-salesforce.html

[8] Salesforce Ben, "ShinyHunters Breach 400 Companies via Salesforce Experience Cloud," March 2026. [Online]. Available: https://www.salesforceben.com/shinyhunters-breach-400-companies-via-salesforce-experience-cloud/

[9] Bleeping Computer, "ShinyHunters Claims Ongoing Salesforce Aura Data Theft Attacks," March 2026. [Online]. Available: https://www.bleepingcomputer.com/news/security/shinyhunters-claims-ongoing-salesforce-aura-data-theft-attacks/

[10] Cyber Insider, "ShinyHunters Claims Hundreds of Victims in New Salesforce Aura Campaign," March 2026. [Online]. Available: https://cyberinsider.com/shinyhunters-claims-hundreds-of-victims-in-new-salesforce-aura-campaign