< ciso
brief />
Tag Banner

All news with #salesforce tag

86 articles

Klue OAuth breach expands as Icarus claims attack

๐Ÿ”’ Klue confirmed an incident on June 12 in which attackers used a compromised legacy credential to obtain OAuth tokens connecting Klue to third-party platforms, including Salesforce. The company says customer content stored in Klue was not impacted and that the breach was limited to integrations; affected credentials and tokens were revoked and CrowdStrike engaged. Cybersecurity firms ReliaQuest and Huntress reported extensive Salesforce data exfiltration, and the Icarus extortion group has publicly claimed responsibility.
read more โ†’

Salesforce disables Klue app after OAuth breach

๐Ÿ”’ Salesforce has disabled the Klue Battlecards app integration after unusual activity tied to a Klue security incident on June 11, 2026, which may have allowed unauthorized access to some customer data. Klue says attackers used a compromised legacy credential to obtain OAuth tokens and access connected third-party platforms, while Salesforce emphasizes the issue stemmed from the app connection and not its platform. Klue and customers like Huntress are investigating, revoking tokens, and remediating impacts.
read more โ†’

Infinite Campus Salesforce Breach Exposes Staff Data

๐Ÿ”’ Infinite Campus disclosed a Salesforce data theft in March that exposed personal information for school staff across its Kโ€‘12 customer base. The attacker, linked to groups known for targeting Salesforce instances, allegedly leaked a 1.2GB archive. Have I Been Pwned found data from 137,100 accounts, including names, emails, job titles and contact details. Infinite Campus said most exposed items appear to be directory information commonly published by schools.
read more โ†’

Charter Communications breach exposes 4.9M accounts

๐Ÿ”’ The ShinyHunters extortion gang claims to have stolen personal details from 4.9 million Charter Communications accounts after a vishing attack in early April that compromised an employee's Microsoft Entra account. Charter confirmed the incident but says no sensitive PII or CPNI was exfiltrated, while Have I Been Pwned verified leaked records containing names, emails, addresses, phone numbers and some job titles. The group published stolen Salesforce data after a ransom was refused.
read more โ†’

Charter Confirms Breach After ShinyHunters Extortion

๐Ÿ”’ Charter Communications confirmed a data breach after the ShinyHunters extortion group claimed to have stolen millions of customer records. The company says it is notifying authorities and maintains that No sensitive personal information (PI) or CPNI was exfiltrated. ShinyHunters alleges the intrusion began via a vishing attack that compromised an employee's Microsoft Entra account and allowed access to Salesforce data.
read more โ†’

7โ€‘Eleven Breach Exposes Personal Data of 185K

๐Ÿ” 7โ€‘Eleven disclosed that an unauthorized party accessed franchisee document systems on April 8, 2026, resulting in a data theft. Have I Been Pwned analyzed the leaked files and found 185,300 unique email addresses and accompanying personal details, including names, dates of birth, phone numbers, and physical addresses. The ShinyHunters extortion gang claimed responsibility after publishing a large archive they said came from 7โ€‘Eleven's Salesforce environment.
read more โ†’

7-Eleven Confirms Data Breach Claimed by ShinyHunters

๐Ÿ”’ 7-Eleven disclosed that an unauthorized party accessed systems used to store franchisee documents on April 8, 2026, and began notifying affected individuals on May 1. The company has not provided details on the number of affected people or specific data types exposed. The extortion group ShinyHunters claimed responsibility on April 17, alleging the theft of over 600,000 records from the company's Salesforce environment and later leaking a 9.4GB archive after ransom talks failed. 7-Eleven said it launched an investigation but has not commented further.
read more โ†’

ADT Breach: ShinyHunters Exposes 5.5M Records, Partial IDs

๐Ÿ”’ ShinyHunters stole personal data for about 5.5 million ADT customers and posted an 11GB archive on a dark web leak site after a failed extortion. ADT says it detected the intrusion on April 20 and that accessed information was largely limited to names, phone numbers, and addresses, with a small number of records including DOBs and last-four SSNs/Tax IDs. The group claims the attack began with a vishing compromise of an employee's Okta SSO account that enabled theft from the company's Salesforce instance; ADT reports no payment data or customer security systems were affected.
read more โ†’

ADT Confirms Customer Data Breach After ShinyHunters Threat

๐Ÿ”’ ADT confirmed unauthorized access to customer and prospective customer data detected on April 20, saying it terminated the intrusion and opened an investigation. The company reported that stolen information was limited to names, phone numbers, and addresses, with a small subset including dates of birth and the last four digits of SSNs or Tax IDs. ADT emphasized no payment data or customer security systems were affected. ShinyHunters claims over 10 million records were taken after a vishing attack that allegedly compromised an employeeโ€™s Okta SSO and accessed Salesforce data.
read more โ†’

Copilot and Agentforce Vulnerable to Prompt Injection

๐Ÿ” Capsule Security researchers discovered prompt-injection flaws in Microsoft Copilot Studio and Salesforce Agentforce that allow attackers to inject malicious instructions via standard input fields. In Copilot, a crafted payload in a SharePoint form field can overwrite agent instructions and exfiltrate SharePoint data; Microsoft has released a patch (CVE-2026-21520). In Agentforce, attackers can embed directives in public lead forms that an agent with email or query capabilities may execute, enabling broad CRM data leakage.
read more โ†’

McGraw Hill Salesforce Misconfiguration Exposes 13.5M Accounts

๐Ÿ”’ The ShinyHunters extortion group has published data tied to 13.5 million McGraw Hill user accounts after exploiting a misconfiguration in a Salesforce-hosted webpage. McGraw Hill confirmed unauthorized access to a limited set of data and said its internal systems, courseware and customer databases were not affected. Leaked files โ€” over 100GB by Have I Been Pwned โ€” contain names, email addresses, phone numbers and physical addresses that could be used for targeted spearโ€‘phishing.
read more โ†’

Prompt-Injection Flaws in Copilot Studio and Agentforce

โš ๏ธ Security researchers at Capsule Security disclosed prompt-injection vulnerabilities in Microsoft Copilot Studio and Salesforce Agentforce that let attackers embed malicious instructions in public form fields. Crafted inputs submitted via SharePoint or lead forms can override agent instructions and trigger data exfiltration to attacker-controlled endpoints. Microsoft patched the SharePoint-related issue (CVE-2026-21520) with a 7.5 CVSS score; Salesforce acknowledged the problem but described the vector as configuration-specific. Researchers warn that treating external inputs as trusted undermines autonomous agent security and urge input validation, least-privilege, and stricter outbound controls.
read more โ†’

McGraw-Hill Confirms Limited Data Exposure via Salesforce

๐Ÿ”’ McGraw-Hill says unauthorized actors accessed a limited set of data hosted on a Salesforce webpage after a platform misconfiguration. The company emphasized this did not involve unauthorized entry to its Salesforce accounts, customer databases, courseware, or internal systems, and that exposed information was non-sensitive. McGraw-Hill secured the pages, engaged external cybersecurity experts, and is working with Salesforce to strengthen protections amid an extortion claim by ShinyHunters.
read more โ†’

Infinite Campus Warns of Salesforce Breach, Extortion

๐Ÿ”’ Infinite Campus warned customers of a data breach following an extortion claim from a threat actor who said they accessed an employee's Salesforce account. The company says the exposed information appears to be primarily public directory data for school staff and that no customer databases were accessed. Infinite Campus declined to engage with the attacker and has disabled certain customer-facing services while scanning potentially affected records and notifying impacted districts.
read more โ†’

Nordstrom Email System Used to Send Cryptocurrency Scams

๐Ÿ“ง Customers of upscale retailer Nordstrom received fraudulent emails sent from a legitimate nordstrom@eml.nordstrom.com address that promoted a cryptocurrency doubling scheme disguised as a St Patrick's Day promotion. The messages used official-looking images and branding and pressured recipients with a two-hour deadline. A source told BleepingComputer the incident likely involved an Okta SSO compromise leading to abuse of Salesforce Experience Cloud. Nordstrom warned the messages were unauthorized and advised customers not to send funds.
read more โ†’

Overly Permissive Guest Settings Threaten Salesforce Data

โš ๏ธ Salesforce is urging customers to review Experience Cloud guest configurations after a reported campaign tied to the cybercrime group ShinyHunters that claims breaches of hundreds of organizations. Attackers are exploiting overly permissive guest user settings and a modified version of the open-source Aura Inspector to scan the /s/sfsites/aura endpoint and extract data. Salesforce recommends auditing guest profiles, disabling public API access for guest users, restricting object visibility, and enforcing least-privilege.
read more โ†’

ShinyHunters Harvests Data from Hundreds of Public Sites

๐Ÿ”’ Salesforce has urged Experience Cloud customers to audit configurations after the ShinyHunters group reportedly stole data from hundreds of sites by exploiting overly permissive guest user settings. Attackers used a customized fork of the open-source Aura Inspector to mass-scan the /s/sfsites/aura API endpoint, identify exposed CRM objects and extract contact details. Salesforce stressed this is a customer configuration issue, not a platform vulnerability, and recommended immediate audits and permission tightening.
read more โ†’

Threat Actors Mass-Scan Salesforce Experience Cloud Sites

๐Ÿ”Salesforce has warned that a threat actor is using a customized version of the open-source tool AuraInspector to mass-scan publicly accessible Experience Cloud sites and exploit overly permissive guest user configurations. The modified tool can both identify vulnerable API endpoints and extract data from misconfigured environments without authentication. Salesforce says the activity targets customer configuration weaknesses rather than a platform flaw and urges customers to review guest user settings and follow recommended configuration guidance.
read more โ†’

ShinyHunters Claims Ongoing Salesforce Aura Data Theft

๐Ÿ”’ Salesforce warns customers that attackers are targeting misconfigured Experience Cloud sites by abusing the /s/sfsites/aura API, allowing guest users to access more data than intended. Threat actors have used a modified AuraInspector scanner and bespoke exfiltration tools; the extortion group ShinyHunters claims responsibility and reports hundreds of compromises. Salesforce stresses this stems from customer guestโ€‘user settings, not a platform vulnerability, and provides immediate mitigation guidance.
read more โ†’

Python libraries for Hugging Face models enable RCE

โš ๏ธ Researchers at Palo Alto Networks' Unit 42 disclosed critical weaknesses in the NeMo, Uni2TS and FlexTok Python libraries used with Hugging Face models, where malicious code can be hidden in model metadata and executed automatically when a manipulated file is loaded. The root cause is the use of Hydra's instantiate(), which accepts arbitrary callables and arguments and can therefore permit remote code execution if metadata is untrusted. Vendors including NVIDIA, Salesforce and the maintainers of FlexTok have issued fixes and CVE assignments; users should upgrade affected libraries and audit models before loading.
read more โ†’