What Happened to Marcus & Millichap
Marcus & Millichap, Inc. (NYSE: MMI), one of the largest US commercial real estate brokerages, was listed on the ShinyHunters leak site on April 12, 2026. The group claimed access to more than 30 million Salesforce records containing personally identifiable information and internal corporate data, and set a final ransom deadline of April 14, 2026 before publishing or selling the data.
The attack followed the now-standard ShinyHunters method: exploit a misconfigured Salesforce environment or OAuth flow, exfiltrate CRM data using Salesforce’s own Data Loader tooling, and extort the victim on threat of publication. No Salesforce product vulnerability was required — the attackers exploited how Marcus & Millichap’s Salesforce tenant was configured.
The Marcus & Millichap incident sits inside a far larger campaign. In March 2026, ShinyHunters had already claimed breaches of McGraw-Hill (45 million records via Salesforce misconfiguration), Rockstar Games, and reportedly Cisco CRM. By the same month, the group claimed 300 to 400 organizations compromised via Salesforce, of which approximately 100 were high-profile.
How ShinyHunters Actually Breaches Salesforce
Drawing from Help Net Security, Mitiga, Varonis, Safestate, and Security Boulevard forensic write-ups, ShinyHunters runs three main attack patterns against Salesforce tenants:
1. Experience Cloud (Aura) Guest User Misconfiguration
Salesforce Experience Cloud sites (formerly Community Cloud) built on the Aura framework allow a “Guest User” profile with default permissions. Misconfigured guest profiles — specifically, the API Enabled permission left on — let any unauthenticated visitor query Salesforce objects via anonymous API calls.
ShinyHunters built and used an open-source tool called AuraInspector to automate this discovery across thousands of Experience Cloud sites. Once a site with overly permissive guest access is found, the tool enumerates accessible objects and pulls records.
2. OAuth Device Flow Abuse via Vishing
For tenants without exposed guest profiles, the group pivots to social engineering. The OAuth Device Flow is designed for devices without browsers (smart TVs, CLI tools) — a victim visits a verification URL, enters a short code, and authorizes the app.
ShinyHunters abuses this by:
- Running Salesforce Data Loader locally, configured to initiate OAuth Device Flow.
- Generating the 8-character verification code.
- Placing a vishing call to an English-speaking Salesforce admin, impersonating IT support or a vendor.
- Directing the victim to Salesforce’s verification URL and dictating the code.
- Receiving, once the victim approves, the access token that Salesforce issues to the attacker’s Data Loader instance.
- Exfiltrating CRM data silently in small, paced chunks to avoid triggering anomaly detection.
3. OAuth-Connected App Abuse (Salesloft / UNC6040)
ShinyHunters and the adjacent cluster UNC6040 (per Mitiga) compromised third-party apps connected to Salesforce via OAuth — notably Salesloft — and used those persistent tokens to query Salesforce tenants downstream.
Why Detection Lags
The Salesforce API Enabled permission is visible in every tenant’s admin console. OAuth-connected apps appear in every Connected App audit list. Yet breach after breach lands on ShinyHunters’ leak site because:
- OAuth token abuse is invisible to legacy SIEMs. The 2026 CISO Report found 84.8% of CISOs consider their security tools inadequate for detecting OAuth token or API key abuse.
- SaaS security tooling is fragmented. CASBs, SSPM, and SaaS-native logs rarely correlate into a single timeline.
- Social engineering defeats controls. A vishing call convinces a legitimate admin to authorize the attacker. Every IAM control downstream then behaves “correctly.”
- Data Loader is a legitimate tool. Exfiltration looks like a normal integration job.
The SaaS Lockdown Playbook
Consolidated from Varonis, Help Net Security, Apex Hours, and vendor guidance from Salesforce itself, prioritized for immediate action:
Immediate (this week)
- Disable “API Enabled” in Guest User Profile on every Experience Cloud site. Setup → Guest User Profile → System Permissions → uncheck. This is the single most impactful control against AuraInspector-style attacks.
- Audit all Connected Apps with OAuth access. Setup → Apps → Connected Apps OAuth Usage. Revoke any unrecognized or dormant apps. Re-authorize only the ones you actively need.
- Enforce Salesforce API Access Control. Restrict which users and which IP ranges can call Salesforce APIs. Production admin access should be IP-allowlisted to corporate ranges and VPN.
30-Day
- Rotate and shorten OAuth token lifetimes. Reduce refresh token TTL to the minimum your integrations tolerate. Force re-auth on suspicious sessions.
- Enforce phishing-resistant MFA for all Salesforce admins. FIDO2 hardware keys, not SMS. Vishing attacks depend on talking a target through a code; FIDO2 requires the attacker to possess the physical key.
- Deploy SaaS Security Posture Management (SSPM). Tools like AppOmni, Obsidian, Grip, or Wing Security continuously audit Salesforce configuration and flag drift.
- Integrate Salesforce Event Monitoring into your SIEM. Watch for unusual Data Loader runs, bulk API pulls, and off-hours API activity.
Strategic (90-day+)
- Build a SaaS incident response runbook. SaaS IR differs from on-prem IR: no endpoint to isolate, logs held by the vendor, and the victim cannot “pull the network cable.” Rehearse token revocation, bulk session kill, and vendor escalation paths.
- Train against vishing. Red-team exercises that simulate a Salesforce admin vishing call, with the admin being the blue-team target. Measure who approves the fake OAuth request.
- Consolidate SaaS identity under SSO with strict conditional access. Salesforce, HubSpot, Workday, ServiceNow — every SaaS behind the same identity provider with device posture, geolocation, and step-up authentication rules.
What This Means Globally
ShinyHunters’ Salesforce campaign is the most instructive cyber incident of 2025-2026 because it attacks the operational reality of modern enterprises: CRM is the source of truth for customer data, and SaaS security is still treated as the vendor’s problem. It is not. Configuration, identity, and OAuth governance are the customer’s responsibility.
Every enterprise running Salesforce — and by extension every large SaaS tenant — has the same exposure surface. The Marcus & Millichap case will not be the last. Organizations that invest now in SSPM, FIDO2, and SaaS IR rehearsal will be on the shortlist of those that avoid the leak site in 2027.
Frequently Asked Questions
Did ShinyHunters exploit a Salesforce product vulnerability?
No. Every public incident traces to customer-side configuration (Guest User permissions), social engineering (OAuth Device Flow vishing), or third-party connected app compromise (Salesloft-style supply chain). Salesforce has patched Aura-related issues, but the exploitable pattern is permissive defaults that customers keep in place. This is a shared-responsibility-model failure.
How should enterprises detect an active ShinyHunters-style intrusion?
Monitor Salesforce Event Monitoring for: unusual bulk API reads, Data Loader sessions from unexpected IPs, new OAuth app authorizations, and off-hours admin activity. Integrate these into your SIEM with playbooks that automatically revoke tokens and lock sessions. Without Event Monitoring, detection is near-impossible.
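The signals listed above and in the 30-day item on Event Monitoring can be expressed as concrete rules. The following is an added example, not code from the article or from Salesforce: it runs three detections (a 24-hour sliding sum of rows read per user, which catches paced small-chunk pulls that never trip a per-call limit; Data Loader client names from outside a corporate range; admin activity in off-hours) over a constructed sample. The column names, the admin user ids, the IP range and the thresholds are assumptions.

```python
# Added example (not from the article or Salesforce): detection rules over a constructed
# Event Monitoring sample; column names assume the EventLogFile API event type, verify them.
import csv, io, ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

CORP_NET = ipaddress.ip_network("203.0.113.0/24")   # placeholder corporate/VPN range
ADMINS = {"005A"}                                    # constructed admin user ids
BULK_ROWS_24H = 30_000                               # assumed per-user 24h read threshold
OFF_HOURS = range(0, 6)                              # assumed quiet window, UTC hours 0-5
# Constructed sample: 10k-row Contact pulls paced 40 minutes apart from an outside IP
# (no single call looks large), plus one admin Setup call at 03:00 UTC.
SAMPLE = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_IP,CLIENT_NAME,ROWS_PROCESSED,ENTITY_NAME
API,2026-04-10T09:00:00Z,005B,198.51.100.7,DataLoaderPartnerUI/60.0,10000,Contact
API,2026-04-10T09:40:00Z,005B,198.51.100.7,DataLoaderPartnerUI/60.0,10000,Contact
API,2026-04-10T10:20:00Z,005B,198.51.100.7,DataLoaderPartnerUI/60.0,10000,Contact
API,2026-04-10T14:00:00Z,005C,203.0.113.20,SalesforceIntegration/60.0,200,Opportunity
API,2026-04-11T03:00:00Z,005A,203.0.113.9,Salesforce Setup/60.0,1,Profile
"""

def parse(text):
    rows = list(csv.DictReader(io.StringIO(text)))
    for r in rows:  # type the two fields the rules compute on
        r["ts"] = datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        r["rows"] = int(r["ROWS_PROCESSED"] or 0)
    return rows

def detect(rows):
    """Return sorted (rule, user_id) alerts; each rule fires at most once per user."""
    alerts, by_user = set(), defaultdict(list)
    for r in rows:
        uid = r["USER_ID"]
        by_user[uid].append(r)
        if "DataLoader" in r["CLIENT_NAME"] and ipaddress.ip_address(r["CLIENT_IP"]) not in CORP_NET:
            alerts.add(("dataloader_outside_allowlist", uid))
        if uid in ADMINS and r["ts"].hour in OFF_HOURS:
            alerts.add(("admin_off_hours", uid))
    for uid, evs in by_user.items():  # 24h sliding sum catches paced small chunks
        evs.sort(key=lambda e: e["ts"])
        start, total = 0, 0
        for e in evs:
            total += e["rows"]
            while e["ts"] - evs[start]["ts"] > timedelta(hours=24):
                total -= evs[start]["rows"]
                start += 1
            if total >= BULK_ROWS_24H:
                alerts.add(("bulk_read_24h", uid))
                break
    return sorted(alerts)
```

Feed `detect(parse(...))` the CSV body of a downloaded EventLogFile and route the returned tuples to the SIEM playbook that revokes the user's tokens and sessions.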
Does paying the ransom prevent the data from being leaked?
Historical evidence across ShinyHunters victims suggests paying does not reliably prevent leaks, and can fund further campaigns. The FBI and most national CERTs advise against payment. Organizations should plan for the public-disclosure scenario regardless of the payment decision: customer notification, regulatory filings, and reputational response should be rehearsed.
Sources & Further Reading
- Cisco CRM “Salesforce Data Breach” Claims Tied to ShinyHunters — Security Boulevard
- ShinyHunters Target Marcus & Millichap in Major Ransomware Attack — DeXpose
- ShinyHunters claims new campaign targeting Salesforce Experience Cloud sites — Help Net Security
- ShinyHunters and UNC6395: Inside the Salesforce and Salesloft Breaches — Mitiga
- What Salesforce Organizations Need to Know About ShinyHunters and Vishing — Varonis
- McGraw-Hill Salesforce Data Breach 2026 Analysis — Rescana