You can do everything right. Patch your systems, train your people, run the tabletop exercises. And then one of your vendors gets breached and your data walks out through their door.

Three supply chain breach stories dropped this week. Each one is a different flavor of the same ugly problem.

ShinyHunters and Your Salesforce Config

ShinyHunters is back. The same crew behind the Snowflake breach campaign and the Ticketmaster and Santander incidents now claims 300 to 400 organizations compromised through Salesforce Experience Cloud misconfigurations.

This isn’t a Salesforce platform vulnerability. It’s a customer config issue. Overly permissive guest user profiles let unauthenticated queries hit CRM objects through the /s/sfsites/aura API endpoint. ShinyHunters automated the whole thing with a modified version of AuraInspector, originally built by Mandiant for legit security auditing. They even found a way to bypass GraphQL’s 2,000-record query cap by abusing the sortBy parameter.

Among the alleged victims? Companies in the cybersecurity sector. Because misconfiguration doesn’t care about your brand.

If you run Salesforce Experience Cloud, here’s what Salesforce themselves say to do right now:

  • Audit guest user permissions. Strip them to the absolute minimum.
  • Set org-wide defaults to Private for external access.
  • Turn off Portal User Visibility and Site User Visibility.
  • Disable self-registration unless you truly need it.
  • Kill guest access to public APIs.
  • Check your Aura Event Monitoring logs.

Do it this week. Not next sprint.
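For the last item on that list, here is an added detection sketch, not Salesforce tooling and not the real Aura Event Monitoring schema: it reads constructed, simplified access-log lines (timestamp, client IP, user, path, query) and flags guest traffic to the /s/sfsites/aura endpoint, tagging high-volume bursts and the rotating-sortBy paging pattern described above. The log format, sample IPs and thresholds are all assumptions for illustration.

```python
import re
from collections import Counter, defaultdict

AURA_PATH = "/s/sfsites/aura"
# Constructed, simplified log format: timestamp, client IP, user, path, query.
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)(?: (\S*))?$")

# Constructed sample: one unauthenticated client paging the endpoint with rotating
# sortBy values, one guest making a single request, one authenticated user.
SAMPLE_LOG = """\
2025-10-01T10:00:00Z 203.0.113.7 guest /s/sfsites/aura sortBy=Name
2025-10-01T10:00:01Z 203.0.113.7 guest /s/sfsites/aura sortBy=Id
2025-10-01T10:00:02Z 203.0.113.7 guest /s/sfsites/aura sortBy=CreatedDate
2025-10-01T10:00:03Z 203.0.113.7 guest /s/sfsites/aura sortBy=Email
2025-10-01T10:00:04Z 203.0.113.7 guest /s/sfsites/aura sortBy=Phone
2025-10-01T10:05:00Z 198.51.100.2 guest /s/sfsites/aura -
2025-10-01T10:06:00Z 192.0.2.9 alice@example.com /s/sfsites/aura sortBy=Name
"""

def sort_by_value(query):
    """Return the sortBy parameter from a query string, or None when absent."""
    m = re.search(r"(?:^|&)sortBy=([^&]*)", query or "")
    return m.group(1) if m else None

def guest_aura_findings(log_text, burst_threshold=5, distinct_sort_threshold=3):
    """Per-IP findings for guest traffic to the Aura endpoint. Any guest hit is a
    finding once guest API access is meant to be off; 'burst' and 'sort_rotation'
    tag the high-volume paging pattern that cycles through sortBy values."""
    hits, sorts = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the sweep
        _ts, ip, user, path, query = m.groups()
        if user == "guest" and path == AURA_PATH:
            hits[ip] += 1
            sb = sort_by_value(query)
            if sb is not None:
                sorts[ip].add(sb)
    findings = {}
    for ip, n in hits.items():
        tags = ["guest_api_access"]
        if n >= burst_threshold:
            tags.append("burst")
        if len(sorts[ip]) >= distinct_sort_threshold:
            tags.append("sort_rotation")
        findings[ip] = {"requests": n, "distinct_sort_by": len(sorts[ip]), "tags": tags}
    return findings
```

Point it at your real export by mapping your log's fields onto the same five columns; the authenticated user in the sample is deliberately left unflagged so the check only reports guest traffic.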

3.4 Million Patients, 10.5 Months of Silence

TriZetto Provider Solutions, a Cognizant subsidiary, disclosed a breach affecting 3,433,965 people. Names, addresses, dates of birth, Social Security numbers, Medicare IDs, health insurance numbers, provider names, insurer names. That’s basically the worst combination of personal data you can lose in one shot.

Unauthorized access started November 19, 2024. It wasn’t detected until October 2, 2025. That’s nearly a full year of someone sitting in a healthcare web portal and nobody noticing.

And Cognizant’s track record? Maze ransomware in 2020. Scattered Spider social engineering that led to the Clorox breach in 2023, after which Clorox sued them for $380 million, alleging gross negligence. Now this.

If you got a breach notification from TriZetto, the combo of SSN plus Medicare identifiers is serious. Consider a credit freeze. The free monitoring they’re offering is a start, but a freeze is a stronger move.

Ericsson: Short on Details, Long on Pattern

Ericsson’s U.S. subsidiary disclosed a breach from a hacked third-party provider. Employee and customer data exposed. No details on how many people, which vendor, or what data types.

On its own, it’s a thin story. But Ericsson is a critical telecom supplier globally. When a company in that supply chain gets breached through a vendor, the trust chain question gets bigger than one incident.

Same Problem, Three Angles

ShinyHunters exploited a SaaS config error. TriZetto had unauthorized access for nearly a year before anyone caught it. Ericsson lost data because one of their own vendors got popped.

In every case, the victims didn’t necessarily screw up themselves. They trusted a platform, a subsidiary, or a vendor. And that trust was the weak point.

Your security posture is only as strong as the weakest link in the chain of organizations touching your data. Asking vendors to fill out a security questionnaire once a year doesn’t fix that. Demanding real, tested evidence of security maturity is the minimum bar.

The supply chain isn’t some abstract concept. It’s the pile of companies that have your data and whose security practices you’re betting on. This week was a reminder that the bet doesn’t always pay.


Read the full post on gNerdSec