2026-03-11

Salesforce has warned users of an uptick in threat actor activity targeting Experience Cloud customers who have accidentally enabled overly permissive guest user configurations.

Salesforce stressed that the attacks were not the result of any known flaws in its product but rather the result of misconfigurations during the setup process.

Exploitation of these misconfigurations appears to be the work of the ShinyHunters operation which, along with a loosely affiliated network of hackers, caused chaos during the summer of 2025 in a social engineering campaign. Its prior activity used voice phishing calls to target Salesforce clients’ Data Loader application, which is used for bulk movement of data records.

In a statement posted at the weekend, Salesforce said: “Our Cyber Security Operations Center [CSOC] has been monitoring a campaign by a known threat actor group. Evidence indicates the threat actor is leveraging a modified version of the open source tool Aura Inspector – originally developed by Mandiant – to perform mass scanning of public-facing Experience Cloud sites.

“While the original Aura Inspector is limited to identifying vulnerable objects by probing API endpoints that these sites expose, specifically the /s/sfsites/aura endpoint, the actor has developed a custom version of the tool capable of going beyond identification to actually extract data – exploiting overly permissive guest user settings.”

The Salesforce team explained that on a publicly accessible Experience Cloud site, all visitors share a single guest user profile, which typically lets them view only data that could reasonably be made public to an unauthenticated user.

The issue arises if these profiles are configured with enhanced privileges enabling a visitor – or cyber criminal – to directly query Salesforce CRM objects without having logged in. This setup is ill-advised and runs contrary to Salesforce’s suggested configuration guidance.
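As an added example (not code from Salesforce or from the article), the least-privilege check a practitioner would run for this misconfiguration: a SOQL query over Salesforce's standard ObjectPermissions and Profile objects listing every CRM object grant held by a guest profile, followed by triage logic that flags grants an unauthenticated visitor should not have. The allowlist is a hypothetical policy and the result rows are constructed, not real org data.

```python
"""Audit Experience Cloud guest user profiles for over-permissive CRM object access.

Step 1 is the SOQL below (run in Developer Console or the sf CLI); it lists every
object permission granted to a profile of UserType 'Guest'. Step 2, triage(), flags
the grants that contradict least privilege for an unauthenticated visitor.
SAMPLE_ROWS is constructed to mimic the query result shape; it is not real data.
"""

AUDIT_SOQL = """
SELECT Parent.Profile.Name, SobjectType, PermissionsRead, PermissionsViewAllRecords,
       PermissionsCreate, PermissionsEdit, PermissionsDelete
FROM ObjectPermissions
WHERE Parent.IsOwnedByProfile = true AND Parent.Profile.UserType = 'Guest'
"""

# Hypothetical policy: the only objects a guest may read (e.g. public knowledge articles).
PUBLIC_READ_ALLOWLIST = {"Knowledge__kav"}

SAMPLE_ROWS = [  # constructed sample result, one row per (profile, object) grant
    {"Parent": {"Profile": {"Name": "Help Site Guest User"}}, "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Help Site Guest User"}}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True, "PermissionsCreate": False,
     "PermissionsEdit": False, "PermissionsDelete": False},
    {"Parent": {"Profile": {"Name": "Portal Guest User"}}, "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": False, "PermissionsCreate": True,
     "PermissionsEdit": True, "PermissionsDelete": False},
]


def triage(rows, allowlist=PUBLIC_READ_ALLOWLIST):
    """Return (profile, object, reason) for each grant that exceeds least privilege."""
    findings = []
    for r in rows:
        profile, obj = r["Parent"]["Profile"]["Name"], r["SobjectType"]
        if r["PermissionsRead"] and obj not in allowlist:
            findings.append((profile, obj, "read on non-public object"))
        if r["PermissionsViewAllRecords"]:
            findings.append((profile, obj, "View All Records bypasses sharing rules"))
        for perm in ("Create", "Edit", "Delete"):  # write access has no place on a guest profile
            if r[f"Permissions{perm}"]:
                findings.append((profile, obj, f"{perm.lower()} granted to unauthenticated guest"))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ROWS):
        print(*finding, sep=" | ")
```

Anything triage() reports for a live org is a grant to review against the sharing settings and the site's actual public content, since the Knowledge-only allowlist is a starting point, not a Salesforce default.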

Mandiant confirmed it was aware of the issue and has said it is actively working with Salesforce.

Salesforce did not name ShinyHunters directly; rather, the group itself claimed, via The Register, that it had hit almost 400 websites and 100 tech companies, including the likes of AMD, LastPass, Okta, Snowflake and Sony, over a period of several months.

KnowBe4 lead CISO adviser Javvad Malik commented: “This is another case of simple misconfigurations wreaking havoc across organisations. We’ve seen many minor misconfigurations in cloud environments which cause data to be exposed.

“It is why a strong security culture across organisations is important, so that everyone plays their part in keeping data secure, especially when it comes to cloud services which many people often assume to be secure. All settings need to be regularly reviewed, ensuring the principle of least privilege is adhered to, and robust monitoring and alerting are put in place.”