Threat actors are exploiting misconfigured Salesforce Experience Cloud guest user settings to steal sensitive customer data. Salesforce states this is due to customer configuration errors, not a vulnerability in its platform. The attackers use a modified tool to scan and extract data from publicly accessible sites with overly permissive profiles. Salesforce has provided recommendations for customers to audit and secure their configurations. The article also notes a recent increase in prominent threat campaigns targeting Salesforce instances due to the valuable data they hold.
'Overly Permissive' Salesforce Cloud Configs in the Crosshairs
Some customers have mishandled guest user configurations otherwise intended to allow third-party access to important — and sensitive — client data.
Threat actors are exploiting "customers' overly permissive" Salesforce Experience Cloud guest user configurations to steal sensitive data, Salesforce Security said in a March 7 blog post.
Salesforce said this issue is unrelated to a vulnerability inherent to its platform and that Salesforce remains secure. "Our investigation to date confirms that this activity relates to a customer-configured guest user setting," the blog post read.
Salesforce instances have faced a wide range of campaigns over the past year or so. Most prominently, financially motivated threat groups including ShinyHunters targeted Salesforce instances through social engineering attacks that began last summer. Federal law enforcement ultimately shuttered a dedicated extortion site tied to the campaign, but even then, attacks apparently continued.
In a second distinct threat campaign last year, an actor known as Scattered Lapsus$ Hunters (supposedly combining Scattered Spider, Lapsus$, and ShinyHunters) reportedly stole a wide range of data belonging to dozens of Salesforce customers before using it to extort them. And these campaigns were separate from the Salesloft Drift supply chain attack from the summer of 2025.
In order to address the issue laid out in Salesforce's blog post, the CRM giant made multiple recommendations for customers to check for and protect themselves against compromise.
Attackers Steal Salesforce Customer Data
In its blog post, Salesforce says an unidentified "known threat actor group" has been leveraging a modified version of the open-source tool Aura Inspector to mass scan public-facing Experience Cloud sites. While Aura Inspector originally only identified vulnerable objects through probing API endpoints that sites expose, "the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings," the vendor noted.
"In a publicly accessible Salesforce Experience site, anonymous visitors share a 'guest user profile.' Typically this is used to allow an unauthenticated user access to view data that is expected to be made publicly available," Salesforce explained. "However, if this profile is misconfigured with excessive permissions, data that is not intended to be made public may be accessible, allowing a threat actor to directly query Salesforce CRM objects without logging in."
Salesforce declined to share any threat actor attribution with Dark Reading, though ShinyHunters apparently has taken credit for some attacks.
Experience Cloud customers are considered "at risk" if they are using the guest user profile and have configured permissions to allow public access to objects and fields not intended to be available according to Salesforce's recommended configuration guidance. Follow-on activity has consisted of targeted social engineering (including voice phishing) attacks, which is in line with ShinyHunters' MO.
Due to the risk posed by this campaign, Salesforce urged Experience Cloud customers to audit guest user configurations, set company-wide defaults to "private," disable public APIs, restrict visibility, disable self-registration if not required, regularly review event monitoring logs, and add a security contact. Instructions for all these recommendations are in the blog.
More Threats Against Salesforce Instances
Because CRMs inherently hold valuable data and because of Salesforce's dominance in that sector, it's no surprise that threat actors are targeting Salesforce customers. However, it is notable that so many prominent campaigns have taken root in so short a time.
Louis Eichenbaum, federal chief technology officer (CTO) at microsegmentation security vendor ColorTokens, tells Dark Reading that these attacks are increasing because attackers have identified that "they are easy [to conduct] and Salesforce stores a very large amount of sensitive data."
He adds that when organizations enable Experience Cloud, the platform automatically creates a guest user profile, which allows unauthenticated users to access the site. "I would recommend that Salesforce disable the automatic creation of guest user profiles and let organizations decide if they want to create a guest account," Eichanbaum says.
Trey Ford, chief security and trust officer at Bugcrowd, explains that platform ecosystems are hard to secure because they're compromised through exploiting trust relationships and poorly managed credentials, particularly via third-party integrations and non-human identities (NHI).
"Over the last five to 10 years we've seen a number of SaaS security startups specifically aimed at permissions for human and NHI accounts, the scope of permissions applied, and the age and usage of those credentials," Ford says. "Companies need to review those integrations and account access patterns, and take steps to harden their usage, apply IP integration limits where possible, and use the latest reference patterns for authentication and authorization for their integrations."
Meridiano
