
Salesforce confirms ShinyHunters exploited Experience Cloud sites

Salesforce office building in Singapore City. Salesforce Inc is an American Fortune 500 listed, cloud-based software company.

Salesforce confirmed March 10 that an ongoing campaign exploiting organizations running publicly accessible or misconfigured Salesforce Experience Cloud sites was done by the ShinyHunters cybercrime group.

In its original March 7 post on the case, Salesforce did not identify the actor, but it was adamant that the incident stemmed from a misconfiguration, not from an exploited vulnerability in its platform.

“Our investigation to date confirms that this activity relates to a customer-configured guest user setting, not a platform security flaw,” the Salesforce blog said. “We are publishing this guidance to help our customers assess and take appropriate action to secure their environment.”

Amir Khayat, co-founder and CEO of Vorlon, pointed out that the Experience Cloud misconfiguration affected hundreds of companies, and that extortion demands are already well in motion.

“Salesforce has been consistent on the point that this isn't a platform vulnerability, and they're right,” said Khayat. “What attackers found is that a large number of customer-configured Experience Cloud sites had guest user permissions set too broadly, then built tooling specifically to scan for and exploit that at scale across hundreds of organizations simultaneously.”

Denis Calderone, CTO and Principal at Suzu Labs, added that ShinyHunters have been systematically targeting Salesforce instances since mid-2025, and this incident represents the next evolution.

Calderone said that last time, the attackers vished their way into Okta SSO credentials and exploited third-party integrations like Gainsight. Since then, Calderone said, they've gone even more direct, using a weaponized version of the Mandiant-developed Aura Inspector tool to mass-scan Experience Cloud sites for misconfigured guest user permissions.

“They don't even need credentials for this one,” said Calderone. “If the guest user profile has excessive permissions on the /s/sfsites/aura endpoint, they're already in. What makes this frustrating is that Salesforce is right: this isn't a platform vulnerability. It's a configuration problem. But calling it a customer misconfiguration doesn't change the fact that hundreds of organizations apparently got it wrong.”

Louis Eichenbaum, Federal CTO at Color Tokens, added that the core issue revolves around SaaS configuration risk. Public portals designed for customer or partner access can inadvertently expose internal data when guest permissions, sharing rules, or API access are misconfigured, said Eichenbaum.

“Attackers are exploiting these weaknesses at scale,” said Eichenbaum. “Organizations should lock down this access and only open it if necessary. Companies must treat SaaS platforms as part of their broader security architecture and apply zero-trust principles, phishing-resistant multi-factor identity controls, and continuous configuration monitoring to prevent data exposure.”

Salesforce offered these tips to security teams:

  • Audit all Experience Cloud guest user profiles and strip permissions down to absolute minimum.
  • Disable public API access for guest users.
  • Check Aura event monitoring logs for unusual query volumes or access to objects that shouldn't be public.
  • Assume that the company’s been scanned. The threat actors aren’t picking targets carefully here, they're running automated tooling against everything they can find.
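As an added illustration of the third tip (not code from the article, Salesforce or any of the quoted vendors), the check below runs over constructed, simplified event records and flags two things: guest requests to the Aura endpoint that touch objects outside an allow-list, and any source whose guest request volume exceeds a threshold within a time window. The record layout, the allow-list and the thresholds are assumptions, not Salesforce's actual Event Monitoring schema.

```python
from datetime import datetime, timedelta

# Constructed sample records: (timestamp, user_type, uri, object, source_ip).
# The layout is an assumption for illustration, not Salesforce's real log schema.
SAMPLE_EVENTS = [
    ("2026-03-07T10:00:00", "Guest", "/s/sfsites/aura", "Knowledge__kav", "198.51.100.7"),
    ("2026-03-07T10:00:02", "Guest", "/s/sfsites/aura", "Contact", "203.0.113.5"),
    ("2026-03-07T10:00:03", "Guest", "/s/sfsites/aura", "User", "203.0.113.5"),
    ("2026-03-07T10:05:00", "Standard", "/s/sfsites/aura", "Contact", "192.0.2.10"),
] + [
    # One source hammering the endpoint: 60 guest requests inside one minute.
    (f"2026-03-07T10:01:{i:02d}", "Guest", "/s/sfsites/aura", "Knowledge__kav", "203.0.113.5")
    for i in range(60)
]

# Objects this (hypothetical) site intends to expose to guest users.
PUBLIC_OBJECTS = {"Knowledge__kav", "Case"}


def detect_guest_abuse(events, public_objects=PUBLIC_OBJECTS,
                       window=timedelta(minutes=5), max_requests=50):
    """Return findings as (kind, source_ip, detail) tuples.

    kind is "non_public_object" when a guest request touched an object that
    is not on the allow-list, or "high_volume" when one source made more than
    max_requests guest requests to the Aura endpoint within any single window.
    """
    findings = []
    per_source = {}
    for ts, user_type, uri, obj, ip in events:
        if user_type != "Guest" or not uri.startswith("/s/sfsites/aura"):
            continue  # only guest traffic to the Aura endpoint is in scope
        if obj not in public_objects:
            findings.append(("non_public_object", ip, obj))
        per_source.setdefault(ip, []).append(datetime.fromisoformat(ts))
    for ip, times in per_source.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_requests:
            findings.append(("high_volume", ip, peak))
    return findings


if __name__ == "__main__":
    for finding in detect_guest_abuse(SAMPLE_EVENTS):
        print(finding)
```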
