Salesforce is urging its customers to review their Experience Cloud ‘guest’ configurations as cybercrime group ShinyHunters claims a new campaign involving data theft and extortion tied to exposed Salesforce environments.

The group recently posted screenshots on its leak site claiming breaches of “several hundreds” of organizations, including around 400 websites and roughly 100 “high profile companies.” The claims come amid a broader campaign targeting Salesforce deployments through misconfigured public-facing portals, rather than vulnerabilities in the platform itself.

In a new blog post, Salesforce warned that attackers are exploiting overly permissive guest user settings in Experience Cloud environments to harvest data that organizations never intended to expose. “Our Cyber Security Operations Center (CSOC) has been monitoring a campaign by a known threat actor group,” the company said without identifying the actor. “Evidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites.”

The ShinyHunters post, which came hours after the Salesforce warning, called the new campaign “Salesforce Aura Campaign.”

The warning lands against a backdrop of earlier incidents attributed to ShinyHunters, which, since mid-2025, has targeted Salesforce instances through phishing, social engineering, and abuse of integrations. In some cases, these attacks led to millions of records being compromised.

Overly permissive guest access

The warning concerns the Salesforce Experience Cloud platform used by organizations to build public portals for customers, partners, and communities. These sites rely on a shared “guest user profile” that allows unauthenticated visitors to view certain information.

When configured correctly, that profile exposes only the minimal data required for the site to function. But if permissions are too broad, attackers can directly query the back-end CRM objects, effectively pulling data without needing credentials.

According to Salesforce, threat actors are automating this process using a modified version of Mandiant’s open-source AuraInspector tool, which probes the “/s/sfsites/aura” API endpoint exposed by Experience Cloud sites. In the attacker-altered form, the tool moves beyond detection and actively extracts accessible data.

Jason Soroko, senior fellow at Sectigo, described the approach as the “path of least resistance” for attackers. Rather than engineering sophisticated exploits, he said, threat actors increasingly target configuration gaps where “a single overly permissive guest setting leaves the data accessible to anyone who asks.”

According to the advisory, the campaign specifically targets environments where three conditions exist: guest profiles have excessive object or field permissions, organization-wide default access for external users is not set to private, and guest users are allowed to access public APIs. Together, these conditions allow attackers to query data through Experience Cloud guest profiles.

Why Salesforce environments make tempting targets

Salesforce deployments are particularly attractive because of the sensitive data they hold and the complexity of their access models.

“Salesforce instances often contain highly sensitive customer data, including credentials and secrets that can be used for lateral movement,” said Vincenzo Iozzo, CEO and cofounder of SlashID. At the same time, he added, the platform’s layered permissions architecture, including profiles, permission sets, sharing rules, and integrations, is not very well understood and can make accidental overexposure easy.

The attack surface expands further when organizations connect Salesforce with third-party applications and APIs. “Trust relationships, and long-lived and poorly monitored credentials grant access to treasure troves of systems and data,” said Trey Ford, chief strategy and trust officer at Bugcrowd. Once attackers compromise a trusted integration, he noted, it can create cascading risk across the entire ecosystem.

Salesforce’s guidance focuses on tightening the relevant configuration controls. Recommended steps include auditing guest user permissions, disabling public API access where possible, restricting object visibility, and enforcing least-privilege access.
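As an added illustration of the audit the advisory's three conditions and the recommended steps above call for (example code, not Salesforce's or the article's), the script below evaluates exported guest-profile object permissions and external org-wide defaults (OWD) offline. It assumes the two SOQL queries shown are run with the Salesforce CLI (`sf data query --json`) and their records fed in; the public-API setting is read from Setup by hand and passed as a flag; the sample records and the high-risk object list are constructed.

```python
from collections import namedtuple

# Assumed SOQL used to export the input (standard objects; verify in your org).
GUEST_PERMS_SOQL = ("SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
                    "PermissionsCreate, PermissionsEdit, PermissionsDelete "
                    "FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'")
EXTERNAL_OWD_SOQL = "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition"
# External OWD values that let guest users read records they do not own.
OPEN_EXTERNAL_MODELS = {"Read", "ReadWrite", "ReadWriteTransfer", "FullAccess"}
# Objects that rarely belong on a public site (constructed list; tune per org).
HIGH_RISK_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "User"}

Finding = namedtuple("Finding", "profile sobject issue severity")

def audit_guest_exposure(guest_perms, owd_records, guest_public_api):
    """guest_public_api mirrors the site setting 'Allow guest users to access
    public APIs', which is read from Setup, not from SOQL."""
    owd = {r["QualifiedApiName"]: r["ExternalSharingModel"] for r in owd_records}
    findings = []
    for p in guest_perms:
        profile, obj = p["Parent"]["Profile"]["Name"], p["SobjectType"]
        writes = [k[11:] for k in ("PermissionsCreate", "PermissionsEdit",
                                   "PermissionsDelete") if p.get(k)]
        if writes:
            findings.append(Finding(profile, obj, "guest write access: " + ", ".join(writes), "high"))
        if not p.get("PermissionsRead"):
            continue  # without object-level Read, OWD cannot expose records to guests
        model = owd.get(obj, "Unknown")
        if model in OPEN_EXTERNAL_MODELS:
            # Read + open external OWD = records readable with no credentials; a public API channel makes bulk extraction easy.
            findings.append(Finding(profile, obj, f"guest Read with external OWD '{model}'",
                                    "critical" if guest_public_api else "high"))
        elif obj in HIGH_RISK_OBJECTS:
            # OWD Private still leaves guest sharing rules to be reviewed by hand.
            findings.append(Finding(profile, obj, "guest Read on high-risk object", "medium"))
    return findings

def sample_row(obj, read, create=False):  # constructed record in `sf data query --json` shape
    return {"Parent": {"Profile": {"Name": "Support Site Guest User"}}, "SobjectType": obj,
            "PermissionsRead": read, "PermissionsCreate": create,
            "PermissionsEdit": False, "PermissionsDelete": False}

SAMPLE_GUEST_PERMS = [sample_row("Case", True, create=True), sample_row("Contact", True),
                      sample_row("Feedback__c", True)]
SAMPLE_OWD = [{"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
              {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
              {"QualifiedApiName": "Feedback__c", "ExternalSharingModel": "Private"}]
if __name__ == "__main__":
    for f in audit_guest_exposure(SAMPLE_GUEST_PERMS, SAMPLE_OWD, guest_public_api=True):
        print(f"[{f.severity}] {f.profile} / {f.sobject}: {f.issue}")
```

On the constructed sample, Case is flagged only for its Create permission (external OWD is Private), while Contact is flagged critical because guest Read combines with a Read external OWD and an enabled public API.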
