Salesforce says ShinyHunters is exploiting misconfigured Experience Cloud sites, not a platform flaw
Salesforce is warning customers that ShinyHunters is actively targeting public-facing Experience Cloud sites with overly permissive guest user settings. The company says the campaign does not rely on a vulnerability in Salesforce itself. Instead, attackers abuse customer misconfigurations that expose more data than intended to unauthenticated visitors.
According to Salesforce Security, the threat actors use a modified version of Aura Inspector, an open-source tool originally developed by Mandiant, to mass-scan public Experience Cloud sites. Salesforce says the original tool could identify exposed objects through the /s/sfsites/aura endpoint, while the actor’s custom version can go further and extract data when guest user permissions are too broad.
That makes this a configuration-driven data exposure issue, not a software exploit in the usual sense. Salesforce says a customer is at risk when the site uses a guest user profile and that profile allows public access to objects or fields that were never meant to be public. In those cases, attackers can query Salesforce CRM objects without logging in.
The warning carries extra weight because Salesforce updated its guidance on March 11, 2026 after finding additional configuration scenarios that could expose data. The company says harvested information such as names and phone numbers can support follow-on social engineering and voice phishing attacks, which matches the wider pattern already seen in ShinyHunters-linked campaigns.
Reports from multiple outlets say ShinyHunters has claimed responsibility for the campaign and alleged it stole data from hundreds of sites and around 100 high-profile companies. Those figures come from the threat actor’s own claims and outside reporting, not from Salesforce validation, so they should be treated as unverified attacker assertions.
How the exposure happens
Salesforce says Experience Cloud relies on a four-layer security model: object access, record access, field-level security, and field value masking. If any of those layers are configured too broadly for guest users, an unauthenticated visitor may gain access to data that should stay private.
This is why the problem can look harmless at first and still become serious. A site may work as intended on the surface, yet a guest profile with excessive permissions can still expose backend CRM data through the Aura endpoint. Salesforce says attackers do not need credentials if those guest permissions are too open.
What Salesforce wants customers to do now
| Action | Why it matters |
|---|---|
| Audit guest user profiles | Removes access to objects and fields that public visitors do not need |
| Set external defaults to Private | Prevents guest users from seeing records unless sharing rules allow it |
| Disable guest access to public APIs | Salesforce calls this the highest-impact single change |
| Disable API Enabled in guest profile | Further closes off unauthenticated querying paths |
| Turn off Portal User Visibility and Site User Visibility | Stops guest users from enumerating internal users |
| Disable self-registration if not needed | Reduces the chance that guest access turns into an authenticated foothold |
| Review field-level security on non-User objects | Helps protect data on Contact, Lead, Case, and custom objects |
Every item in the table comes directly from Salesforce’s latest guidance for customers using Experience Cloud guest access.
The most important fix
Salesforce says the single highest-impact step is to disable guest access to public APIs and uncheck API Enabled in the guest user profile. According to the company, that closes the Aura endpoint to unauthenticated API queries, which is the exact vector used in this campaign.
Admins should also review sharing settings and confirm that default external access is set to Private. Salesforce says guest users should not see any record unless an explicit sharing rule grants access.
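The checks above (API Enabled unchecked in the guest profile, no guest read access beyond what the site genuinely needs, no View All that would bypass sharing) can be scripted against the results of two Salesforce SOQL queries. The following is an added example and not code from Salesforce or the article; the records are constructed sample data shaped like flattened SOQL results for the standard Profile and ObjectPermissions objects, and the allowlist of guest-readable objects is an assumption that each site would set for itself.

```python
"""Audit guest user profile permissions against the guidance above.
Input records are constructed samples shaped like flattened results of:
  SELECT Id, Name, PermissionsApiEnabled FROM Profile WHERE UserType = 'Guest'
  SELECT Parent.ProfileId, SobjectType, PermissionsRead, PermissionsViewAllRecords
  FROM ObjectPermissions WHERE Parent.ProfileId IN (...)
Field names are the standard Salesforce ones; all values are constructed."""

SAMPLE_PROFILES = [  # constructed sample data
    {"Id": "00e000000000001", "Name": "Support Site Profile", "PermissionsApiEnabled": True},
    {"Id": "00e000000000002", "Name": "Store Site Profile", "PermissionsApiEnabled": False},
]

SAMPLE_OBJECT_PERMS = [  # constructed sample data; Parent.ProfileId flattened to ProfileId
    {"ProfileId": "00e000000000001", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"ProfileId": "00e000000000001", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"ProfileId": "00e000000000001", "SobjectType": "Case",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
    {"ProfileId": "00e000000000002", "SobjectType": "Product2",
     "PermissionsRead": True, "PermissionsViewAllRecords": False},
]

# Objects a public site is assumed to legitimately expose to guests (assumption
# for this example). Any other object readable by a guest profile is flagged.
GUEST_READ_ALLOWLIST = {"Knowledge__kav", "Product2"}


def audit_guest_profiles(profiles, object_perms, allowlist=GUEST_READ_ALLOWLIST):
    """Return a sorted list of (profile name, finding) tuples."""
    findings = []
    names_by_id = {p["Id"]: p["Name"] for p in profiles}
    for p in profiles:
        # Highest-impact single change per Salesforce: API Enabled must be off.
        if p["PermissionsApiEnabled"]:
            findings.append((p["Name"], "API Enabled is checked on the guest profile"))
    for op in object_perms:
        name = names_by_id.get(op["ProfileId"])
        if name is None or not op["PermissionsRead"]:
            continue  # not a guest profile, or no read access at all
        if op["SobjectType"] not in allowlist:
            findings.append((name, f"guest read access on {op['SobjectType']}"))
        if op["PermissionsViewAllRecords"]:
            # View All ignores sharing rules, so a Private external default would not help.
            findings.append((name, f"View All Records on {op['SobjectType']}"))
    return sorted(findings)


if __name__ == "__main__":
    for profile, finding in audit_guest_profiles(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMS):
        print(f"[{profile}] {finding}")
```

In a live org the two sample lists would be replaced by the query results from the REST API; the audit logic is unchanged.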
Why this campaign matters
This campaign shows how much risk can sit inside a configuration mistake. Salesforce says the platform remains secure, but public-facing sites can still leak sensitive CRM data if guest access is too broad. That can feed extortion, phishing, and vishing without any need for malware or password theft.
It also fits a broader trend. Security reporting around this campaign says ShinyHunters has paired data theft with extortion threats, while related reporting on the group shows a history of social engineering and cloud-targeted operations.
FAQ
Salesforce says no. The company states that its investigation found customer-configured guest user settings, not an inherent platform security flaw, behind the observed activity.
Salesforce says attackers abuse overly permissive guest user configurations on public Experience Cloud sites and use a modified Aura Inspector workflow against the /s/sfsites/aura endpoint.
No, not if guest permissions are too broad. Salesforce says the threat actor can directly query CRM objects without authentication in misconfigured environments.
Salesforce says its CSOC monitored a campaign by a known threat actor group, and external reporting says Salesforce later confirmed the operation was tied to ShinyHunters.
Salesforce says admins should audit guest user permissions, set external defaults to Private, and disable guest access to public APIs.