Salesforce has issued a critical warning about an active threat campaign targeting misconfigured Experience Cloud sites.
The notorious threat actor group ShinyHunters has claimed responsibility for a massive data theft operation that exploits overly permissive guest user configurations, reportedly affecting hundreds of websites belonging to roughly 100 high-profile organizations.
According to Salesforce’s Cyber Security Operations Center, this campaign does not rely on a vulnerability within the Salesforce platform itself.
Instead, it preys on customer misconfigurations. In a typical Experience Cloud setup, a guest user profile grants unauthenticated visitors access to public-facing data.
However, when these profiles are misconfigured with excessive permissions, sensitive internal records become exposed.
The threat actors are mass-scanning public sites using a modified version of Aura Inspector, an open-source tool originally developed by Mandiant for security auditing.
While the standard tool identifies data exposure risks, ShinyHunters custom-built a version capable of actively extracting data.
By probing the exposed Aura API endpoint, attackers query Salesforce CRM objects directly, without ever authenticating, and harvest whatever the guest profile is allowed to read.
ShinyHunters claims to have compromised up to 400 websites and roughly 100 high-profile companies.
The stolen data, which often includes personal information like names and phone numbers, fuels follow-on targeted social engineering and voice phishing attacks.
Furthermore, the group is using its well-known extortion tactics, threatening to publish the scraped business data on dark web leak sites if ransoms are not paid.
Understanding the Data Access Problem
Salesforce operates on a layered security model: object-level access, record-level sharing, field-level security, and field value masking.
Data stays hidden only as long as each of these layers is correctly restricted for the guest profile. Once the guest user has been granted object and field access and records are shared to it, attackers no longer need the site's pages at all: they bypass the interface restrictions and pull unmasked records directly through the API.
Salesforce states that administrators must immediately adopt a least privilege access model to secure their environments. Key defensive actions include:
Disable Public APIs: This is the highest-impact change. In the site's administration preferences, uncheck the setting that allows guest users to access public APIs; this immediately closes the targeted Aura endpoint to unauthenticated queries.
Audit Guest Profiles: Review and restrict guest user access to the absolute minimum objects and fields required for site functionality.
Set Defaults to Private: Ensure the external organization-wide defaults (the sharing defaults that apply to external users, including guests) are set to Private for every object, so guest users cannot view records without an explicit sharing rule.
Restrict Internal Visibility: Disable the Portal User Visibility and Site User Visibility sharing settings to prevent attackers from enumerating the org's user records.
Disable Self-Registration: If public account creation is not strictly necessary, turn it off to prevent attackers from escalating their access from a guest tier to an authenticated session.
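One way to turn the audit steps above into a repeatable check, as an added example rather than anything from Salesforce's advisory or the article: the script below takes guest-profile object permissions and external organization-wide defaults in the shape SOQL returns them (the embedded records and IDs are constructed sample data, and the allow-list of expected public objects is an assumption for the example) and reports every grant that exceeds least privilege. It covers the profile and sharing layers only; the site-level public API checkbox and self-registration live in the site's administration settings, not in the sharing model.

```python
"""Offline least-privilege audit of a Salesforce Experience Cloud guest profile.

Added example for this article, not code published by Salesforce or described
in its advisory. It evaluates records in the shape returned by SOQL over the
ObjectPermissions and EntityDefinition objects; the records embedded below are
constructed sample data, not an export from a real org.
"""
from dataclasses import dataclass

# Permission sets owned by guest-license profiles (IDs constructed for the example).
# In a live org they come from:
#   SELECT Id, Label FROM PermissionSet
#   WHERE IsOwnedByProfile = true AND Profile.UserLicense.Name = 'Guest User License'
GUEST_PERMISSION_SETS = {"0PS000000000001AAA": "Support Site Guest User"}

# Objects the public site is designed to expose. Anything else the guest
# profile can read is a finding. The allow-list itself is an assumption here.
EXPECTED_PUBLIC_OBJECTS = {"FAQ__c"}

# Shape of: SELECT ParentId, SobjectType, PermissionsRead, PermissionsCreate,
#   PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords,
#   PermissionsModifyAllRecords FROM ObjectPermissions WHERE ParentId IN (...)
OBJECT_PERMISSIONS = [
    {"ParentId": "0PS000000000001AAA", "SobjectType": "FAQ__c", "PermissionsRead": True,
     "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    # Guest can read Contact: the kind of over-grant the campaign harvests.
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Contact", "PermissionsRead": True,
     "PermissionsCreate": False, "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    # Create on Case is common for web-to-case forms; Read on Case is not needed for that.
    {"ParentId": "0PS000000000001AAA", "SobjectType": "Case", "PermissionsRead": True,
     "PermissionsCreate": True, "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    # Belongs to an internal profile's permission set: out of scope for a guest audit.
    {"ParentId": "0PS000000000002AAA", "SobjectType": "Account", "PermissionsRead": True,
     "PermissionsCreate": True, "PermissionsEdit": True, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
]

# Shape of (Tooling API): SELECT QualifiedApiName, ExternalSharingModel
#   FROM EntityDefinition WHERE QualifiedApiName IN (...)
ENTITY_DEFINITIONS = [
    {"QualifiedApiName": "FAQ__c", "ExternalSharingModel": "Private"},
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
]

# Permissions a guest profile should never carry; any of them in an export
# for a guest permission set is reported on its own.
WRITE_FLAGS = ("PermissionsEdit", "PermissionsDelete",
               "PermissionsViewAllRecords", "PermissionsModifyAllRecords")


@dataclass(frozen=True)
class Finding:
    check: str
    sobject: str
    detail: str


def audit_guest_access(object_permissions, entity_definitions,
                       guest_permission_sets, expected_public_objects):
    """Return one Finding per guest-profile grant that exceeds least privilege."""
    findings = []
    readable = set()
    for perm in object_permissions:
        parent = perm["ParentId"]
        if parent not in guest_permission_sets:
            continue  # internal or authenticated-user profile, not a guest
        sobject = perm["SobjectType"]
        if perm["PermissionsRead"]:
            readable.add(sobject)
            if sobject not in expected_public_objects:
                findings.append(Finding(
                    "object_read_outside_allowlist", sobject,
                    f"{guest_permission_sets[parent]} can read {sobject}"))
        granted = [flag for flag in WRITE_FLAGS if perm.get(flag)]
        if granted:
            findings.append(Finding("guest_write_or_view_all", sobject, ", ".join(granted)))
    # Record layer, the advisory's "Set Defaults to Private" step: flag any
    # external organization-wide default that is not Private on an object the
    # guest profile can read.
    sharing = {e["QualifiedApiName"]: e["ExternalSharingModel"] for e in entity_definitions}
    for sobject in sorted(readable):
        model = sharing.get(sobject)
        if model is not None and model != "Private":
            findings.append(Finding("external_owd_not_private", sobject,
                                    f"external organization-wide default is {model}"))
    return findings


if __name__ == "__main__":
    for finding in audit_guest_access(OBJECT_PERMISSIONS, ENTITY_DEFINITIONS,
                                      GUEST_PERMISSION_SETS, EXPECTED_PUBLIC_OBJECTS):
        print(f"[{finding.check}] {finding.sobject}: {finding.detail}")
```

Against the sample data this reports Contact and Case as readable outside the allow-list and Contact's external default of Read as broader than Private, while the Account row, which belongs to an internal profile, is ignored. In a live org, feed it the JSON output of the SOQL statements named in the comments (for example from `sf data query --json`, adding `--use-tooling-api` for EntityDefinition) and extend the allow-list per site.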
Organizations using Salesforce Experience Cloud must act quickly to audit their environments. Properly securing guest user settings is critical to defending against this ongoing campaign.
The post Salesforce Warns of ShinyHunters Group Exploiting Experience Cloud Sites appeared first on Cyber Security News.