Unauthorized parties are identifying and leveraging excessively permissive guest user configurations in Salesforce Experience Cloud to access sensitive data. Salesforce Security confirmed this activity in a March 7 publication, emphasizing that the issue stems from customer-configured settings rather than a vulnerability inherent to the Salesforce platform.
Salesforce environments have been the focus of multiple unauthorized access campaigns over the past year. Financially motivated groups, including ShinyHunters, initiated social engineering efforts targeting these instances last summer. While federal law enforcement eventually shut down a dedicated extortion site associated with the activity, unauthorized access attempts persisted.
In a separate campaign last year, a collective known as Scattered Lapsus$ Hunters—reportedly combining members of Scattered Spider, Lapsus$, and ShinyHunters—accessed data from dozens of Salesforce customers and used it to demand payments. These incidents are distinct from the summer 2025 Salesloft Drift third-party supply chain exposure.
Unauthorized access to Salesforce customer data
The current campaign involves an unidentified malicious actor group using a customized version of Aura Inspector, an open-source tool. The group is mass-scanning public-facing Experience Cloud sites. While the standard Aura Inspector is limited to identifying exposed API endpoints, the modified version extracts data by leveraging permissive guest user settings.
Every unauthenticated visitor to a public Salesforce Experience Cloud site runs as the same guest user, whose "guest user profile" grants the object and field permissions needed to show deliberately public content. Whether a guest can then reach a particular record is decided by the external organization-wide default sharing for that object and by any guest user sharing rules. If the profile grants Read (or Create, Edit, or View All Records) on objects the site does not need, and sharing for those objects is not Private, data intended to remain internal becomes reachable, and an unauthorized party can query Salesforce CRM objects through the site's exposed API endpoints without ever logging in.
ShinyHunters has claimed responsibility for a portion of this activity on social media. Organizations whose data is taken often see follow-on social engineering, including voice phishing (vishing), that uses the exposed information. Experience Cloud customers are at risk if their guest user profiles allow public access to objects and fields beyond Salesforce's recommended baseline configuration.
Due to the risk posed by this data collection, Salesforce recommends several immediate protective measures:
Audit guest user configurations to ensure they follow the principle of least privilege.
Set organization-wide default sharing to "private," so records reach guest users only through explicit guest user sharing rules.
Disable public API access that the site does not require.
Restrict what guest users can see through the site's visibility settings.
Disable self-registration if it is not a strict operational requirement.
Regularly review event monitoring logs for anomalous access patterns.
Add a designated security contact to your environment.
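The mechanism described above (profile permissions plus external sharing deciding what an anonymous guest can reach) and the first three of Salesforce's recommendations are what a defender needs to audit. The following script is an added example written for this article, not Salesforce's own tooling or anything from the campaign. It runs three SOQL queries against the standard REST query endpoint as an authenticated admin or integration user (Profile, ObjectPermissions, FieldPermissions and EntityDefinition are real API objects); the list of objects a public site is expected to expose, the sensitive field-name hints, the API version and the constructed sample results are assumptions to tailor per site. Without an instance URL and token it evaluates the embedded sample instead of a live org.

```python
"""Guest user exposure audit for a Salesforce Experience Cloud org.

Added example for this article, not Salesforce's own tooling. Given an
instance URL and an OAuth/session token it runs the SOQL below through the
standard REST query endpoint; without them it evaluates the constructed
sample results embedded at the bottom. EXPECTED_GUEST_READ, the field
hints and API_VERSION are assumptions; adjust them for your site.
"""
import json
import urllib.parse
import urllib.request

API_VERSION = "v60.0"  # assumption; any recent version exposes these objects

# Objects a public site is expected to let anonymous visitors read (assumption).
EXPECTED_GUEST_READ = {"Knowledge__kav", "Topic", "ContentDocument"}
# Field-name fragments treated as sensitive when guest-readable (assumption).
SENSITIVE_FIELD_HINTS = ("Email", "Phone", "Mailing", "Birth", "SSN")

QUERIES = {
    # Object CRUD and "View All" granted to every Guest-licence profile.
    "object_perms": "SELECT Parent.Profile.Name, SobjectType, PermissionsRead, "
                    "PermissionsCreate, PermissionsEdit, PermissionsDelete, "
                    "PermissionsViewAllRecords FROM ObjectPermissions "
                    "WHERE Parent.Profile.UserType = 'Guest'",
    # Field-level security on those same profiles.
    "field_perms": "SELECT Parent.Profile.Name, SobjectType, Field, PermissionsRead, "
                   "PermissionsEdit FROM FieldPermissions "
                   "WHERE Parent.Profile.UserType = 'Guest'",
    # External org-wide defaults; guest users are external users.
    "owd": "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition "
           "WHERE IsCustomizable = true",
}


def run_query(instance_url, token, soql):
    """Run one SOQL query via REST, following nextRecordsUrl pagination."""
    url = f"{instance_url}/services/data/{API_VERSION}/query?q={urllib.parse.quote(soql)}"
    records = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        records.extend(page["records"])
        url = instance_url + page["nextRecordsUrl"] if not page["done"] else None
    return records


def audit(object_perms, field_perms, entity_defs):
    """Return (severity, profile, object, reason) findings for guest over-exposure."""
    findings = []
    guest_readable = set()
    for r in object_perms:
        prof, obj = r["Parent"]["Profile"]["Name"], r["SobjectType"]
        if r["PermissionsRead"]:
            guest_readable.add(obj)
        if r["PermissionsViewAllRecords"]:
            findings.append(("HIGH", prof, obj, "View All Records bypasses sharing"))
        if r["PermissionsCreate"] or r["PermissionsEdit"] or r["PermissionsDelete"]:
            findings.append(("HIGH", prof, obj, "guest can create/edit/delete"))
        if r["PermissionsRead"] and obj not in EXPECTED_GUEST_READ:
            findings.append(("MEDIUM", prof, obj, "Read outside expected baseline"))
    for r in field_perms:
        prof, field = r["Parent"]["Profile"]["Name"], r["Field"]
        if r["PermissionsRead"] and any(h in field for h in SENSITIVE_FIELD_HINTS):
            findings.append(("MEDIUM", prof, r["SobjectType"], f"guest can read {field}"))
    # Object Read alone only reaches records the sharing model exposes; Read
    # plus a non-Private external OWD is what makes data anonymously queryable.
    for e in entity_defs:
        model = e["ExternalSharingModel"]
        if model in (None, "Private"):
            continue
        sev = "HIGH" if e["QualifiedApiName"] in guest_readable else "LOW"
        findings.append((sev, "-", e["QualifiedApiName"], f"external OWD is {model}"))
    return findings


def _profile(name):
    return {"Parent": {"Profile": {"Name": name}}}


# Constructed sample results in the shape of REST query records; not real org data.
SAMPLE = {
    "object_perms": [
        {**_profile("Help Center Profile"), "SobjectType": "Knowledge__kav",
         "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
         "PermissionsDelete": False, "PermissionsViewAllRecords": False},
        {**_profile("Help Center Profile"), "SobjectType": "Contact",
         "PermissionsRead": True, "PermissionsCreate": False, "PermissionsEdit": False,
         "PermissionsDelete": False, "PermissionsViewAllRecords": True},
        {**_profile("Help Center Profile"), "SobjectType": "Case",
         "PermissionsRead": True, "PermissionsCreate": True, "PermissionsEdit": False,
         "PermissionsDelete": False, "PermissionsViewAllRecords": False},
    ],
    "field_perms": [
        {**_profile("Help Center Profile"), "SobjectType": "Contact",
         "Field": "Contact.Email", "PermissionsRead": True, "PermissionsEdit": False},
        {**_profile("Help Center Profile"), "SobjectType": "Case",
         "Field": "Case.Subject", "PermissionsRead": True, "PermissionsEdit": False},
    ],
    "owd": [
        {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
        {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
        {"QualifiedApiName": "Opportunity", "ExternalSharingModel": "ReadWrite"},
    ],
}


def audit_sample():
    return audit(SAMPLE["object_perms"], SAMPLE["field_perms"], SAMPLE["owd"])


def audit_org(instance_url, token):
    results = {k: run_query(instance_url, token, q) for k, q in QUERIES.items()}
    return audit(results["object_perms"], results["field_perms"], results["owd"])


if __name__ == "__main__":
    import sys
    found = audit_org(sys.argv[1], sys.argv[2]) if len(sys.argv) == 3 else audit_sample()
    for sev, prof, obj, why in sorted(found):
        print(f"{sev:6} {prof:22} {obj:16} {why}")
```

Run it as `python guest_audit.py https://yourorg.my.salesforce.com <token>` to audit a live org, or with no arguments to see the sample findings. The point of the last loop is the one most audits miss: a guest profile with Read on Contact is not by itself a leak, but Read on Contact combined with an external organization-wide default of Read (or a broad guest sharing rule) is exactly the configuration the campaign exploits, so the script rates that pairing HIGH while rating a loose OWD on an object guests cannot read at all as LOW.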
Ongoing risks to Salesforce environments
Because Customer Relationship Management (CRM) platforms natively hold highly sensitive data, they remain a high-priority focus for unauthorized actors. Louis Eichenbaum, federal chief technology officer at ColorTokens, notes that these incidents are increasing because they require relatively low effort while yielding significant data sets.
When an organization creates an Experience Cloud site, the platform automatically creates a guest user and guest user profile to enable unauthenticated access. Eichenbaum recommends that Salesforce disable the automatic creation of these profiles, instead allowing organizations to opt in and deliberately create a guest account when needed.
Trey Ford, chief security and trust officer at Bugcrowd, explains that platform ecosystems present unique security challenges due to complex trust relationships and credential management, particularly regarding third-party integrations and non-human identities (NHI).
To strengthen their security posture, companies should review their integrations and account access patterns. Ford advises organizations to harden their usage, apply IP integration limits where feasible, and implement modern reference patterns for authentication and authorization.
About the original author
Alexander Culafi is a Boston-based senior news writer who previously wrote for VentureFizz, Search Security, and Nintendo World Report. He graduated from Emerson College in 2016 with a Bachelor of Science in journalism.