{"id":15942,"date":"2026-03-11T11:51:08","date_gmt":"2026-03-11T11:51:08","guid":{"rendered":"https:\/\/newestek.com\/?p=15942"},"modified":"2026-03-11T11:51:08","modified_gmt":"2026-03-11T11:51:08","slug":"overly-permissive-guest-settings-put-salesforce-customers-at-risk","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15942","title":{"rendered":"Overly permissive \u2018guest\u2019 settings put Salesforce customers at risk"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p>Salesforce is urging its customers to review their Experience Cloud \u2018guest\u2019 configurations as cybercrime group ShinyHunters claims a new campaign involving data theft and extortion tied to exposed Salesforce environments.<\/p>\n<p>The group recently posted <a href=\"https:\/\/x.com\/DarkWebInformer\/status\/2031054614733201823\">screenshots<\/a> on its leak site claiming breaches of \u201cseveral hundreds\u201d of organizations, including around 400 websites and roughly 100 \u201chigh profile companies.\u201d The claims come amid a broader campaign targeting Salesforce deployments through misconfigured public-facing portals, rather than vulnerabilities in the platform itself.<\/p>\n<p>In a new blog <a href=\"https:\/\/www.salesforce.com\/blog\/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access\/\">post<\/a>, Salesforce warned that attackers are exploiting overly permissive guest user settings in Experience Cloud environments to harvest data that organizations never intended to expose. \u201cOur Cyber Security Operations Center (CSOC) has been monitoring a campaign by a known threat actor group,\u201d the company said without identifying the actor. 
\u201cEvidence indicates the threat actor is leveraging a modified version of the open-source tool Aura Inspector (originally developed by Mandiant) to perform mass scanning of public-facing Experience Cloud sites.\u201d<\/p>\n<p>The ShinyHunters post, which came hours after the Salesforce warning, called the new campaign \u201cSalesforce Aura Campaign.\u201d<\/p>\n<p>The warning lands against a backdrop of <a href=\"https:\/\/www.csoonline.com\/article\/4001744\/hackers-use-vishing-to-breach-salesforce-customers-and-swipe-data.html\">earlier incidents<\/a> attributed to ShinyHunters, which, since mid-2025, has targeted Salesforce instances through phishing, social engineering, and abuse of integrations. In some <a href=\"https:\/\/www.csoonline.com\/article\/4067846\/extortion-gang-opens-data-leak-site-to-squeeze-victims-of-its-salesforce-attacks.html\">cases<\/a>, these attacks led to millions of records being compromised.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Overly permissive guest access<\/h2>\n<p>The warning concerns the Salesforce Experience Cloud platform used by organizations to build public portals for customers, partners, and communities. These sites rely on a shared \u201cguest user profile\u201d that allows unauthenticated visitors to view certain information.<\/p>\n<p>When configured correctly, that profile exposes only the minimal data required for the site to function. But if permissions are too broad, attackers can directly query backend CRM objects, effectively pulling data without needing credentials.<\/p>\n<p>According to Salesforce, threat actors are automating this process using a modified version of Mandiant\u2019s open-source AuraInspector tool, which probes the \u201c\/s\/sfsites\/aura\u201d API endpoint exposed by Experience Cloud sites. 
In the attacker-altered form, the tool moves beyond detection and actively extracts accessible data.<\/p>\n<p>Jason Soroko, senior fellow at Sectigo, described the approach as the \u201cpath of least resistance\u201d for attackers. Rather than engineering sophisticated exploits, he said, threat actors increasingly target configuration gaps where \u201ca single overly permissive guest setting leaves the data accessible to anyone who asks.\u201d<\/p>\n<p>According to the advisory, the campaign specifically targets environments where three conditions exist: guest profiles with excessive object or field permissions, organization-wide default access for external users that is not set to private, and guest users that are allowed to access public APIs. These conditions allow attackers to query data through Experience Cloud guest profiles.<\/p>\n<h2 class=\"wp-block-heading\"><a><\/a>Why Salesforce environments make tempting targets<\/h2>\n<p>Salesforce deployments are particularly attractive because of the sensitive data they hold and the complexity of their access models.<\/p>\n<p>\u201cSalesforce instances often contain highly sensitive customer data, including credentials and secrets that can be used for lateral movement,\u201d said Vincenzo Lozzo, CEO and cofounder of SlashID. At the same time, he added, the platform\u2019s layered permissions architecture, including profiles, permission sets, sharing rules, and integrations, is not well understood and can make accidental overexposure easy.<\/p>\n<p>The attack surface expands further when organizations connect Salesforce with third-party applications and APIs. \u201cTrust relationships, and long-lived and poorly monitored credentials grant access to treasure troves of systems and data,\u201d said Trey Ford, chief strategy and trust officer at BugCrowd. Once attackers compromise a trusted integration, he noted, it can create cascading risk across the entire ecosystem. 
Salesforce\u2019s guidance focuses on tightening the configuration controls responsible for this exposure. Recommended steps include auditing guest user permissions, disabling public API access where possible, restricting object visibility, and enforcing least-privilege access.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Salesforce is urging its customers to review their Experience Cloud \u2018guest\u2019 configurations as cybercrime group ShinyHunters claims a new campaign involving data theft and extortion tied to exposed Salesforce environments. The group recently posted screenshots on its leak site claiming breaches of \u201cseveral hundreds\u201d of organizations, including around 400 websites and roughly 100 \u201chigh profile companies.\u201d The claims come amid a broader campaign targeting Salesforce&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15942\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15942","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15942","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15942"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15942\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15942"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15942"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15942"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}