Full Report
Researchers said the threat group behind the campaign is associated with ShinyHunters, an outfit that’s previously stolen data from Salesforce instances for extortion attempts. The post Salesforce issues new security alert tied to third customer attack spree in six months appeared first on CyberScoop.
Analysis Summary
# Incident Report: Salesforce Experience Cloud Guest User Extortion Campaign
## Executive Summary
In March 2026, Salesforce issued a security alert regarding a widespread campaign targeting public-facing Experience Cloud sites. The threat actor, identified as being associated with the ShinyHunters group, exploited overly permissive guest user configurations to scrape sensitive data for extortion purposes. While Salesforce confirmed this was not a platform vulnerability but a matter of customer misconfiguration, the campaign reportedly impacted approximately 100 organizations.
## Incident Details
- **Discovery Date:** March 2026 (Publicly disclosed March 11, 2026)
- **Incident Date:** Ongoing (March 2026)
- **Affected Organization:** Approximately 100 Salesforce Experience Cloud customers (unverified)
- **Sector:** Cross-sector (including third-party service providers)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** March 2026
- **Vector:** Exploitation of misconfigured Guest User Profiles.
- **Details:** Attackers targeted "Experience Cloud" sites where unauthenticated guest user settings were overly permissive, allowing access to data not intended for the public.
### Lateral Movement
- **Details:** The report describes no lateral movement between systems. Guest access is scoped to a single customer org, and the actor used it to query that org's CRM objects directly through the site's unauthenticated endpoints rather than pivoting anywhere else.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claims to have stolen data from roughly 100 companies. The impact is primarily focused on data theft for extortion.
### Detection & Response
- **How it was discovered:** Salesforce threat monitoring identified active scanning and exploitation of public-facing sites.
- **Response actions taken:** Salesforce issued a security advisory (General Message 20000244) and a blog post guiding customers on how to secure guest user configurations.
## Attack Methodology
- **Initial Access:** Identification of public-facing Experience Cloud sites with "Guest User" access enabled.
- **Persistence:** Not applicable; the attack focuses on direct data scraping via unauthenticated APIs.
- **Privilege Escalation:** Not required; the attackers leverage "excessive permissions" already granted to the guest profile.
- **Defense Evasion:** The actor relied on a modified version of a legitimate open-source auditing tool, so its requests look like ordinary unauthenticated guest traffic to the site; no credentials are involved, so login-based detections never fire.
- **Credential Access:** N/A (Unauthenticated access).
- **Discovery:** Use of a modified version of **AuraInspector** (an open-source tool developed by Mandiant) to scan for vulnerable sites and exposed data objects.
- **Lateral Movement:** Not applicable across systems; within a victim org the actor enumerated and queried whichever CRM objects the misconfigured guest profile exposed.
- **Collection:** Automated querying of Salesforce CRM objects.
- **Exfiltration:** Direct data extraction via guest user API calls.
- **Impact:** Data breach and subsequent extortion attempts.
## Impact Assessment
- **Financial:** Potential extortion demands; costs associated with incident response and legal notifications.
- **Data Breach:** Exposure of sensitive CRM data (volumes and types vary by victim).
- **Operational:** Low direct business disruption, but high administrative burden for remediation.
- **Reputational:** Public impact for the ~100 companies targeted; the third such campaign in six months for the Salesforce ecosystem.
## Indicators of Compromise
- **Network indicators:** Activity originating from known ShinyHunters infrastructure (not specifically listed in the article).
- **File indicators:** None on the victim side; the modified **AuraInspector** runs from the attacker's own host, so there is no file to find in the Salesforce org. The observable artifact is the request pattern the tool generates against the site's Aura endpoint, visible in Event Monitoring log files where that feature is licensed.
- **Behavioral indicators:** High volume of unauthorized/unauthenticated queries to Salesforce CRM objects via Experience Cloud guest segments.
## Response Actions
- **Containment measures:** Reviewing and restricting Guest User Profile permissions.
- **Eradication steps:** Auditing "publicly accessible" objects to ensure only intended data is exposed.
- **Recovery actions:** Implementing Salesforce’s recommended security controls for Experience Cloud.
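To make the containment and eradication steps concrete, the following is an added example (not code from Salesforce, Mandiant or the article) that audits a guest user profile offline once it has been retrieved as Metadata API Profile XML (for example with the Salesforce CLI's metadata retrieve). It flags every object or field the profile can read that is not on an explicit allowlist, plus any edit, delete, modify-all or view-all grant. The allowlist, the sample profile and the object names in it (`Web_Inquiry__c`, `Knowledge__kav`) are constructed for illustration.

```python
"""Offline audit of a Salesforce guest user profile (Metadata API Profile XML).

Added example, not code from Salesforce, Mandiant or the article. It flags any
object or field the guest profile can read that is not on an explicit allowlist,
plus any write or view-all grant, which a public site rarely needs.
"""
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}  # Metadata API namespace

# Constructed sample profile: a site that only needs to create web inquiries and
# read knowledge articles, but has been granted read on Contact and edit on Case.
SAMPLE_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <custom>false</custom>
  <objectPermissions>
    <allowCreate>true</allowCreate>
    <allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit>
    <allowRead>false</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Web_Inquiry__c</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate>
    <allowDelete>false</allowDelete>
    <allowEdit>false</allowEdit>
    <allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Contact</object>
    <viewAllRecords>true</viewAllRecords>
  </objectPermissions>
  <objectPermissions>
    <allowCreate>false</allowCreate>
    <allowDelete>false</allowDelete>
    <allowEdit>true</allowEdit>
    <allowRead>true</allowRead>
    <modifyAllRecords>false</modifyAllRecords>
    <object>Case</object>
    <viewAllRecords>false</viewAllRecords>
  </objectPermissions>
  <fieldPermissions>
    <editable>false</editable>
    <field>Contact.Email</field>
    <readable>true</readable>
  </fieldPermissions>
  <fieldPermissions>
    <editable>false</editable>
    <field>Knowledge__kav.Title</field>
    <readable>true</readable>
  </fieldPermissions>
</Profile>
"""

# Grants an unauthenticated visitor should essentially never hold.
RISKY_GRANTS = ("allowEdit", "allowDelete", "modifyAllRecords", "viewAllRecords")


def _is_true(element, tag):
    """Return True when the child <tag> of element holds the text 'true'."""
    node = element.find(f"sf:{tag}", NS)
    return node is not None and (node.text or "").strip().lower() == "true"


def audit_guest_profile(profile_xml, allowed_objects, allowed_fields=()):
    """Return a list of (finding, target) tuples for a guest profile.

    allowed_objects: objects the public site legitimately needs to read.
    allowed_fields:  individual fields (Object.Field) allowed outside those objects.
    """
    root = ET.fromstring(profile_xml)
    findings = []

    for perm in root.findall("sf:objectPermissions", NS):
        obj = (perm.findtext("sf:object", default="", namespaces=NS) or "").strip()
        if _is_true(perm, "allowRead") and obj not in allowed_objects:
            findings.append(("object-read", obj))
        for grant in RISKY_GRANTS:
            if _is_true(perm, grant):
                findings.append((grant, obj))

    for perm in root.findall("sf:fieldPermissions", NS):
        field = (perm.findtext("sf:field", default="", namespaces=NS) or "").strip()
        obj = field.split(".", 1)[0]
        if _is_true(perm, "readable") and obj not in allowed_objects and field not in allowed_fields:
            findings.append(("field-read", field))

    return findings


if __name__ == "__main__":
    # Run against the constructed profile with the objects the site is meant to expose.
    for finding, target in audit_guest_profile(SAMPLE_PROFILE, {"Web_Inquiry__c", "Knowledge__kav"}):
        print(f"{finding:16} {target}")
```

Object and field permissions are only one layer: a guest user also needs record access through guest user sharing rules before a read grant exposes data, so treat a finding here as "this object is one sharing rule away from being public" and review the site's sharing settings alongside the profile.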
## Lessons Learned
- **Configuration as a Vulnerability:** Even secure platforms can be compromised through "overly permissive" default or customer-managed settings.
- **Tool Dual-Use:** Open-source security auditing tools (like AuraInspector) continue to be weaponized by threat actors.
- **Third-Party Risk:** The campaign highlights a recurring trend (three times in six months) where the intersection of third-party integrations and identity configurations creates significant risk.
## Recommendations
- **Principle of Least Privilege:** Strictly limit Guest User Profile permissions to the absolute minimum required for public functionality.
- **Continuous Auditing:** Use tools like Salesforce Optimizer or Mandiant’s AuraInspector to regularly scan for exposed data.
- **Access Governance:** Treat guest and service accounts with the same security rigor as privileged internal users.
- **Monitoring:** Monitor Salesforce event log files (Event Monitoring) for surges in guest user requests to a site's Aura endpoint or in object queries. Every anonymous visitor to a site acts as the same guest user record, so baseline and alert on source IP and request rate rather than on user ID.
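The monitoring recommendation above, as an added example rather than code from Salesforce or the article: a sliding-window detector over rows shaped like an Event Monitoring event log file export (CSV). It keeps only unauthenticated guest requests to an Experience Cloud site's Aura endpoint and raises one alert per client IP whose request count inside the window crosses a threshold. The column subset, the `USER_TYPE` code used for guest users, the endpoint path and every log line are constructed or assumed for this example, and rows are assumed to arrive in timestamp order.

```python
"""Detect guest user scraping surges in Salesforce event log data.

Added example, not Salesforce's code. The column subset, the USER_TYPE code for
guest users, the Aura endpoint path and the sample rows are constructed or
assumed here; real event log files carry many more columns.
"""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

GUEST_USER_TYPE = "G"          # assumed USER_TYPE code for a site guest user
AURA_PATH = "/s/sfsites/aura"  # assumed path an Experience Cloud site serves Aura actions from
TS_FORMAT = "%Y-%m-%dT%H:%M:%S.%fZ"


def detect_guest_scraping(log_text, window_seconds=60, threshold=50):
    """Return one alert per client IP whose guest Aura requests reach `threshold`
    within any `window_seconds` span. Rows must be in timestamp order."""
    windows = defaultdict(deque)   # client IP -> timestamps inside the current window
    alerted = set()
    alerts = []
    for row in csv.DictReader(io.StringIO(log_text)):
        # Authenticated users and plain page loads are out of scope for this detection.
        if row["USER_TYPE"] != GUEST_USER_TYPE or not row["URI"].startswith(AURA_PATH):
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], TS_FORMAT)
        ip = row["CLIENT_IP"]
        window = windows[ip]
        window.append(ts)
        while ts - window[0] > timedelta(seconds=window_seconds):
            window.popleft()            # drop timestamps that fell out of the window
        if len(window) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append({"client_ip": ip, "first_seen": window[0].isoformat(),
                           "count": len(window)})
    return alerts


def _fmt(ts):
    """Format a datetime the way event log files do: millisecond precision, trailing Z."""
    return ts.strftime("%Y-%m-%dT%H:%M:%S.") + f"{ts.microsecond // 1000:03d}Z"


def build_sample_log():
    """Constructed log: one normal guest visitor, one logged-in portal user, one scraper."""
    base = datetime(2026, 3, 10, 14, 0, 0)
    rows = []
    # Ordinary guest browsing: a few page loads and three Aura calls in about a minute.
    for sec, uri in ((5, "/s/"), (6, AURA_PATH), (30, AURA_PATH), (70, "/s/article/faq"), (71, AURA_PATH)):
        rows.append((base + timedelta(seconds=sec), "0055g00000AAAAA", "G", "198.51.100.7", uri))
    # Authenticated portal user doing a lot of legitimate work (USER_TYPE C, not guest).
    for i in range(200):
        rows.append((base + timedelta(seconds=i * 0.5), "0055g00000BBBBB", "C", "192.0.2.10", AURA_PATH))
    # Scraper: 120 Aura requests from one IP at 2.5 requests per second, sharing the
    # same guest user ID as the ordinary visitor because a site has a single guest user.
    for i in range(120):
        rows.append((base + timedelta(minutes=2, seconds=i * 0.4), "0055g00000AAAAA", "G", "203.0.113.45", AURA_PATH))
    rows.sort(key=lambda r: r[0])
    out = io.StringIO()
    writer = csv.writer(out)
    writer.writerow(["TIMESTAMP_DERIVED", "USER_ID", "USER_TYPE", "CLIENT_IP", "URI"])
    for ts, user, utype, ip, uri in rows:
        writer.writerow([_fmt(ts), user, utype, ip, uri])
    return out.getvalue()


if __name__ == "__main__":
    for alert in detect_guest_scraping(build_sample_log()):
        print(alert)
```

The detector keys on client IP rather than user ID because the scraper and every legitimate visitor share the site's one guest user; a per-user count would never separate them. Tune `threshold` and `window_seconds` against a week of the site's own guest traffic before alerting on it, and expect a distributed actor to need a second signal such as the number of distinct objects requested.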