'Overly Permissive' Salesforce Cloud Configs in the Crosshairs
Some customers have mishandled guest user configurations otherwise intended to allow third-party access to important — and sensitive — client data.
Alexander Culafi, Senior News Writer, Dark Reading
March 10, 2026
Threat actors are exploiting "customers' overly permissive" Salesforce Experience Cloud guest user configurations to steal sensitive data, Salesforce Security said in a March 7 blog post.
Salesforce said this issue is unrelated to a vulnerability inherent to its platform and that Salesforce remains secure. "Our investigation to date confirms that this activity relates to a customer-configured guest user setting," the blog post read.
Salesforce instances have faced a wide range of campaigns over the past year or so. Most prominently, financially motivated threat groups including ShinyHunters targeted Salesforce instances through social engineering attacks that began last summer. Federal law enforcement ultimately shuttered a dedicated extortion site tied to the campaign, but even then, attacks apparently continued.
In a second distinct threat campaign last year, an actor known as Scattered Lapsus$ Hunters (supposedly combining Scattered Spider, Lapsus$, and ShinyHunters) reportedly stole a wide range of data belonging to dozens of Salesforce customers before using it to extort them. And these campaigns were separate from the Salesloft Drift supply chain attack from the summer of 2025.
To address the issue laid out in its blog post, the CRM giant made several recommendations for customers to check for compromise and protect themselves against it.
Attackers Steal Salesforce Customer Data
In its blog post, Salesforce says an unidentified "known threat actor group" has been leveraging a modified version of the open-source tool Aura Inspector to mass scan public-facing Experience Cloud sites. While Aura Inspector originally only identified vulnerable objects through probing API endpoints that sites expose, "the actor has developed a custom version of the tool capable of going beyond identification to actually extract data — exploiting overly permissive guest user settings," the vendor noted.
"In a publicly accessible Salesforce Experience site, anonymous visitors share a 'guest user profile.' Typically this is used to allow an unauthenticated user access to view data that is expected to be made publicly available," Salesforce explained. "However, if this profile is misconfigured with excessive permissions, data that is not intended to be made public may be accessible, allowing a threat actor to directly query Salesforce CRM objects without logging in."
Salesforce declined to share any threat actor attribution with Dark Reading, though ShinyHunters apparently has taken credit for some attacks.
Experience Cloud customers are considered "at risk" if they are using the guest user profile and have configured permissions to allow public access to objects and fields not intended to be available according to Salesforce's recommended configuration guidance. Follow-on activity has consisted of targeted social engineering (including voice phishing) attacks, which is in line with ShinyHunters' MO.
Due to the risk posed by this campaign, Salesforce urged Experience Cloud customers to audit guest user configurations, set company-wide defaults to "private," disable public APIs, restrict visibility, disable self-registration if not required, regularly review event monitoring logs, and add a security contact. Instructions for all these recommendations are in the blog.
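As an added example (not Salesforce's own tooling or code), the Python below applies the first recommendation above, auditing guest user permissions, to a guest profile permission export: it flags every object an anonymous visitor can read or write that is not on an allowlist of objects the site intends to be public. The row keys follow Salesforce's ObjectPermissions fields, but the rows, the object names and the allowlist are constructed sample data for a hypothetical site.

```python
# Added example (not Salesforce's own tooling): audit a guest user profile's
# object permissions against an allowlist of intentionally public objects.
# Row keys mirror Salesforce's ObjectPermissions fields; the rows and the
# allowlist are constructed sample data for a hypothetical site.
from dataclasses import dataclass

# Hypothetical policy: the only object anonymous visitors should read.
INTENDED_PUBLIC = {"Knowledge__kav"}

# Constructed sample export: one row per object the guest profile touches.
GUEST_OBJECT_PERMISSIONS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"SobjectType": "Contact", "PermissionsRead": True, "PermissionsViewAllRecords": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsEdit": True},
    {"SobjectType": "Lead", "PermissionsRead": True},
    {"SobjectType": "Account"},  # nothing granted: nothing to report
]

WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsModifyAllRecords")

@dataclass(frozen=True)
class Finding:
    sobject: str
    severity: str
    reason: str

def audit_guest_permissions(rows, intended_public=INTENDED_PUBLIC):
    """One Finding per object a guest can reach beyond read-only public access.

    Any write permission is CRITICAL even on a public object; View All Records
    or plain read on a non-allowlisted object is CRITICAL or HIGH respectively,
    because either lets an anonymous visitor query data never meant to be public.
    """
    findings = []
    for row in rows:
        name = row["SobjectType"]
        if any(row.get(flag, False) for flag in WRITE_FLAGS):
            findings.append(Finding(name, "CRITICAL", "guest can modify records"))
        elif name in intended_public:
            continue  # read-only access to an intentionally public object
        elif row.get("PermissionsViewAllRecords", False):
            findings.append(Finding(name, "CRITICAL", "guest can enumerate all records"))
        elif row.get("PermissionsRead", False):
            findings.append(Finding(name, "HIGH", "guest can read a non-public object"))
    return findings

def is_compliant(rows, intended_public=INTENDED_PUBLIC):
    """True when the guest profile grants only read access on allowlisted objects."""
    return not audit_guest_permissions(rows, intended_public)
```

Run against a real export, the same logic turns the vendor's "audit guest user configurations" step into a repeatable check that can gate site changes.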
More Threats Against Salesforce Instances
Because CRMs inherently hold valuable data and because of Salesforce's dominance in that sector, it's no surprise that threat actors are targeting Salesforce customers. However, it is notable that so many prominent campaigns have taken root in so short a time.
Louis Eichenbaum, federal chief technology officer (CTO) at microsegmentation security vendor ColorTokens, tells Dark Reading that these attacks are increasing because attackers have identified that "they are easy [to conduct] and Salesforce stores a very large amount of sensitive data."
He adds that when organizations enable Experience Cloud, the platform automatically creates a guest user profile, which allows unauthenticated users to access the site. "I would recommend that Salesforce disable the automatic creation of guest user profiles and let organizations decide if they want to create a guest account," Eichenbaum says.
Trey Ford, chief security and trust officer at Bugcrowd, explains that platform ecosystems are hard to secure because they are compromised by exploiting trust relationships and poorly managed credentials, particularly via third-party integrations and non-human identities (NHIs).
"Over the last five to 10 years we've seen a number of SaaS security startups specifically aimed at permissions for human and NHI accounts, the scope of permissions applied, and the age and usage of those credentials," Ford says. "Companies need to review those integrations and account access patterns, and take steps to harden their usage, apply IP integration limits where possible, and use the latest reference patterns for authentication and authorization for their integrations."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.