Salesforce Warns of API Attacks Exploiting Cloud Misconfigs

Security teams are on high alert as Salesforce warned on March 10, 2026, of a surge in cyberattacks targeting improperly configured customer websites. This campaign exploits overly permissive guest user settings on publicly accessible Experience Cloud sites to access confidential data. Threat actors, possibly the known group ShinyHunters, are leveraging a modified version of the open-source AuraInspector tool for these scans.

The original tool, released by Google-owned Mandiant, was designed to identify misconfigurations. However, the actor’s customized version goes beyond identification to actively extract data from vulnerable endpoints. This activity focuses on sites where the guest user profile has not followed recommended configuration guidance.

Consequently, an unauthenticated attacker can directly query Salesforce CRM objects without logging in. Salesforce said it has “not identified any vulnerability inherent to the Salesforce platform associated with this activity.” The company emphasized that these attempts exploit customer configuration settings that increase exposure if not properly secured.

Meanwhile, the harvested data, such as names and phone numbers, is often repurposed for follow-on attacks. Salesforce noted this reflects a broader trend of identity-based targeting used for social engineering. The firm has urged customers to review guest user permissions and restrict API access immediately.

✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.

Previous Articles:

• Oil Prices Swing Sharply Amid Trump-Iran Strait Threats
• Banking Groups Mull Lawsuit Over Crypto Bank Charters
• MSTR, ASST Rise After Analyst Touts Bitcoin Strategy
• Bhutan Moves $12M in Bitcoin Amid Market Gains
• Alphabet Stock Could Have Made $365K In Decade: Buffett Wisdom