- Threat actors are actively exploiting misconfigured Salesforce Experience Cloud sites to steal sensitive data.
- The attackers are using a customized version of an open-source auditing tool called AuraInspector to scan and extract information.
- Salesforce states this is not a platform vulnerability but a result of customers not implementing recommended security settings.
- The campaign is part of a growing trend of identity-focused attacks used to fuel social engineering schemes.
Security teams are on high alert as Salesforce warned on March 10, 2026, of a surge in cyberattacks targeting improperly configured customer websites. This campaign exploits overly permissive guest user settings on publicly accessible Experience Cloud sites to access confidential data. Threat actors, possibly the known group ShinyHunters, are leveraging a modified version of the open-source AuraInspector tool for these scans.
The original tool, released by Google-owned Mandiant, was designed to identify misconfigurations. However, the actor’s customized version goes beyond identification to actively extract data from vulnerable endpoints. This activity focuses on sites where the guest user profile has not followed recommended configuration guidance.
Consequently, an unauthenticated attacker can directly query Salesforce CRM objects without logging in. Salesforce said it has “not identified any vulnerability inherent to the Salesforce platform associated with this activity.” The company emphasized that these attempts exploit customer configuration settings that increase exposure if not properly secured.
Meanwhile, the harvested data, such as names and phone numbers, is often repurposed for follow-on attacks. Salesforce noted this reflects a broader trend of identity-based targeting used for social engineering. The firm has urged customers to review guest user permissions and restrict API access immediately.
✅ Follow BITNEWSBOT on Telegram, Facebook, LinkedIn, X.com, and Google News for instant updates.
