
Salesforce Experience Cloud guest-user hardening

Advisory/Mitigation
Happening score 19
1 unique source, 1 article

Summary


Salesforce is urging Experience Cloud customers to harden guest user settings after abuse of overly permissive configurations exposed public sites to unauthorized data access. The guidance calls for setting Default External Access to Private, blocking guest users from public APIs, and tightening visibility controls. Salesforce also recommends disabling self-registration when unnecessary and monitoring logs for unusual queries. The mitigation is meant to reduce exposure on public-facing sites that attackers can probe with AuraInspector-style scanning.

Related Happenings

ShinyHunters Salesforce Experience Cloud misconfiguration campaign

Campaign
First: 10.03.2026 12:00 Last: 10.03.2026 12:00 Sources 1

About this happening: ShinyHunters is running an **active** **Salesforce Experience Cloud** campaign that exploits overly permissive guest-user settings to harvest data from **hundreds of companies**,...

Latest development: 16.04.2026 13:35

ShinyHunters leaked data tied to McGraw Hill after breaching the company's Salesforce environment earlier this month, and McGraw Hill said the intrusion exposed a limited set of data from a webpage hosted by Salesforce on its platform while not affecting its Salesforce accounts, courseware, customer databases, or internal systems. Have I Been Pwned said more than 100GB of files later appeared publicly and contained data linked to 13.5 million accounts.

ShinyHunters Salesforce Experience Cloud data theft claims

Data Leak
First: 09.03.2026 19:12 Last: 09.03.2026 19:12 Sources 1

How related: "Evidence indicates the threat actor is leveraging a modified version of the open-source tool AuraInspector [...] to perform mass scanning of public-facing Experience Cloud sites," Salesforce said.

About this happening: **ShinyHunters** has **claimed ongoing theft** of data from **Salesforce Experience Cloud** instances, putting exposed customer records at risk across **hundreds of organizations**...

Microsoft 365 device-code phishing defenses for OAuth token abuse

Defensive Guidance
First: 19.02.2026 14:30 Last: 19.02.2026 14:30 Sources 1

About this happening: Defenders are tightening **Microsoft 365** protections against **device code phishing** and **vishing**, a technique that can hand attackers valid **OAuth tokens** for **Microsoft...

Microsoft Entra device code phishing and vishing campaign

Campaign
First: 19.02.2026 14:30 Last: 19.02.2026 14:30 Sources 1

About this happening: A **device code phishing campaign** is targeting **Microsoft 365 identities** through the **OAuth 2.0 device authorization flow**, letting attackers steal valid access tokens afte...

Timeline

  1. 10.03.2026 09:17 · 2 articles

    Salesforce urges Experience Cloud guest-user hardening

    Mitigation Patch Update

    Salesforce urged Experience Cloud customers to harden guest user settings after threat actors were observed mass-scanning public-facing sites with a modified version of AuraInspector to exploit overly permissive guest user access and extract data from Salesforce CRM objects without login. The recommended controls include setting Default External Access for all objects to Private, disabling guest users' access to public APIs, restricting visibility settings to prevent guest users from enumerating internal organization members, disabling self-registration when not required, and monitoring logs for unusual queries.

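An added audit check for the first recommended control (Default External Access set to Private); it is not Salesforce's code or part of the advisory. It reads SFDX-format object metadata and reports every object whose external org-wide default is not Private, assuming the `externalSharingModel` element of CustomObject metadata carries that value, and runs over constructed sample metadata rather than a real org.

```python
import xml.etree.ElementTree as ET

# Salesforce metadata namespace used by *.object-meta.xml files (SFDX source format).
NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed sample metadata for three objects; not taken from any real org.
SAMPLE_OBJECTS = {
    "Account": (
        '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<sharingModel>Private</sharingModel>"
        "<externalSharingModel>Private</externalSharingModel>"
        "</CustomObject>"
    ),
    "Contact": (
        '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<sharingModel>Private</sharingModel>"
        "<externalSharingModel>Read</externalSharingModel>"
        "</CustomObject>"
    ),
    "Lead": (
        '<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">'
        "<sharingModel>ReadWrite</sharingModel>"
        "</CustomObject>"
    ),
}


def external_access(xml_text):
    """Return the object's declared external (guest/portal) default, or "unset"."""
    root = ET.fromstring(xml_text)
    node = root.find(NS + "externalSharingModel")  # assumed element name, see lead-in
    if node is None or not (node.text or "").strip():
        return "unset"
    return node.text.strip()


def find_overexposed(objects):
    """Map object name -> external default for every object not locked to Private.

    "unset" is reported as well: an object with no declared external default does
    not demonstrably meet the Private recommendation and should be reviewed.
    """
    return {
        name: access
        for name, xml_text in objects.items()
        if (access := external_access(xml_text)) != "Private"
    }


if __name__ == "__main__":
    for name, access in sorted(find_overexposed(SAMPLE_OBJECTS).items()):
        print(f"{name}: Default External Access is {access}, expected Private")
```

To run it against a real project, replace SAMPLE_OBJECTS with the contents of each `*.object-meta.xml` file under the source directory, keyed by object name.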