www.darkreading.com 3/10/2026, 9:32:12 PM · via preferred

'Overly Permissive' Salesforce Cloud Configs in the Crosshairs

Threat actors are exploiting customers’ overly permissive Salesforce Experience Cloud guest user configurations to steal sensitive data, according to Salesforce Security in a March 7 blog post. The attackers have used a modified version of the open‑source Aura Inspector tool to mass‑scan public‑facing Experience Cloud sites and extract data by abusing misconfigured guest profiles. Salesforce notes that this activity is tied to customer‑configured guest user settings and is not an inherent platform vulnerability.

The campaigns include activity associated with ShinyHunters and other extortion‑focused operations, with subsequent social engineering and data leakage seen across Salesforce customers. Salesforce also describes a second campaign involving Scattered Lapsus$ Hunters, separate from the Salesloft Drift supply chain attack reported last year.

In response, Salesforce urged Experience Cloud customers to audit guest configurations, set defaults to private, disable public APIs, restrict visibility, disable self‑registration where not needed, review event logs, and add a security contact, with guidance published in their blog.


Article by CyberSIXT