Salesforce guest flaws fuel large-scale data harvesting
Security teams are investigating a wave of data harvesting from publicly accessible Salesforce Experience Cloud sites after attackers targeted organisations with overly broad guest user permissions.
Salesforce has tracked increased threat actor activity targeting misconfigurations on public-facing sites. Overly permissive guest user access can let attackers retrieve more data than organisations intended.
Threat actor ShinyHunters separately claimed responsibility, saying it breached between 300 and 400 companies. That claim has not been independently verified.
Misconfiguration focus
Salesforce described the issue as a configuration problem rather than a platform flaw. Its investigation so far points to customer-configured guest user settings, not a vulnerability in Salesforce itself.
Experience Cloud sites can allow anonymous visitors to view certain information without logging in. Those visitors share a "guest user profile" that controls what data can be accessed. If administrators grant that profile access to objects and fields that should not be public, an attacker can query data directly without authentication.
AppOmni, a security firm focused on software-as-a-service environments, said the exposure is not new. It tied the risk to overly permissive guest user configurations and said it has long flagged the issue to customers.
Drew Gatchell, AppOmni's senior director of threat detection, said that when permissions are configured too broadly, attackers can use automated tools to query and extract data.
Tooling changes
Salesforce observed attackers using a modified version of Aura Inspector, an open-source tool originally developed by Mandiant. The original tool is limited to identifying exposed objects by probing API endpoints on Experience Cloud sites, including the "/s/sfsites/aura" endpoint.
Attackers have developed a custom version that goes beyond discovery and can extract data when permissions allow it. Salesforce said the approach reflects a broader trend of identity-based targeting, where harvested information is used in follow-on social engineering.
AppOmni said new attacker tooling has increased the impact of a long-standing exposure, making exploitation faster, more scalable, and more damaging.
Gatchell added that attackers have refined their methods. Earlier versions of the technique could exfiltrate about 2,000 records at most, but attackers can now exfiltrate data at much larger scale through the Salesforce GraphQL access method.
Who is at risk
Organisations are exposed if they use Experience Cloud guest user profiles and configure permissions to allow public access to objects and fields that are not intended to be publicly available. Salesforce said the risk depends on a customer's settings and whether they diverge from recommended guidance.
AppOmni also stressed that not every Experience Cloud site is affected. Organisations are only exposed if they use the guest user feature and configure permissions more broadly than Salesforce recommends.
Both Salesforce and AppOmni said harvested data is likely to be used in scams. Salesforce said information collected in scans, such as names and phone numbers, is often used in targeted social engineering and voice phishing. AppOmni described campaigns that start with CRM data and then escalate access.
Gatchell said the scans typically collect names and contact details that are then used to fuel follow-on scams, including targeted "vishing" campaigns. He added that AppOmni has observed coordinated campaigns that harvest CRM data, use it to make vishing calls seem legitimate, then escalate into broader SaaS compromise and data exfiltration.
Recommended actions
Salesforce advised customers to audit guest user permissions and enforce least-privilege access. It also recommended setting org-wide defaults to "Private" for external users, disabling public API access for guest users, restricting visibility settings that could allow enumeration of internal users, and disabling self-registration where it is not required.
It also recommended reviewing Event Monitoring logs for anomalous access patterns, such as unexpected spikes in queries, unusual IP addresses, or access outside normal hours, and setting a dedicated security contact for incident notifications.
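As an added illustration of the log review recommended above (example code written for this page, not Salesforce's own tooling or schema), the following Python script flags guest-user query spikes, bulk row counts and off-hours access in a constructed Event Monitoring-style export; the column names, thresholds and business-hours window are assumptions.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample, loosely modelled on an Event Monitoring export. The column
# names below are an assumption for this example, not Salesforce's actual schema.
SAMPLE_LOG = """timestamp,user_type,client_ip,uri,rows_returned
2024-05-01T10:00:01Z,Guest,198.51.100.4,/s/sfsites/aura,20
2024-05-01T10:00:02Z,Guest,198.51.100.4,/s/sfsites/aura,20
2024-05-01T10:00:03Z,Guest,198.51.100.4,/s/sfsites/aura,20
2024-05-01T10:00:04Z,Guest,198.51.100.4,/s/sfsites/aura,20
2024-05-01T10:00:05Z,Guest,198.51.100.4,/s/sfsites/aura,20
2024-05-01T11:15:00Z,Guest,192.0.2.9,/s/sfsites/aura,5
2024-05-01T03:12:00Z,Guest,203.0.113.25,/s/sfsites/aura,50
2024-05-01T14:20:00Z,Standard,192.0.2.50,/services/data/query,30
"""

BUSINESS_HOURS = range(8, 19)  # 08:00-18:59 UTC; assumed baseline for this org

def parse_log(text):
    recs = list(csv.DictReader(StringIO(text)))
    for rec in recs:
        rec["ts"] = datetime.strptime(rec["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        rec["rows_returned"] = int(rec["rows_returned"])
    return recs

def find_anomalies(records, spike_threshold=5, row_threshold=40):
    """Return {client_ip: [reasons]} for guest-user traffic in the export window."""
    per_ip = defaultdict(lambda: {"requests": 0, "rows": 0, "off_hours": 0})
    for r in records:
        if r["user_type"] != "Guest":
            continue  # authenticated users are out of scope for this check
        stats = per_ip[r["client_ip"]]
        stats["requests"] += 1
        stats["rows"] += r["rows_returned"]
        if r["ts"].hour not in BUSINESS_HOURS:
            stats["off_hours"] += 1
    findings = {}
    for ip, s in per_ip.items():
        reasons = []
        if s["requests"] >= spike_threshold:
            reasons.append("query spike")
        if s["rows"] >= row_threshold:
            reasons.append("bulk rows returned")
        if s["off_hours"]:
            reasons.append("off-hours access")
        if reasons:
            findings[ip] = reasons
    return findings
```

Tune the thresholds against a baseline of normal guest traffic before alerting on them, since a legitimately busy public site will otherwise trip the spike rule.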
AppOmni urged organisations to check their Salesforce security posture and prioritise remediation if the "Data Records Exposed to Anonymous World" insight is flagged.
Salesforce said it has enhanced anomaly detection and continues monitoring the campaign. It said it will notify impacted customers if it becomes aware of unauthorised access to customer data.
"Salesforce-powered websites may allow anonymous visitors to browse certain information without logging in. When those permissions are configured too broadly, attackers can use automated tools to query and extract data," said Drew Gatchell, Senior Director of Threat Detection, AppOmni.