Salesforce Security Alert: Third Wave of Attacks Targets Customer Environments in Six Months

Introduction: A New Warning for Salesforce Customers

Cloud platforms have become the backbone of modern business operations. Companies rely heavily on cloud services to store sensitive customer information, manage operations, and connect with partners. Among these platforms, Salesforce stands as one of the most widely used customer relationship management ecosystems in the world. However, popularity also attracts attention from cybercriminals. Recently, Salesforce issued a new security alert warning customers about an ongoing attack campaign targeting publicly accessible Experience Cloud environments. The alert highlights a growing cybersecurity challenge: misconfigured systems that allow attackers to quietly harvest sensitive data without exploiting traditional software vulnerabilities.

Overview of the Latest Salesforce Attack Campaign

Salesforce has disclosed a security advisory regarding a wave of attacks targeting customer environments, specifically those using Experience Cloud sites that are accessible to the public. According to the company, attackers are attempting to exploit overly permissive guest user configurations that expose sensitive data unintentionally.

This campaign is the third major wave of attacks on Salesforce customers in the last six months. Security researchers and threat intelligence teams are monitoring it closely, while several organizations believed to be victims are investigating possible data exposure.

Although the total number of affected companies has not been officially confirmed, the hacking group known as ShinyHunters claims responsibility and states that approximately 100 companies have already been impacted. Independent cybersecurity researchers working with CyberScoop believe the attackers are indeed connected to the ShinyHunters group, which has a long history of stealing and leaking corporate data for extortion purposes.

Salesforce itself has not formally attributed the attacks to any specific group. However, the company acknowledged that the campaign is linked to a known threat actor group and emphasized that the attacks do not exploit a vulnerability within the Salesforce platform itself. Instead, the attackers are targeting configuration weaknesses created by customers.

The central issue is the guest user profile of a Salesforce Experience Cloud site. That profile defines what unauthenticated visitors may see and is meant to expose only genuinely public content, such as community posts, support articles, or documentation. If it is granted object or field permissions beyond that, an attacker can query the underlying CRM objects through the site's public endpoints and retrieve internal records without ever logging in.

Security experts say the attackers are scanning the internet for Experience Cloud instances with misconfigured guest permissions. Once they identify vulnerable targets, they can pull sensitive records directly from exposed systems.

Investigators believe the attackers are using a modified version of AuraInspector, an open-source tool originally developed by Mandiant for legitimate security testing and analysis. By adapting this tool, threat actors can automatically detect public-facing Salesforce environments and extract data from those with weak configurations.

Charles Carmakal, Chief Technology Officer at Mandiant Consulting, confirmed that his team is collaborating closely with Salesforce to analyze the campaign. According to Carmakal, the threat actors are actively searching for configuration weaknesses in Experience Cloud instances, and security teams are working to develop detection rules and telemetry that can help organizations identify suspicious activity.

Salesforce has not revealed when the company first detected the campaign, nor how many customers may have been compromised so far. The company has stated that its monitoring efforts are ongoing and advised customers to immediately review and tighten their guest user permissions.

Security professionals say that systems exposed to the public internet should always be configured with the expectation that they will be constantly scanned by attackers looking for weaknesses. Shane Barney, Chief Information Security Officer at Keeper Security, emphasized that this situation highlights a fundamental access governance problem.

According to Barney, guest accounts, service accounts, and API integrations must be managed with the same security discipline applied to privileged user accounts. Applying the principle of least privilege, restricting unnecessary API access, and regularly auditing permissions are essential security practices that could prevent such incidents.
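The review that Salesforce's advisory and the least-privilege advice above both call for, as an added example that is not code from the article, from Salesforce or from Mandiant: an offline audit of a guest user profile. It reads the Profile metadata XML that the Salesforce CLI retrieves for a profile (the `<Profile xmlns="http://soap.sforce.com/2006/04/metadata">` format with `objectPermissions`, `fieldPermissions` and `userPermissions` elements) and flags anything beyond read access to an allowlist of objects you have decided are truly public. The allowlist, the sample profile and the set of user permission names treated as risky are assumptions constructed for the example.

```python
"""Audit a Salesforce Experience Cloud guest user profile for over-permissioning.

Added example, not from the article, Salesforce or Mandiant. Input is the
Profile metadata XML as retrieved with the Salesforce CLI; the public-object
allowlist is supplied by the caller and is an assumption of this example.
"""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Object-level permissions an unauthenticated guest should never hold.
WRITE_PERMS = ("allowCreate", "allowEdit", "allowDelete", "modifyAllRecords", "viewAllRecords")

# User-level permissions that widen a guest's reach (assumption: these are the
# Profile metadata names for "API Enabled", "View All Data" and "Modify All Data").
RISKY_USER_PERMS = {"ApiEnabled", "ViewAllData", "ModifyAllData"}


def _text(parent, tag):
    """Return the text of a namespaced child element, or None if absent."""
    node = parent.find(f"m:{tag}", NS)
    return node.text if node is not None else None


def audit_guest_profile(profile_xml, public_objects):
    """Return a list of human-readable findings for the given profile XML.

    public_objects: set of API names the guest is intended to read.
    """
    root = ET.fromstring(profile_xml)
    findings = []

    for op in root.findall("m:objectPermissions", NS):
        obj = _text(op, "object")
        granted = [p for p in WRITE_PERMS if _text(op, p) == "true"]
        if granted:
            findings.append(f"{obj}: {','.join(granted)} granted to guest user")
        if _text(op, "allowRead") == "true" and obj not in public_objects:
            findings.append(f"{obj}: readable by guest user but not in the public allowlist")

    for fp in root.findall("m:fieldPermissions", NS):
        field = _text(fp, "field") or "?"
        obj = field.split(".")[0]
        if _text(fp, "readable") == "true" and obj not in public_objects:
            findings.append(f"{field}: field readable by guest user on a non-public object")
        if _text(fp, "editable") == "true":
            findings.append(f"{field}: field editable by guest user")

    for up in root.findall("m:userPermissions", NS):
        name = _text(up, "name")
        if _text(up, "enabled") == "true" and name in RISKY_USER_PERMS:
            findings.append(f"user permission {name} enabled for guest user")

    return findings


# Constructed sample: a guest profile that reads public knowledge articles (fine)
# but also sees every Contact, exposes Contact.Email, and has API access enabled.
SAMPLE_GUEST_PROFILE = """
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Knowledge__kav</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

if __name__ == "__main__":
    for finding in audit_guest_profile(SAMPLE_GUEST_PROFILE, {"Knowledge__kav"}):
        print("FINDING:", finding)
```

Run it against each guest profile retrieved from every Experience Cloud site in the org, and treat an empty allowlist as the starting point: every object the guest can read must be justified, because a readable object is exactly what an unauthenticated scanner pulls from the site's public endpoints.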

This recent campaign follows two other significant attack waves involving Salesforce environments during the previous year. In one case, security researchers from Google Threat Intelligence Group discovered malicious activity affecting more than 200 Salesforce instances linked to the Gainsight application integrated into customer environments.

Another even larger attack campaign occurred earlier, affecting over 700 companies that had integrated the AI chat agent Salesloft Drift into their Salesforce ecosystems. Investigators also linked those attacks to ShinyHunters or related threat clusters operating within the same extortion network.

Taken together, these incidents highlight how third-party integrations and configuration weaknesses can expose large numbers of organizations simultaneously, even when the underlying platform itself remains secure.

What Undercode Say:

The latest Salesforce incident demonstrates a critical shift in how modern cyberattacks operate. Rather than exploiting traditional software vulnerabilities, attackers increasingly target configuration mistakes and identity systems. This trend reflects a broader evolution in cybersecurity where misconfigurations become the primary entry point for attackers.

Salesforce itself is not compromised at the platform level. Instead, the weakness lies in how organizations configure access permissions. Many companies deploy cloud platforms quickly to meet operational needs, often overlooking security reviews of default or guest-level permissions. Attackers know this and actively scan the internet looking for these exact mistakes.

The use of the AuraInspector tool in this campaign is particularly notable. Originally designed as a legitimate security tool by Mandiant, AuraInspector allows researchers to inspect Salesforce Lightning components and identify configuration issues. By modifying it for malicious purposes, attackers essentially weaponized a diagnostic tool into a reconnaissance and data extraction system.

This approach reflects a growing pattern in cybercrime. Instead of building complex malware, attackers frequently repurpose existing open-source security tools to perform large-scale automated reconnaissance. Tools meant for defense can become powerful offensive instruments when used by threat actors.

The ShinyHunters

What makes this campaign particularly dangerous is its scalability. If an organization leaves a guest user profile overly permissive, the attackers may not need to breach authentication systems at all. They can simply query accessible CRM objects and retrieve information directly from public endpoints.

This means many victims may not realize they have been breached until their data appears on dark web marketplaces or extortion forums. The requests look like ordinary anonymous guest traffic, so there is no failed login, no stolen credential, and no malware on an endpoint for traditional security tools to flag; catching this kind of silent harvesting requires watching what guest users actually read, not only who logs in.

Another important aspect is the recurring nature of these attacks. Three major Salesforce-related campaigns in six months indicate that attackers see the ecosystem as a highly profitable target. The large number of organizations relying on Salesforce means that even a small percentage of misconfigured environments can produce hundreds of potential victims.

The issue also highlights the risks introduced by third-party integrations. Many organizations extend Salesforce with marketing tools, AI chat agents, analytics platforms, and customer engagement software. While these integrations improve productivity, they also expand the attack surface and increase the likelihood of configuration errors.

In many cases, security teams are not directly involved in the deployment of these integrations. Business units may enable external tools quickly, unintentionally granting broad permissions to service accounts or guest profiles.

The cloud security model operates under a shared responsibility framework. While vendors like Salesforce secure the platform infrastructure, customers remain responsible for configuring permissions, identity policies, and access governance. This division of responsibility can create blind spots where organizations assume the provider handles more security controls than it actually does.

The lesson from this campaign is clear: identity and access management is now the frontline of cybersecurity. Organizations must continuously audit user roles, API permissions, guest accounts, and third-party integrations. Automated security scanning and configuration monitoring should become standard practice in any cloud environment.

Companies should also adopt zero-trust principles where every access request is verified and restricted by default. Public-facing portals must be treated as high-risk systems and carefully reviewed to ensure that only truly public data is accessible without authentication.

Ultimately, the Salesforce incident is not just a warning about one platform. It reflects a much larger trend where cloud misconfigurations are becoming one of the most exploited weaknesses in enterprise cybersecurity.

Fact Checker Results

✅ Salesforce confirmed the attacks target misconfigured Experience Cloud guest user settings rather than a platform vulnerability.
✅ Security researchers linked the campaign to the ShinyHunters group, which has previously conducted data theft and extortion operations.
❌ The exact number of affected companies remains unverified despite attackers claiming around 100 victims.

Prediction

🔮 Identity-based attacks will continue rising as cloud platforms become the primary infrastructure for businesses.
🔮 More threat groups will weaponize legitimate security tools for automated scanning and data extraction.
🔮 Cloud providers may introduce stricter default permission settings to reduce the risk of customer misconfigurations.


References:

Reported By: cyberscoop.com