Why Are Platform Ecosystems — Like Salesforce — Often Targeted?

Salesforce recently issued a warning to users regarding an “increase in threat actor activity targeting misconfigurations of publicly accessible sites.” Specifically, cybercriminals are leveraging permissive guest user configurations for Experience Cloud to gain unauthorized access to data. This harvested data can be exploited for targeted social engineering attempts or even “vishing” (voice phishing) campaigns.
This threat activity is under active investigation, and follows a breach in October 2025 in which hackers claimed to have stolen 1 billion records from Salesforce customer databases. So why is this platform — and other platforms like it — such an attractive target to cybercriminals?
Why Platform Ecosystems Are Often Targeted
Platform ecosystems are a popular target for a few key reasons. They often:
- Possess sensitive customer information
- Contain credential data that can be leveraged for lateral movement
- Can be challenging to secure
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd, explains what makes these platforms difficult to secure.
“Platform ecosystems are notoriously hard to secure because the way they’re compromised is not easily scanned for using automation. This is specifically because these application stacks use non-human identities (NHI) and have deep integrations with other software and data platforms. Trust relationships and long-lived, poorly monitored credentials grant access to treasure troves of systems and data,” says Ford. “Targeting and compromising software trusted to communicate, query, or operate in the context of the Salesforce integration creates a threat to the Salesforce ecosystem, and it’s not something Salesforce can directly secure. The failure is in the third-party integrations.”
Another reason these ecosystems attract cybercriminals is due to the valuable data stored within databases. Not only can that data be leveraged for targeted cyberattacks against individuals, but it can also be used to navigate laterally through an environment to access more data.
Vincenzo Iozzo, CEO and Co-Founder at SlashID, explains, “Salesforce is a great target for attackers for a few reasons. First, Salesforce instances often contain highly sensitive customer data including credentials and secrets that can be used for lateral movement, as we’ve seen with the Drift breach. Second, Salesforce makes it relatively hard for security teams to detect attacks, and very few SOC teams have deep knowledge of Salesforce internals. Third, Salesforce has an incredibly complex and not very well understood access control architecture: profiles, permission sets, sharing rules, org-wide defaults, object-level security, which lends itself to accidental data exposure and privilege escalation. And when you add the third-party app ecosystem and OAuth integrations on top of that, the attack surface multiplies well beyond what any single security team can realistically monitor. This is a much easier target to go after than a heavily guarded endpoint or server.”
What Is the New Threat Activity Against Salesforce Customers?
Salesforce’s Cyber Security Operations Center (CSOC) is monitoring a known threat actor group’s campaign in which an altered version of the open-source tool Aura Inspector is deployed for “mass scanning of public-facing Experience Cloud sites.” The modified version of this tool extracts data rather than just identifying it, and it exploits permissive guest user settings.
An Experience Cloud customer will be at risk if they:
- Use the guest user profile
- Have configured permissions that enable public access to objects/fields not authorized for public access
Shane Barney, Chief Information Security Officer at Keeper Security, says, “The activity being reported centers on how guest user access is configured in public-facing Experience Cloud environments. When a guest profile is granted broader permissions than necessary, it can allow unauthenticated users to access data that was never intended to be public. That is a configuration exposure rather than a flaw in the underlying platform. Automated tools can quickly identify environments where access controls are too permissive and extract accessible data in a matter of minutes, amplifying both the scale and potential impact. Any system exposed to the internet must be configured with the expectation that it will be continuously scanned.”
How Can Security Leaders Mitigate This Risk?
Salesforce is recommending the following steps:
- Review guest user configurations
- Set the organization-wide default to “Private”
- Disable public APIs
- Limit visibility in sharing settings
- Disallow self-registration (if it is unnecessary for the site)
- Audit configuration for Enhanced Personal Information Masking (EPIM)
- Allow profile filtering
- Enable “Show Nicknames” setting
- Manually review non-user object field-level security
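The risk conditions above (a guest profile with access to objects or fields that were never meant to be public) and Salesforce’s checklist can be turned into a repeatable audit. The following is an added example, not Salesforce’s own tooling: the record shape is an assumption modelled on the article’s terms (guest object/field permissions, external org-wide defaults, self-registration, public API), not a real Salesforce API export, and the sensitive-field list and sample site are constructed.

```python
"""Audit a constructed snapshot of Experience Cloud guest-user settings.

Added example, not Salesforce's own tooling: the record shape below is an
assumption modelled on the article's checklist, not a real API export.
"""
from dataclasses import dataclass, field

# Fields that should never be readable by an unauthenticated guest
# (constructed list for this example).
SENSITIVE_FIELDS = {"Email", "Phone", "SSN__c", "Api_Token__c"}

@dataclass
class ObjectAccess:
    name: str
    external_owd: str            # org-wide default for external users
    guest_read: bool = False     # guest profile has Read on the object
    guest_write: bool = False    # create/edit/delete collapsed into one flag
    guest_fields: set = field(default_factory=set)  # fields visible to guest

@dataclass
class SiteConfig:
    self_registration: bool
    public_api: bool
    objects: list

def audit_site(cfg: SiteConfig) -> list[str]:
    """Return one finding per deviation from the hardening checklist."""
    findings = []
    if cfg.self_registration:
        findings.append("self-registration enabled")
    if cfg.public_api:
        findings.append("public API enabled")
    for obj in cfg.objects:
        if obj.external_owd != "Private":
            findings.append(f"{obj.name}: external OWD is {obj.external_owd}, expected Private")
        if obj.guest_write:
            findings.append(f"{obj.name}: guest profile has write access")
        # Field-level review only matters if the guest can read the object at all
        exposed = obj.guest_fields & SENSITIVE_FIELDS if obj.guest_read else set()
        for fname in sorted(exposed):
            findings.append(f"{obj.name}.{fname}: sensitive field readable by guest")
    return findings

# Constructed sample site: one hardened object, one permissive one.
SAMPLE = SiteConfig(
    self_registration=True,
    public_api=False,
    objects=[
        ObjectAccess("Knowledge_Article__c", "Private", guest_read=True, guest_fields={"Title", "Body"}),
        ObjectAccess("Contact", "Public Read Only", guest_read=True, guest_write=True,
                     guest_fields={"Name", "Email", "Phone"}),
    ],
)

if __name__ == "__main__":
    for finding in audit_site(SAMPLE):
        print(finding)
```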
“At its core, this is an access governance issue,” states Barney. “Guest accounts, service accounts and API integrations must be treated with the same discipline as privileged users. Applying least privilege, restricting API access and continuously auditing permissions are foundational security controls. Privileged access management plays an important role here by providing visibility and control over who, or what, can access sensitive systems and data, including non-human identities and externally exposed accounts. In cloud environments, identity defines the security boundary. Organizations that maintain clear oversight of permissions and enforce strong access controls significantly reduce the risk of unintended data exposure.”