Overly permissive ‘guest’ settings put Salesforce customers at risk
Summary
Salesforce is alerting customers to a campaign by the threat actor group ShinyHunters, which is exploiting overly permissive 'guest' user settings in Experience Cloud environments to expose and steal customer data. Attackers are using a modified version of the Aura Inspector tool to scan for and harvest data from misconfigured public-facing portals. Salesforce is urging customers to review and tighten these configurations to prevent data exfiltration and extortion.
IFF Assessment
This is bad news for defenders: a known threat actor is actively exploiting a common misconfiguration in a widely used platform to steal data.
Defender Context
Defenders should prioritize auditing and hardening Salesforce Experience Cloud guest user permissions, ensuring only necessary data is exposed. This incident highlights the ongoing risk of misconfigurations in cloud platforms and the importance of proactive security reviews, especially when third-party tools are used in conjunction with sensitive data.