
Security Alert: Critical Data Exposure in Salesforce Experience Cloud

Scott Walsh, March 11, 2026

Coalition has notified policyholders about a widespread campaign targeting Salesforce Experience Cloud sites. Threat actors are actively exploiting misconfigured guest user permissions to exfiltrate sensitive CRM data via the Aura API endpoint.

Unlike a traditional software vulnerability, this threat stems from over-permissioned guest profiles that allow unauthenticated users to query backend Salesforce objects, including contact records and lead lists, without logging in.

Salesforce has published guidance warning that threat actors are mass‑scanning public Experience Cloud sites (formerly Community Cloud) and abusing these misconfigurations to extract sensitive data.

Coalition’s analysis indicates that any site where public access is enabled is potentially vulnerable if the underlying permissions have not been strictly hardened.

What’s happening?

The ShinyHunters threat actor group has claimed responsibility for an ongoing campaign leveraging this misconfiguration, reportedly impacting hundreds of organizations.

Attackers are using automated tools to scan for the Aura endpoint, typically exposed at /s/sfsites/aura. Because this endpoint can return records from any Salesforce object the guest profile is allowed to read, threat actors can enumerate and scrape thousands of records containing PII and proprietary business data at scale, even if that data is not displayed on any public-facing webpage.
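The scanning pattern described above leaves a recognisable trace in request logs: a single unauthenticated client issuing hundreds of calls to the Aura endpoint in a short window, far beyond what a visitor browsing the site generates. The following detector is an added example written for this post, not code from Coalition or Salesforce. It runs a sliding-window count of guest requests to /s/sfsites/aura per client IP over a CSV export. The column names (TIMESTAMP, CLIENT_IP, USER_TYPE, URI) and the sample rows are constructed for the example; map them to the fields in your own event log files.

```python
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

AURA_PATH = "/s/sfsites/aura"
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def build_sample_log():
    """Constructed sample log, not real telemetry. Column names are an
    assumption for this example, not a documented Salesforce schema."""
    base = datetime(2026, 3, 8, 10, 0, 0)
    lines = ["TIMESTAMP,CLIENT_IP,USER_TYPE,URI"]
    # One guest client firing 60 Aura requests in 60 seconds: an enumeration burst.
    for i in range(60):
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts},203.0.113.10,Guest,{AURA_PATH}")
    # A visitor browsing normally: a handful of Aura calls spaced 30 seconds apart.
    for i in range(5):
        ts = (base + timedelta(seconds=30 * i)).strftime(TS_FORMAT)
        lines.append(f"{ts},192.0.2.5,Guest,{AURA_PATH}")
    # An authenticated user is outside the scope of this particular check.
    for i in range(80):
        ts = (base + timedelta(seconds=i)).strftime(TS_FORMAT)
        lines.append(f"{ts},198.51.100.7,Standard,{AURA_PATH}")
    return "\n".join(lines) + "\n"


def parse_log(text):
    """Parse a CSV export into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def find_aura_bursts(rows, window=timedelta(minutes=5), threshold=50):
    """Return {client_ip: peak_requests_in_window} for unauthenticated clients
    whose Aura request count exceeded `threshold` inside any sliding window."""
    events = defaultdict(list)
    for row in rows:
        if row["USER_TYPE"] != "Guest" or not row["URI"].startswith(AURA_PATH):
            continue
        events[row["CLIENT_IP"]].append(datetime.strptime(row["TIMESTAMP"], TS_FORMAT))

    flagged = {}
    for ip, stamps in events.items():
        stamps.sort()
        recent = deque()  # timestamps inside the current window
        peak = 0
        for ts in stamps:
            recent.append(ts)
            while ts - recent[0] > window:
                recent.popleft()
            peak = max(peak, len(recent))
        if peak > threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    for ip, count in find_aura_bursts(parse_log(build_sample_log())).items():
        print(f"{ip}: {count} guest Aura requests within a 5-minute window")
```

The threshold and window are starting points to tune against a baseline of your own site's traffic; the point of the check is the ratio between a scraper's request rate and that of an ordinary visitor, which is typically large enough that a conservative threshold still separates them.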

Salesforce has stated that this is a customer-controlled configuration issue, not a flaw in the platform itself. However, because these sites are designed to be public-facing, many organizations are unaware that their internal CRM data is inadvertently being served to the open web.

How should businesses address this?

Coalition recommends all Salesforce administrators perform an immediate audit of their Experience Cloud settings using Salesforce’s hardening guidance:

  • Audit guest user profiles: Disable the API enabled permission and remove access to all objects (contacts, accounts, leads, etc.) unless strictly required for public site functionality.

  • Set external OWDs to private: Ensure that external organization-wide defaults are set to private to prevent guest users from seeing records by default.

  • Review "View All" permissions: Ensure no guest profile has "View All" or "Modify All" permissions enabled for any object.

  • Monitor traffic: Check event monitoring logs for an unusual volume of requests hitting the /s/sfsites/aura endpoint from unauthenticated IP addresses.
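The first three audit steps above reduce to a few yes/no checks on each guest profile and on the external organization-wide defaults. The script below is an added example for this post, not Coalition's or Salesforce's own tooling. It takes a snapshot of one guest profile (whether "API Enabled" is on, its ObjectPermissions rows, and the external sharing model for the CRM objects that matter) and returns a list of findings; an empty list means the profile passes the checks. The SOQL strings in QUERIES show where such inputs would come from and are based on the standard Salesforce data model, but the field names, the license name and the placeholder profile id are assumptions to verify in your own org; the two snapshots are constructed sample data.

```python
from dataclasses import dataclass

# Objects the post names as scraping targets; extend for your org.
SENSITIVE_OBJECTS = {"Contact", "Account", "Lead"}

# Illustrative SOQL for collecting the inputs below. Field and license names
# follow the standard Salesforce data model but are assumptions here, and
# <GUEST_PROFILE_ID> is a placeholder to substitute per profile.
QUERIES = {
    "guest_profiles": (
        "SELECT Id, Name, PermissionsApiEnabled FROM Profile "
        "WHERE UserLicense.Name = 'Guest User License'"
    ),
    "object_perms": (
        "SELECT SobjectType, PermissionsRead, PermissionsViewAllRecords, "
        "PermissionsModifyAllRecords FROM ObjectPermissions "
        "WHERE Parent.ProfileId = '<GUEST_PROFILE_ID>'"
    ),
    "external_owd": (
        "SELECT QualifiedApiName, ExternalSharingModel FROM EntityDefinition "
        "WHERE QualifiedApiName IN ('Contact', 'Account', 'Lead')"
    ),
}


@dataclass
class GuestProfileSnapshot:
    """Inputs for one guest profile, shaped like the rows the queries return."""
    name: str
    api_enabled: bool
    object_perms: list   # ObjectPermissions rows as dicts
    external_owd: dict   # object API name -> ExternalSharingModel


def audit_guest_profile(snap):
    """Return human-readable findings for the three hardening checks."""
    findings = []
    # Step 1: guest profiles should not have API access.
    if snap.api_enabled:
        findings.append(f"{snap.name}: 'API Enabled' is on for a guest profile")
    # Step 3 (and the rest of step 1): no View All / Modify All, no CRM object reads.
    for perm in snap.object_perms:
        obj = perm["SobjectType"]
        if perm.get("PermissionsViewAllRecords") or perm.get("PermissionsModifyAllRecords"):
            findings.append(f"{snap.name}: View All / Modify All granted on {obj}")
        if perm.get("PermissionsRead") and obj in SENSITIVE_OBJECTS:
            findings.append(f"{snap.name}: guest Read access on CRM object {obj}")
    # Step 2: external OWDs must be Private.
    for obj, model in snap.external_owd.items():
        if model != "Private":
            findings.append(f"{obj}: external OWD is '{model}', expected 'Private'")
    return findings


# Constructed sample snapshots (not taken from any real org).
RISKY = GuestProfileSnapshot(
    name="Customer Portal Profile",
    api_enabled=True,
    object_perms=[
        {"SobjectType": "Contact", "PermissionsRead": True,
         "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False},
        {"SobjectType": "Lead", "PermissionsRead": True,
         "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    ],
    external_owd={"Contact": "Read", "Account": "Private", "Lead": "Private"},
)
HARDENED = GuestProfileSnapshot(
    name="Customer Portal Profile",
    api_enabled=False,
    object_perms=[
        {"SobjectType": "Knowledge__kav", "PermissionsRead": True,
         "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
    ],
    external_owd={"Contact": "Private", "Account": "Private", "Lead": "Private"},
)

if __name__ == "__main__":
    for label, snap in (("risky", RISKY), ("hardened", HARDENED)):
        print(f"{label}: {audit_guest_profile(snap) or ['no findings']}")
```

Read access that a public page genuinely needs (the knowledge article in the hardened snapshot) is left alone; the checks only fire on CRM objects and on the blanket View All / Modify All grants that let a guest read every record of an object regardless of sharing rules.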

Who’s at risk?

ShinyHunters told The Register that it stole data from “almost 400 websites and about 100 essential high profile companies Snowflake, Okta, Lastpass, Salesforce itself, Sony, AMD, and a lot more,” and that the “recon and exploitation has been going on for several months now.”

ShinyHunters is a prolific threat actor group known for its "pay or leak" reputation, where they threaten to leak or sell information on the dark web if the targeted company doesn’t pay a ransom. The group has listed millions of user account details on various leak sites. 

In 2025, the group combined forces with two other prominent cyber criminal groups: Scattered Spider and LAPSUS$. Collectively, the three were responsible for some of the most high-profile attacks of the last few years, including those on Jaguar Land Rover, Qantas, and PowerSchool. 

How Coalition is responding

Coalition notified all impacted policyholders on March 9, 2026, and is actively monitoring for these specific risky configurations. Coalition policyholders can log in to Coalition Control® for the latest updates. 

For assistance with mitigation, contact Coalition’s Security Support Center at securitysupport@coalitioninc.com.




This blog post is designed to provide general information on the topic presented and is not intended to construe or render legal or other professional services of any kind. If legal or other professional advice is required, the services of a professional should be sought. The views and opinions expressed as part of this blog post do not necessarily state or reflect those of Coalition. Neither Coalition nor any of its employees make any warranty of any kind, express or implied, or assume any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed. Any action you take upon the information contained herein is strictly at your own risk. Coalition and its affiliates will not be liable for any losses and damages in connection with your use or reliance upon the information. The blog post may include links to other third-party websites. These links are provided as a convenience only. Coalition does not endorse, have control over, nor assumes responsibility or liability for the content, privacy policy, or practices of any such third-party websites.
Copyright © 2026. All rights reserved. Coalition and the Coalition logo are trademarks of Coalition, Inc.
