Security Alert: Hackers Target Public Salesforce Experience Cloud Sites

Hackers Target Salesforce Experience Cloud Sites Using Modified AuraInspector Tool

Salesforce has alerted customers to a surge in malicious activity targeting publicly accessible Experience Cloud websites, where attackers are attempting to exploit configuration mistakes to gain access to sensitive information.

According to the company, threat actors are using a customized version of an open-source auditing tool called AuraInspector to scan Salesforce environments and extract data from sites that have overly permissive access settings.

Attackers Exploiting Guest User Permissions

The activity focuses on Experience Cloud guest user accounts, which allow visitors to access public resources such as landing pages, help centers, and knowledge base articles without needing to log in.

However, if these guest accounts are configured with excessive permissions, attackers may be able to access internal data that should not be publicly available.

Salesforce says the attackers are taking advantage of these misconfigurations to query data stored in Salesforce CRM systems without authentication.

Modified AuraInspector Tool Used for Mass Scanning

The attackers are reportedly using a modified version of AuraInspector, a tool originally developed to help security teams detect access control problems within Salesforce’s Aura framework.

The legitimate tool was released by Mandiant in early 2026 to assist organizations in auditing their Salesforce deployments.

While the original tool simply identifies exposed objects by scanning specific API endpoints, the customized version used by attackers goes further. It can scan large numbers of Experience Cloud sites and actively retrieve sensitive data when permissions are too open.

The scanning activity specifically targets the /s/sfsites/aura API endpoint, which is used by Salesforce-powered websites.

When the Attack Works

For attackers to successfully extract data from an Experience Cloud site, two main conditions must be present:

  1. The organization must allow access through a guest user profile.
  2. The site must have misconfigured permissions that expose internal objects or data.

Salesforce emphasized that the issue is not a vulnerability within the platform itself, but rather a result of configuration settings that do not follow recommended security practices.

Possible Link to Known Threat Actors

Salesforce did not publicly identify the attackers involved, but security analysts believe the activity could be connected to ShinyHunters, a cybercrime group known for targeting Salesforce environments.

This group has previously used third-party integrations such as Salesloft and Gainsight to gain access to sensitive corporate data stored in Salesforce systems.

How Organizations Can Protect Their Salesforce Environments

Salesforce is advising organizations using Experience Cloud to review their configuration settings and tighten access controls.

Recommended security measures include:

  • Setting Default External Access for all objects to Private
  • Blocking guest user access to public APIs
  • Limiting visibility so guest users cannot browse internal user accounts
  • Disabling self-registration features if they are not required
  • Monitoring system logs for suspicious or unusual data queries

Growing Trend of Identity-Based Attacks

The company also noted that this activity reflects a broader trend in cybercrime where attackers target identity systems and user permissions rather than exploiting traditional software vulnerabilities.

Data collected during reconnaissance scans, such as employee names, phone numbers, or email addresses, can later be used to launch social engineering attacks, including voice phishing campaigns.

Final Thoughts

As businesses rely more heavily on cloud platforms like Salesforce, configuration errors are becoming a major security risk.

Even when the platform itself is secure, overly permissive settings can expose sensitive information to attackers scanning the internet for weak points.

Organizations using Experience Cloud should regularly review their access settings to ensure that public visitors cannot access internal business data.