Salesforce has issued a warning to its customers that hackers are actively targeting websites running misconfigured Experience Cloud platforms. The misconfiguration grants guest users access to far more data than the platform’s settings are designed to allow. Adding to the concern, the ShinyHunters extortion gang has publicly claimed that it is actively exploiting a separate, newly discovered bug to steal data directly from affected instances.
Hackers Are Exploiting Experience Cloud Misconfigurations
Salesforce Experience Cloud is a widely adopted tool used by businesses across industries to connect with customers and partners through dedicated web pages and applications. The platform allows organizations to build branded digital spaces, but recent reports confirm that threat actors are zeroing in on instances where configuration errors leave the door open to sensitive data exposure.
The core of the problem lies in misconfigured permission settings that unintentionally grant guest users broader data access than intended. These errors can expose customer records, business data, and other sensitive information to unauthorized parties without requiring any direct system compromise. Salesforce has acknowledged the risk posed by improper configuration and has been notifying customers to review their setups.
ShinyHunters Claims Active Exploitation of a New Bug
ShinyHunters, a cybercriminal group with a well-documented history of large-scale data theft and extortion, is making claims that go beyond the misconfiguration issue Salesforce flagged. The group asserts it has been leveraging a novel, previously undisclosed bug to access and exfiltrate data from Salesforce instances. While Salesforce has not publicly confirmed the specific bug ShinyHunters is referencing, the group’s track record makes the claim difficult to dismiss outright.
The distinction between the two issues is important. Salesforce’s own warning centers on misconfiguration errors made by administrators, while ShinyHunters is pointing to what it describes as an exploitable software-level vulnerability. If accurate, that would represent a more serious and broader threat to organizations that may have otherwise believed their configurations were properly secured.
What Salesforce Users Should Do Now
Organizations running Salesforce Experience Cloud need to treat this situation with urgency. The combination of an active misconfiguration warning from Salesforce itself and unconfirmed but credible exploitation claims from a known threat group creates compounding risk for businesses that delay their response.
Administrators are strongly urged to conduct immediate audits of their Experience Cloud configurations, paying close attention to guest user permissions. Any instance found granting access beyond what is operationally necessary should be locked down without delay.
Steps Organizations Can Take to Reduce Their Exposure
- Audit all Experience Cloud configurations to confirm that guest user permissions are properly restricted.
- Review and tighten access controls across connected applications and data sources.
- Monitor for unusual data access patterns or unexpected API activity that could signal unauthorized access.
- Apply any security patches or configuration guidance issued by Salesforce as soon as they become available.
- Engage internal or third-party cybersecurity teams to validate that current settings meet security best practices.
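As an added illustration of the first step (not Salesforce tooling and not part of the original report), the Python sketch below compares a guest user profile's object permissions against an allowlist. It assumes the permissions were exported to CSV from the Salesforce ObjectPermissions object; the sample rows and the allowlist are constructed for a hypothetical site.

```python
import csv
import io

# Constructed sample: rows shaped like a CSV export of ObjectPermissions
# records for a site's guest user profile. Values are illustrative only.
SAMPLE_EXPORT = """\
SobjectType,PermissionsRead,PermissionsCreate,PermissionsEdit,PermissionsDelete,PermissionsViewAllRecords,PermissionsModifyAllRecords
Knowledge__kav,true,false,false,false,false,false
Case,true,true,false,false,false,false
Contact,true,false,false,false,false,false
Account,true,false,true,false,true,false
"""

# Assumption: what this hypothetical site actually needs guests to do.
# Anything not listed here is treated as excess access.
ALLOWED = {
    "Knowledge__kav": {"Read"},
    "Case": {"Read", "Create"},
}

# ObjectPermissions boolean fields mapped to short access names.
ACCESS_FIELDS = {
    "PermissionsRead": "Read",
    "PermissionsCreate": "Create",
    "PermissionsEdit": "Edit",
    "PermissionsDelete": "Delete",
    "PermissionsViewAllRecords": "ViewAllRecords",
    "PermissionsModifyAllRecords": "ModifyAllRecords",
}


def audit_guest_permissions(export_text, allowed):
    """Return (object, [excess access names]) for every over-permissioned object."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        obj = row["SobjectType"]
        granted = {
            name
            for field, name in ACCESS_FIELDS.items()
            if row.get(field, "").strip().lower() == "true"
        }
        excess = granted - allowed.get(obj, set())
        if excess:
            findings.append((obj, sorted(excess)))
    return findings


if __name__ == "__main__":
    for obj, excess in audit_guest_permissions(SAMPLE_EXPORT, ALLOWED):
        print(f"{obj}: guest profile grants {', '.join(excess)} beyond the allowlist")
```

This covers object-level permissions only; field-level access and sharing settings for guest users need their own review.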
Given the active nature of the threat and the involvement of a group like ShinyHunters, organizations should not wait for further confirmation before acting. The misconfiguration risk alone is enough to warrant an immediate review, and the possibility of an underlying software bug makes prompt action even more critical for protecting customer data and business operations.
