Salesforce issues new security alert tied to third customer attack spree in six months | CyberScoop<\/title> <meta name=\"description\" content=\"Researchers said the threat group behind the campaign is associated with ShinyHunters, an outfit that\u2019s previously stolen data from Salesforce instances for extortion attempts.\"> <link rel=\"canonical\" href=\"https:\/\/cyberscoop.com\/salesforce-experience-cloud-customers-attacks\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Salesforce issues new security alert tied to third customer attack spree in six months\"> <meta property=\"og:description\" content=\"Researchers said the threat group behind the campaign is associated with ShinyHunters, an outfit that\u2019s previously stolen data from Salesforce instances for extortion attempts.\"> <meta property=\"og:url\" content=\"https:\/\/cyberscoop.com\/salesforce-experience-cloud-customers-attacks\/\"> <meta property=\"og:site_name\" content=\"CyberScoop\"> <meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/cyberscoop\/\"> <meta property=\"article:published_time\" content=\"2026-03-11T14:12:16+00:00\"> <meta property=\"article:modified_time\" content=\"2026-03-11T14:12:19+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg\"> <meta property=\"og:image:width\" content=\"1024\"> <meta property=\"og:image:height\" content=\"683\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Matt Kapko\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <meta name=\"twitter:creator\" content=\"@CyberScoopNews\"> <meta name=\"twitter:site\" content=\"@CyberScoopNews\">  <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Feed\" href=\"https:\/\/cyberscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"CyberScoop \u00bb Comments Feed\" href=\"https:\/\/cyberscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/cyberscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1773235124g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/cyberscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1773167249g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/cyberscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1767808656g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=13897d660a0ac2c9c7d1\" media=\"all\"> <link rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/cyberscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/cyberscoop.com\/wp-json\/wp\/v2\/posts\/88175\"><meta name=\"generator\" content=\"WordPress 6.8.3\">\n<link rel=\"shortlink\" href=\"https:\/\/cyberscoop.com\/?p=88175\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalesforce-experience-cloud-customers-attacks%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/cyberscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Fcyberscoop.com%2Fsalesforce-experience-cloud-customers-attacks%2F&format=xml\">   <link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/cyberscoop.com\/wp-content\/uploads\/sites\/3\/2023\/01\/cropped-cs_favicon-2.png?w=270\"> <\/head><body class=\"wp-singular post-template-default single single-post postid-88175 single-format-standard wp-theme-scoopnewsgroup wp-child-theme-cyberscoop\" id=\"readabilityBody\"> <a href=\"https:\/\/cyberscoop.com\/salesforce-experience-cloud-customers-attacks\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.144215530903\">\n<div class=\"single-article__header-content\" readability=\"35.38779956427\">\n<ul class=\"single-article__eyebrow\">\n<li class=\"single-article__category\"> <a class=\"single-article__category-link\" href=\"https:\/\/cyberscoop.com\/salesforce-experience-cloud-customers-attacks\/\"> <span>Cybercrime<\/span> <\/a> <\/li>\n<\/ul>\n<p> Researchers said the threat group behind the campaign is associated with ShinyHunters, an outfit that\u2019s previously stolen data from Salesforce instances for extortion attempts. <\/p>\n<p>  <br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/cyberscoop\/88175\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p>  <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p>  <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. <\/span> <\/p>\n<\/div>\n<p>  <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"640\" height=\"427\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months.jpg?resize=640%2C427&ssl=1\" class=\"single-article__cover-image wp-post-image\" alt=\"Light reflects off glass panels on Salesforce Tower through the fog in San Francisco on July 31, 2018. (Carlos Avila Gonzalez\/The San Francisco Chronicle via Getty Images)\" decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg 1024w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=300,200 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=768,512 768w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=600,400 600w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=252,168 252w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=505,337 505w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-2.jpg?resize=1012,675 1012w\" sizes=\"(max-width: 1012px) 100vw, 1012px\"><figcaption> Light reflects off glass panels on Salesforce Tower through the fog in San Francisco on July 31, 2018. (Carlos Avila Gonzalez\/The San Francisco Chronicle via Getty Images) <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"42.115631691649\"><body readability=\"84.909816440543\"><\/p>\n<p>Threat hunters and a collection of unconfirmed victims are responding to a series of attacks targeting Salesforce customers, which the vendor disclosed in a <a href=\"https:\/\/status.salesforce.com\/generalmessages\/20000244?locale=en-US\">security advisory<\/a> Saturday. <\/p>\n<p>\u201cSalesforce is actively monitoring threat activity targeting public-facing Experience Cloud sites, including attempts to take advantage of overly permissive guest user configurations,\u201d the company said in the alert.<\/p>\n<p>The campaign marks the third widespread attack spree targeting Salesforce customers in about six months. <\/p>\n<p>The number of victims ensnared by the latest attacks is unverified, but ShinyHunters, the threat group asserting responsibility for the attacks, claims about 100 companies have already been impacted. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Researchers told CyberScoop they are confident the threat group behind the campaign is associated with ShinyHunters, an outfit that\u2019s previously stolen data from Salesforce instances for extortion attempts.<\/p>\n<p>Salesforce did not attribute the attacks, but pinned blame on a \u201cknown threat actor group,\u201d adding that the issue is <a href=\"https:\/\/www.salesforce.com\/blog\/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access\/\">not due to a vulnerability<\/a> in the company\u2019s platform.<\/p>\n<p>The company said the threat activity reflects a broader trend of identity-based targeting, in this case customer-configured guest user settings that expose publicly accessible Experience Cloud sites to potential attacks.<\/p>\n<p>\u201cWe are aware of a threat actor attempting to identify misconfigurations within Salesforce Experience Cloud instances,\u201d Charles Carmakal, chief technology officer at Mandiant Consulting, said in a statement. \u201cWe are working closely with Salesforce and our customers to provide the necessary telemetry and detection rules to mitigate potential risk.\u201d<\/p>\n<p>Salesforce said the threat actor is using a modified version of the Mandiant-developed open-source tool <a href=\"https:\/\/cloud.google.com\/blog\/topics\/threat-intelligence\/auditing-salesforce-aura-data-exposure\">AuraInspector<\/a> to scan for public-facing Experience Cloud sites and steal data from instances with a guest user profile. <\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>This setting is designed to provide unauthenticated users access to data intended for public consumption. Yet, guest profiles with excessive permissions allow attackers to view additional data by directly querying Salesforce CRM objects without logging in, the company explained.<\/p>\n<p>Salesforce did not say when or how it became aware of the latest campaign targeting its customers, nor how many companies have already been impacted. \u201cWe don\u2019t have anything further to add at this time,\u201d said Nicole Aranda, senior manager of corporate communications at Salesforce. <\/p>\n<p>The company advised customers to ensure guest user configurations are properly restricted.<\/p>\n<p>\u201cAny system exposed to the internet must be configured with the expectation that it will be continuously scanned,\u201d Shane Barney, chief information security officer, at Keeper Security, said in an email. <\/p>\n<p>\u201cAt its core, this is an access governance issue,\u201d he added. \u201cGuest accounts, service accounts and API integrations must be treated with the same discipline as privileged users. Applying least privilege, restricting API access and continuously auditing permissions are foundational security controls.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>Salesforce customers confronted a pair of attack sprees involving third-party vendors last year. Google Threat Intelligence Group at the time said it was aware of more than 200 potentially affected Salesforce instances linked to <a href=\"https:\/\/cyberscoop.com\/salesforce-gainsight-customers-breach\/\">malicious activity in Gainsight applications<\/a> connected to Salesforce customer environments in November.<\/p>\n<p>A more extensive downstream attack spree discovered in August <a href=\"https:\/\/cyberscoop.com\/salesloft-drift-compromise-scope-expands\/\">impacted more than 700 companies<\/a> who integrated the AI chat agent Salesloft Drift into their Salesforce environments. ShinyHunters or threat clusters affiliated with the extortion group were involved in both of those campaigns as well.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.0124153498871\">\n<div class=\"author-card\" readability=\"14\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2026\/03\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months-1.jpg?w=640&ssl=1\" alt=\"Matt Kapko\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Matt Kapko<\/h4>\n<p> Matt Kapko is a reporter at CyberScoop. His beat includes cybercrime, ransomware, software defects and vulnerability (mis)management. The lifelong Californian started his journalism career in 2001 with previous stops at Cybersecurity Dive, CIO, SDxCentral and RCR Wireless News. Matt has a degree in journalism and history from Humboldt State University. <\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p>  <\/div>\n<p>\n<\/div>\n<p> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Government<\/h3>\n<\/p><\/div>\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">Technology<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to CyberScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p>   <\/body> <a href=\"https:\/\/cyberscoop.com\/salesforce-experience-cloud-customers-attacks\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Salesforce issues new security alert tied to third customer attack<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[282,78,3912,646,3099,2151,288],"tags":[286,86,3916,650,3104,2155,294],"class_list":["post-8422","post","type-post","status-publish","format-standard","hentry","category-cybercrime","category-cybersecurity","category-identity","category-mandiant","category-salesforce","category-shinyhunters","category-threats","tag-cybercrime","tag-cybersecurity","tag-identity","tag-mandiant","tag-salesforce","tag-shinyhunters","tag-threats"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybercrime\/\" rel=\"category tag\">cybercrime<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category tag\">Cybersecurity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/identity\/\" rel=\"category tag\">identity<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/mandiant\/\" rel=\"category tag\">Mandiant<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/salesforce\/\" rel=\"category tag\">Salesforce<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/shinyhunters\/\" rel=\"category tag\">ShinyHunters<\/a> <a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/threats\/\" rel=\"category tag\">Threats<\/a>","tag_info":"Threats","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8422","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=8422"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/8422\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=8422"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=8422"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=8422"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}

{"id":8422,"date":"2026-03-11T09:12:16","date_gmt":"2026-03-11T14:12:16","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=88175"},"modified":"2026-03-11T09:12:16","modified_gmt":"2026-03-11T14:12:16","slug":"salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2026\/03\/11\/salesforce-issues-new-security-alert-tied-to-third-customer-attack-spree-in-six-months\/","title":{"rendered":"Salesforce issues new security alert tied to third customer attack spree in six months"},"content":{"rendered":"