Salesforce: Threat actors use custom AuraInspector to harvest data from Salesforce systems

Threat Actors Exploit Modified AuraInspector Tool to Harvest Data from Misconfigured Salesforce Sites

On March 10, 2026, Salesforce’s Cybersecurity Operations Center (CSOC) warned of a campaign in which threat actors are mass-scanning publicly accessible Salesforce Experience Cloud sites using a modified version of the AuraInspector tool. Originally developed by Google/Mandiant, AuraInspector is an open-source command-line utility designed to audit Salesforce Aura and Experience Cloud applications for data exposure risks by simulating unauthenticated or guest user access.

Attackers have adapted the tool to exploit overly permissive guest user settings, enabling them to extract sensitive CRM data including Accounts, Contacts, and Leads via exposed Aura endpoints, record lists, or GraphQL controllers. While the original AuraInspector only identifies vulnerabilities, the modified version actively harvests data from misconfigured environments.

Salesforce confirmed that the activity does not stem from a platform vulnerability but rather from customer misconfigurations, particularly in Experience Cloud guest user permissions. Exposed data could be leveraged for targeted social engineering or vishing attacks.

The company attributes the campaign to a known threat actor group, potentially ShinyHunters, which has previously targeted Salesforce environments through third-party applications. Salesforce advises organizations to review and secure guest user settings, restrict public access, disable unnecessary APIs, and monitor logs to mitigate risks.

Source: https://securityaffairs.com/189214/security/threat-actors-use-custom-aurainspector-to-harvest-data-from-salesforce-systems.html

Salesforce cybersecurity rating report: https://www.rankiteo.com/company/salesforce

"id": "SAL1773146972",
"linkid": "salesforce",
"type": "Breach",
"date": "3/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'industry': 'Various (Salesforce customers)',
                        'name': 'Salesforce customers with misconfigured '
                                'Experience Cloud sites',
                        'type': 'Organizations'}],
 'attack_vector': 'Misconfigured guest user permissions in Salesforce '
                  'Experience Cloud',
 'data_breach': {'data_exfiltration': 'Yes',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (personally identifiable '
                                        'information)',
                 'type_of_data_compromised': 'CRM data (Accounts, Contacts, '
                                             'Leads)'},
 'date_detected': '2026-03-10',
 'date_publicly_disclosed': '2026-03-10',
 'description': 'On March 10, 2026, Salesforce’s Cybersecurity Operations '
                'Center (CSOC) warned of a campaign in which threat actors are '
                'mass-scanning publicly accessible Salesforce Experience Cloud '
                'sites using a modified version of the AuraInspector tool. '
                'Attackers adapted the tool to exploit overly permissive guest '
                'user settings, enabling them to extract sensitive CRM data '
                'including Accounts, Contacts, and Leads via exposed Aura '
                'endpoints, record lists, or GraphQL controllers. The activity '
                'stems from customer misconfigurations, particularly in '
                'Experience Cloud guest user permissions, and exposed data '
                'could be leveraged for targeted social engineering or vishing '
                'attacks.',
 'impact': {'data_compromised': 'Accounts, Contacts, Leads (CRM data)',
            'identity_theft_risk': 'High',
            'systems_affected': 'Salesforce Experience Cloud sites'},
 'initial_access_broker': {'entry_point': 'Misconfigured Salesforce Experience '
                                          'Cloud guest user permissions'},
 'investigation_status': 'Ongoing',
 'lessons_learned': 'Misconfigurations in cloud services like Salesforce '
                    'Experience Cloud can lead to significant data exposure. '
                    'Regular audits of guest user permissions and public '
                    'access settings are critical.',
 'motivation': 'Data exfiltration for targeted social engineering or vishing '
               'attacks',
 'post_incident_analysis': {'corrective_actions': 'Secure guest user settings, '
                                                  'restrict public access, '
                                                  'disable unnecessary APIs, '
                                                  'and monitor logs.',
                            'root_causes': 'Customer misconfigurations in '
                                           'Salesforce Experience Cloud guest '
                                           'user permissions'},
 'recommendations': 'Review and secure guest user settings, restrict public '
                    'access to Salesforce Experience Cloud sites, disable '
                    'unnecessary APIs, and monitor logs for suspicious '
                    'activity.',
 'references': [{'source': 'Salesforce Cybersecurity Operations Center '
                           '(CSOC)'}],
 'response': {'containment_measures': 'Review and secure guest user settings, '
                                      'restrict public access, disable '
                                      'unnecessary APIs, monitor logs',
              'enhanced_monitoring': 'Monitor logs for suspicious activity',
              'remediation_measures': 'Secure guest user permissions, restrict '
                                      'public access to Salesforce Experience '
                                      'Cloud sites'},
 'stakeholder_advisories': 'Salesforce advises organizations to review and '
                           'secure guest user settings, restrict public '
                           'access, disable unnecessary APIs, and monitor '
                           'logs.',
 'threat_actor': 'ShinyHunters (potentially)',
 'title': 'Threat Actors Exploit Modified AuraInspector Tool to Harvest Data '
          'from Misconfigured Salesforce Sites',
 'type': 'Data Harvesting',
 'vulnerability_exploited': 'Overly permissive guest user settings in '
                            'Salesforce Experience Cloud'}