Why attackers are targeting Salesforce implementations right now, and what you can do to protect your application
There's a lot of noise out there about Salesforce security this year. Headlines, breach disclosures, vague "third-party CRM" language. I've been tracking this closely and the picture is both alarming and clarifying.
Here's the actual breakdown.
The Campaign Is Real and Ongoing
Since early 2026, a coordinated data theft campaign has been targeting Salesforce customers at scale. The threat group ShinyHunters is heavily implicated and has claimed responsibility for dozens of high-profile breaches.
What's important to understand upfront: these aren't exploits of Salesforce itself. The platform isn't broken. What's broken is how people configure the platform and implement their Salesforce application.
The attacks leverage permission misconfigurations, social engineering, and third-party vulnerabilities — not inherent platform flaws.
Timeline of Major Incidents
The scale of this is hard to ignore once you look at the list of targets, which includes Grubhub, Odido, Axios, LexisNexis and Loblaw, to name a few.
That's not a rough patch. That's a sustained, multi-month offensive against Salesforce customers, carried out by finding weaknesses in each customer's own implementation.
The Five Common Attack Vectors
The attackers aren't doing anything clever. They're doing what works.
1. Experience Cloud Misconfiguration
This is the big one. Public-facing sites with overly permissive guest user profiles are the primary entry point. Salesforce's own warning pointed directly at this — guest users who can read far more than they should.
2. Social Engineering and Credential Theft
Attackers target employee accounts to bypass security controls. A single compromised credential can undo months of security investment. The Infinite Campus breach came from a single employee's Salesforce account.
3. API Abuse
When guest user profiles have "API Enabled" checked, attackers can bulk-exfiltrate data at scale. This is the difference between seeing a few records and walking away with tens of millions.
4. Third-Party and Supply Chain Exploits
The Odido breach didn't just come from Salesforce directly — it involved a BeyondTrust vulnerability in integrated software. Attackers increasingly pivot through connected vendors to reach the org.
5. Obfuscation in Breach Reporting
Notice a pattern in the headlines? Victims often refer to Salesforce generically as a "third-party CRM" in breach disclosures. This downplays direct platform involvement and makes it harder to track the real scope of the problem.
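The API abuse vector above leaves a trail in the org's own logs: a guest user pulling tens of millions of records shows up as a burst of query calls with large row counts. As an added illustration (example code written for this post, not Salesforce's tooling and not part of the original article), here is a small detector that walks rows exported from a Salesforce EventLogFile "API" event type, keeps a sliding ten-minute window of rows returned per user, and flags any user who exceeds a budget, with a much lower budget for guest users. The column subset, the "G" user-type code for guests, the user IDs and the log rows are all constructed for this example; check them against your own export before relying on it.

```python
"""Flag bulk record reads by guest users in Salesforce API event log rows.

Added example. SAMPLE_LOG is constructed: it mimics a subset of EventLogFile
'API' columns (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, USER_TYPE, URI,
ROWS_PROCESSED). The user-type code for guests (GUEST_CODE) is an assumption
about the export format; verify it against your org's actual files."""
import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

GUEST_CODE = "G"  # assumed USER_TYPE code for a guest (unauthenticated site) user

# Constructed sample: one staff user doing normal-sized queries and one guest
# user paging through a query result 600 rows at a time.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,USER_TYPE,URI,ROWS_PROCESSED
API,2026-03-02T10:00:01.000Z,0055g00000STAFF1,S,/services/data/v60.0/query,150
API,2026-03-02T10:00:09.000Z,0055g00000GUEST1,G,/services/data/v60.0/query,600
API,2026-03-02T10:00:31.000Z,0055g00000GUEST1,G,/services/data/v60.0/query/01gEXAMPLELOCATOR-600,600
API,2026-03-02T10:01:02.000Z,0055g00000GUEST1,G,/services/data/v60.0/query/01gEXAMPLELOCATOR-1200,600
API,2026-03-02T10:30:00.000Z,0055g00000STAFF1,S,/services/data/v60.0/query,300
"""


def parse_rows(text):
    """Parse the CSV export into dicts sorted by timestamp."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": r["USER_ID"],
            "guest": r["USER_TYPE"] == GUEST_CODE,
            "rows": int(r["ROWS_PROCESSED"] or 0),
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect_bulk_reads(rows, window=timedelta(minutes=10),
                      guest_limit=1000, user_limit=50000):
    """Sliding-window sum of rows returned per user.

    A guest gets a far smaller budget than an authenticated user: a public
    site rarely needs more than a page of records per visitor, so a guest
    session crossing the threshold is either a misconfiguration being
    exercised or an exfiltration in progress. One alert per user."""
    alerts = []
    windows = defaultdict(deque)   # user -> deque of (timestamp, rows)
    totals = defaultdict(int)      # user -> rows currently inside the window
    alerted = set()
    for r in rows:
        user = r["user"]
        q = windows[user]
        q.append((r["ts"], r["rows"]))
        totals[user] += r["rows"]
        # Drop entries that have aged out of the window.
        while q and r["ts"] - q[0][0] > window:
            _, old = q.popleft()
            totals[user] -= old
        limit = guest_limit if r["guest"] else user_limit
        if totals[user] > limit and user not in alerted:
            alerted.add(user)
            alerts.append({
                "user": user,
                "guest": r["guest"],
                "rows_in_window": totals[user],
                "at": r["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_bulk_reads(parse_rows(SAMPLE_LOG)):
        print(f"{a['at']} user={a['user']} guest={a['guest']} "
              f"rows_in_10min={a['rows_in_window']}")
```

On the constructed log the guest user is flagged at the second call (1,200 rows inside the window against a budget of 1,000) while the staff user never gets near its limit. Tune the budgets to what your site actually returns; the point is that a guest profile's read volume has a known, small ceiling, and anything past it is worth a look.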
Five Config Changes to Make Today
These aren't theoretical recommendations. Each one closes an active attack vector being exploited right now.
1. Audit Guest User Configurations
Restrict guest user profiles to the absolute minimum objects and fields required. If a guest doesn't need access to it, they shouldn't see it. Period.
2. Set Org-Wide Defaults to Private
All objects should be set to Private for external users in Sharing Settings. This is your baseline. You can always open things up selectively — but starting wide is how you end up on a breach list.
3. Disable Public APIs
Uncheck API Enabled in the guest user profile's System Permissions. If guests don't need programmatic access, don't give it to them. This alone stops bulk exfiltration.
4. Restrict User Visibility
Uncheck Portal User Visibility and Site User Visibility in Sharing Settings. Guest users shouldn't be able to enumerate other users in your org.
5. Disable Self-Registration
If unauthenticated visitors don't need to create accounts, turn self-registration off. Every new account is another surface to manage and potentially misconfigure.
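The first three changes above are all visible in the org's metadata, so they can be checked mechanically rather than by clicking through Setup. The following is an added example (written for this post; not from the original article and not Salesforce's own code) that audits an SFDX-format guest user profile, reading its objectPermissions, fieldPermissions and the ApiEnabled user permission, together with an object's externalSharingModel, against an allowlist of what the public site genuinely needs. The two XML fragments are constructed, and the allowlists are assumptions you would replace with your own. Items 4 and 5 (Portal/Site User Visibility and self-registration) live in Sharing Settings and the site configuration rather than in these files, so this script does not cover them.

```python
"""Audit Salesforce guest-user metadata for the misconfigurations discussed above.

Added example, not the article's or Salesforce's code. Inputs are SFDX-format
Profile metadata (e.g. force-app/main/default/profiles/<Site> Profile.profile-meta.xml)
and CustomObject metadata (e.g. objects/Account/Account.object-meta.xml).
The two documents below are constructed samples."""
import xml.etree.ElementTree as ET

NS = "{http://soap.sforce.com/2006/04/metadata}"

# Constructed guest profile: Contact read is intended, but Case read with
# "View All" and the API Enabled permission are the kind of over-grants the
# campaign relies on.
GUEST_PROFILE_XML = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllData>false</modifyAllData><object>Contact</object>
        <viewAllData>false</viewAllData>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate><allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit><allowRead>true</allowRead>
        <modifyAllData>false</modifyAllData><object>Case</object>
        <viewAllData>true</viewAllData>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable><field>Contact.Name</field><readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable><field>Contact.Email</field><readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled><name>ApiEnabled</name>
    </userPermissions>
</Profile>"""

# Constructed object metadata with the external default left open.
ACCOUNT_OBJECT_XML = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <externalSharingModel>ReadWrite</externalSharingModel>
    <sharingModel>ReadWrite</sharingModel>
</CustomObject>"""


def _text(el, tag):
    child = el.find(NS + tag)
    return child.text.strip() if child is not None and child.text else ""


def _flag(el, tag):
    return _text(el, tag).lower() == "true"


def audit_guest_profile(profile_xml, allowed_objects, allowed_fields=()):
    """Return a list of findings for a guest profile.

    allowed_objects / allowed_fields are the minimum the public site needs
    (assumed here); anything granted beyond them is reported."""
    root = ET.fromstring(profile_xml)
    findings = []
    # Change 3: API Enabled on a guest profile is the bulk-exfiltration path.
    for perm in root.findall(NS + "userPermissions"):
        if _text(perm, "name") == "ApiEnabled" and _flag(perm, "enabled"):
            findings.append("ApiEnabled: guests can query the org programmatically")
    # Change 1: object and field access beyond the allowlist.
    for op in root.findall(NS + "objectPermissions"):
        obj = _text(op, "object")
        granted = [t for t in ("allowRead", "allowCreate", "allowEdit", "allowDelete")
                   if _flag(op, t)]
        if granted and obj not in allowed_objects:
            findings.append(f"{obj}: {', '.join(granted)} granted but object not on allowlist")
        for t in ("viewAllData", "modifyAllData"):
            if _flag(op, t):
                findings.append(f"{obj}: {t} bypasses sharing rules entirely")
        for t in ("allowCreate", "allowEdit", "allowDelete"):
            if _flag(op, t):
                findings.append(f"{obj}: {t} granted to an unauthenticated profile")
    for fp in root.findall(NS + "fieldPermissions"):
        field = _text(fp, "field")
        if _flag(fp, "readable") and field not in allowed_fields:
            findings.append(f"{field}: readable but field not on allowlist")
    return findings


def audit_external_sharing(object_name, object_xml):
    """Change 2: the external org-wide default must be Private."""
    model = _text(ET.fromstring(object_xml), "externalSharingModel")
    if model != "Private":
        return [f"{object_name}: externalSharingModel is {model or 'unset'}, expected Private"]
    return []


def run_sample_audit():
    """Run both checks on the constructed samples with an assumed allowlist."""
    return {
        "profile": audit_guest_profile(GUEST_PROFILE_XML,
                                       allowed_objects={"Contact"},
                                       allowed_fields={"Contact.Name"}),
        "sharing": audit_external_sharing("Account", ACCOUNT_OBJECT_XML),
    }


if __name__ == "__main__":
    for section, items in run_sample_audit().items():
        print(section.upper())
        for f in items:
            print("  -", f)
```

Run it against a retrieved project and every line it prints is one of the first three changes above not yet made. The allowlist approach is deliberate: rather than enumerating bad grants, you state what the site needs and treat everything else as a finding, which is exactly the "absolute minimum" posture the audit step calls for.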
Final thought
The threat landscape is active and evolving. The good news is that these are all configuration problems, not Salesforce platform problems. That means you can fix them without waiting for a patch.
Misconfigurations are the attack surface. Proper guest user and admin hygiene stops most of what's being exploited right now.
Start with one public-facing site, audit its guest profile, and work outward. You'll likely find more than you expected.