ShinyHunters Threaten Critical Salesforce Aura Data Theft
We are seeing reports of a data theft attack affecting Salesforce Experience Cloud platforms as of March 9, 2026.
According to Bill Toulas, attackers are exploiting misconfigured Experience Cloud platforms that give guest users access to more data than intended. The ShinyHunters gang claims active exploitation of a new bug to steal data from instances. Independent confirmations from the Salesforce security team highlight vulnerabilities in Aura. Specifically, the bug allows unauthorized data retrieval via API endpoints. Multiple reported incidents indicate widespread misuse.
Mid-market and enterprise organizations deploying Salesforce Experience Cloud are at risk. In particular, CISOs and system administrators must review platform configurations. Regulatory implications under GDPR, HIPAA, and SEC compliance require immediate mitigation.
Similar vulnerabilities in Salesforce Aura surfaced in 2024, prompting patch releases. Threat actor evolution shows a shift from opportunistic attacks to targeted data theft. The ShinyHunters gang has increased activity post-2025, indicating a new threat vector.
Approximately 1500 Salesforce instances are potentially vulnerable. Once an instance is compromised, sensitive customer data could be exposed, leading to operational disruption and reputational damage. Attackers may chain API calls to harvest large datasets. Consequently, the risk is high for organizations with critical data stores. Based on recent reports, a potential breach could cost millions in regulatory fines.
Immediately patch to the latest Salesforce Aura release (v3.9). Disable guest user access and enforce strict authentication. Next, audit all Experience Cloud configurations to ensure compliance. Alternative mitigations include third-party security modules. Additionally, detect unauthorized API calls using monitoring tools. After verifying patch rollout, validate data integrity.
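One way to detect the chained guest API calls described above, as an added example that is not from the original report or from Salesforce. The CSV schema, field names, URI values and thresholds are assumptions; map them to whatever your request logs actually export.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (hypothetical CSV schema, documentation-range IPs).
SAMPLE_LOG = """timestamp,client_ip,user_type,uri,rows_returned
2026-03-09T10:00:00,203.0.113.10,Guest,/s/sfsites/aura,400
2026-03-09T10:00:10,203.0.113.10,Guest,/s/sfsites/aura,400
2026-03-09T10:00:20,203.0.113.10,Guest,/s/sfsites/aura,400
2026-03-09T10:00:30,203.0.113.10,Guest,/s/sfsites/aura,400
2026-03-09T10:00:05,198.51.100.7,Guest,/s/sfsites/aura,20
2026-03-09T10:10:05,198.51.100.7,Guest,/s/sfsites/aura,20
2026-03-09T10:00:07,192.0.2.5,Member,/s/sfsites/aura,2000
2026-03-09T10:00:09,192.0.2.5,Member,/s/sfsites/aura,2000
not-a-timestamp,198.51.100.7,Guest,/s/sfsites/aura,5000
2026-03-09T10:00:11,198.51.100.7,Guest,/s/login,0
"""

def flag_guest_harvesting(log_text, window=timedelta(minutes=1),
                          max_calls=3, max_rows=1000):
    """Return {client_ip: (peak_calls, peak_rows)} for guest clients whose
    Aura requests exceed either threshold inside any sliding window."""
    events = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["user_type"] != "Guest" or "/aura" not in (row["uri"] or ""):
            continue  # only unauthenticated Aura API traffic is in scope
        try:
            ts = datetime.fromisoformat(row["timestamp"])
            events[row["client_ip"]].append((ts, int(row["rows_returned"])))
        except (TypeError, ValueError):
            continue  # skip malformed records instead of aborting the scan
    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = rows = 0
        for end, (ts, n) in enumerate(evs):
            rows += n
            while ts - evs[start][0] > window:  # slide the window forward
                rows -= evs[start][1]
                start += 1
            calls = end - start + 1
            if calls > max_calls or rows > max_rows:
                peak = flagged.get(ip, (0, 0))
                flagged[ip] = (max(peak[0], calls), max(peak[1], rows))
    return flagged
```

Tune the window and thresholds against a baseline of normal guest traffic for your site before alerting on the output.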
Vendor advisories from Salesforce https://www.salesforce.com/security/updates/ and CISA alerts https://www.cisa.gov/alerts/ provide further guidance.
For further guidance, consult https://defendmybusiness.com/cyber-security-consulting-services/. Solution categories exist for cloud security.
Sources:
- Bill Toulas