
Salesforce Security Breaches: 2026 Experience Cloud Threats

Vinay Vernekar · 3 min read

Overview: 2026 Data Exfiltration Trends

Since late 2025, a persistent campaign of data theft has targeted Salesforce environments. Threat actors are primarily leveraging "overly permissive" Experience Cloud guest user configurations to exfiltrate sensitive data. While some organizations refer to these incidents as "third-party CRM" breaches, the underlying vulnerability often lies in the intersection of public-facing site configurations and inadequate permission sets.

2026 Incident Timeline

  • January 19: Grubhub reported a data breach linked to the hacking group ShinyHunters.
  • February 16: Odido (formerly T-Mobile) confirmed an incident involving social engineering targeting their Salesforce instance.
  • March 7: Salesforce officially confirmed active threat actor campaigns targeting misconfigured publicly accessible Experience Cloud sites.
  • March 9–31: A series of major leaks were attributed to the ShinyHunters extortion group, impacting entities including LexisNexis, Loblaw, Infinite Campus, and Axios. These attacks included supply chain vectors and direct exploitation of internal records.

Technical Mitigation: Hardening Experience Cloud

To mitigate these risks, Salesforce security architects and admins must perform an immediate audit of all public-facing sites. The following configurations are mandatory to ensure the principle of least privilege:

Recommended Security Actions

  • Audit Guest User Profiles: Review every object and field access level. Remove all non-essential permissions. Use the "Guest User Security Policy" to enforce record ownership constraints.
  • Enforce Private OWDs: Set Organization-Wide Defaults (OWD) for all objects to Private for external users to prevent broad visibility.
  • Disable Unnecessary APIs: Within the Guest User profile, ensure the "API Enabled" system permission is explicitly unchecked.
  • Restrict User Visibility: In Sharing Settings, disable "Portal User Visibility" and "Site User Visibility" to prevent guest users from discovering other users in the org.
  • Disable Self-Registration: Unless your business requirements explicitly mandate unauthenticated account creation, disable the self-registration feature on all Experience Cloud sites.
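The profile and object-permission checks above can be scripted rather than clicked through. The following is an added example, not code from the article: it takes the record lists returned by two SOQL queries (the `Profile` and `ObjectPermissions` fields used are real Salesforce fields; the sample records are constructed, and the `SENSITIVE_OBJECTS` list is an assumption you should tune to your org) and reports every guest profile that still has API Enabled, View/Modify All, Edit/Delete, or read access to customer objects.

```python
"""Audit Experience Cloud guest user profiles against the hardening checklist.

Inputs are the `records` arrays from the two queries below (for example the
`result.records` of `sf data query --query "..." --json`); the sample data
at the bottom is constructed, not pulled from a real org.
"""

# Queries used to collect the inputs (guest users carry the Guest User License).
PROFILE_SOQL = ("SELECT Id, Name, PermissionsApiEnabled FROM Profile "
                "WHERE UserLicense.Name = 'Guest User License'")
OBJPERM_SOQL = ("SELECT Parent.ProfileId, SobjectType, PermissionsRead, "
                "PermissionsEdit, PermissionsDelete, PermissionsViewAllRecords, "
                "PermissionsModifyAllRecords FROM ObjectPermissions "
                "WHERE Parent.ProfileId != null")

# Assumption: standard objects a public guest profile should not read at all.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity", "Case"}


def audit_guest_profiles(profiles, object_perms):
    """Return (profile_name, finding) tuples; an empty list means all checks passed."""
    guest_ids = {p["Id"]: p["Name"] for p in profiles}
    findings = []
    for p in profiles:
        if p.get("PermissionsApiEnabled"):
            findings.append((p["Name"], "API Enabled must be unchecked on guest profiles"))
    for op in object_perms:
        pid = (op.get("Parent") or {}).get("ProfileId")
        if pid not in guest_ids:
            continue  # permission set or non-guest profile: out of scope here
        name, obj = guest_ids[pid], op["SobjectType"]
        if op.get("PermissionsViewAllRecords") or op.get("PermissionsModifyAllRecords"):
            findings.append((name, f"View/Modify All on {obj} bypasses Private OWD"))
        if obj in SENSITIVE_OBJECTS and op.get("PermissionsRead"):
            findings.append((name, f"Read access to {obj} exposes customer records"))
        if op.get("PermissionsEdit") or op.get("PermissionsDelete"):
            findings.append((name, f"Edit/Delete on {obj} allowed for unauthenticated users"))
    return findings


# Constructed sample: one misconfigured guest profile and one hardened one.
SAMPLE_PROFILES = [
    {"Id": "00e000000000001AAA", "Name": "Support Site Profile", "PermissionsApiEnabled": True},
    {"Id": "00e000000000002AAA", "Name": "Docs Site Profile", "PermissionsApiEnabled": False},
]
SAMPLE_OBJPERMS = [
    {"Parent": {"ProfileId": "00e000000000001AAA"}, "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsEdit": True, "PermissionsDelete": False,
     "PermissionsViewAllRecords": True, "PermissionsModifyAllRecords": False},
    {"Parent": {"ProfileId": "00e000000000002AAA"}, "SobjectType": "Doc_Article__c",
     "PermissionsRead": True, "PermissionsEdit": False, "PermissionsDelete": False,
     "PermissionsViewAllRecords": False, "PermissionsModifyAllRecords": False},
]

if __name__ == "__main__":
    for profile, finding in audit_guest_profiles(SAMPLE_PROFILES, SAMPLE_OBJPERMS):
        print(f"[{profile}] {finding}")
```

Run it against the real query output on a quarterly cadence; any non-empty result is a profile to fix before the next review.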

Monitoring and Response

Security teams should leverage the Event Monitoring log files to track Login and Guest User access patterns. Unusual spikes in record retrieval from Guest profiles should trigger an immediate investigation.

Key Takeaways

  • Guest Access is a High-Risk Vector: Never grant read access to standard objects like Account or Contact on public guest profiles unless strictly necessary for site functionality.
  • Default to Private: Always start with the most restrictive sharing model and grant access via explicit sharing rules only where required.
  • Audit Regularly: Security configurations are not "set and forget." Establish a quarterly cadence to audit site guest user profiles and system permissions.
