After the ShinyHunters hacking collective took advantage of “overly permissive” Salesforce guest user configurations to access data from up to 400 organisations, how can firms strengthen resilience?

By Kate O’Flaherty

In March, Salesforce issued a warning to customers that the ShinyHunters hacking collective was taking advantage of misconfigurations on public-facing Experience Cloud sites to access sensitive data and hold firms to ransom.

The attackers apparently weaponised a modified version of the open-source tool AuraInspector, originally developed by Mandiant, to perform mass scanning and find configuration gaps, attacking up to 400 organisations.

AuraInspector probes the Salesforce Aura framework to identify security misconfigurations in Experience Cloud sites. The attackers created a version of the tool “capable of going beyond identification to actually extract data”, Salesforce warned in an advisory.

“This is the modern attacker playbook,” says Dean Garvey-North, CTO at Microlise. “Use legitimate tooling, target configuration weaknesses rather than platform vulnerabilities, and operate at internet scale.”

With adversaries taking advantage of customers with “overly permissive guest user settings”, Salesforce was not to blame for the incident — at least from a legal standpoint. The incident is a prime example of how cloud configuration, identity exposure and shared responsibility models are creating new and often misunderstood areas of risk.

How can organisations reduce exposure and strengthen resilience in cloud-driven environments where the risk often sits in the gap between platform capability and customer configuration?

Misconfigurations

As the Salesforce incident demonstrates, misconfigurations, particularly around guest access and identity permissions, continue to be a persistent source of data exposure.

Misconfigurations persist because organisations frequently prioritise usability and rapid digital deployment over security. This inadvertently grants unauthenticated external users “broad, internal data permissions” rather than strictly enforcing a “least privilege” access model, says Dray Agha, senior manager of security operations at Huntress.

Usability and security are “in tension by design”, and configuration decisions made at implementation time are rarely revisited, says Microlise’s Garvey-North. “Salesforce Experience Cloud portals use a dedicated guest user profile that allows unauthenticated visitors to view public pages or submit forms without logging in. When that profile is misconfigured with excessive permissions, data not intended to be public becomes directly queryable, with no login required.”

The problem is structural, says Garvey-North. “Platforms ship with permissive defaults to reduce friction for new customers. Implementation teams optimise for getting things working. Security reviews happen at point-in-time.”

But cloud configuration is not static: “Every new portal, integration, or feature rollout is a potential new exposure surface,” Garvey-North points out. “Without continuous configuration monitoring, you’re essentially trusting that nothing has drifted since your last audit.”
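To make that drift concrete, here is an added example (not code from the article, Salesforce or Mandiant) of the kind of check that turns a point-in-time review into a repeatable one. It parses a guest user profile in the Profile XML format the Salesforce Metadata API produces, reports every object, field and user permission the guest holds beyond an allowlist of what the portal actually needs, and diffs the current grants against the snapshot approved at the last audit. The sample profile, the allowlist and the baseline are constructed for the demo.

```python
"""Audit a Salesforce Experience Cloud guest user profile against a
least-privilege allowlist and report drift from the last approved baseline.

Added example, not code from the article, Salesforce or Mandiant. Input is
the Profile XML produced by the Salesforce Metadata API (objectPermissions,
fieldPermissions, userPermissions). The sample profile, allowlist and
baseline below are constructed for the demo.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List, Set, Tuple

NS = "{http://soap.sforce.com/2006/04/metadata}"
Grants = Dict[str, Set[str]]  # e.g. {"object:Contact": {"allowRead", "viewAllRecords"}}

# Constructed sample: the portal only ever needed guests to create Cases for a
# web-to-case form, but the profile has accumulated Contact access and API access.
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>true</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>true</readable>
    </fieldPermissions>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
</Profile>
"""

# Policy: what the portal actually needs a guest to do. Anything else is a finding.
ALLOWLIST: Grants = {"object:Case": {"allowCreate"}}

# Snapshot approved at the last audit. Drift is measured against this, not the
# policy, so a reviewer sees exactly what changed since they last looked.
BASELINE: Grants = {"object:Case": {"allowCreate"}}


def _true_flags(elem: ET.Element) -> Set[str]:
    """Names of the boolean children set to 'true' (object/field/name never match)."""
    return {child.tag[len(NS):] for child in elem if (child.text or "").strip() == "true"}


def parse_profile(xml_text: str) -> Grants:
    """Collapse a Profile XML into {'object:X'|'field:X'|'user:X': {granted flags}}."""
    root = ET.fromstring(xml_text)
    grants: Grants = {}
    for op in root.iter(NS + "objectPermissions"):
        flags = _true_flags(op)
        if flags:
            grants["object:" + op.find(NS + "object").text] = flags
    for fp in root.iter(NS + "fieldPermissions"):
        flags = _true_flags(fp)
        if flags:
            grants["field:" + fp.find(NS + "field").text] = flags
    for up in root.iter(NS + "userPermissions"):
        if "enabled" in _true_flags(up):
            grants["user:" + up.find(NS + "name").text] = {"enabled"}
    return grants


def audit(grants: Grants, allowlist: Grants) -> List[str]:
    """One finding per permission the guest holds that the allowlist does not grant."""
    findings = []
    for key, flags in sorted(grants.items()):
        for flag in sorted(flags - allowlist.get(key, set())):
            findings.append(f"{key}: {flag} is granted to the guest profile but not allowed")
    return findings


def drift(baseline: Grants, current: Grants) -> Tuple[List[Tuple[str, str]], List[Tuple[str, str]]]:
    """(added, removed) permission pairs between the approved snapshot and now."""
    before = {(k, f) for k, fs in baseline.items() for f in fs}
    now = {(k, f) for k, fs in current.items() for f in fs}
    return sorted(now - before), sorted(before - now)


if __name__ == "__main__":
    current = parse_profile(SAMPLE_PROFILE)
    for line in audit(current, ALLOWLIST):
        print("FINDING", line)
    added, removed = drift(BASELINE, current)
    print("added since last audit:", added)
    print("removed since last audit:", removed)
```

Pulling the live guest profile (for example with the Salesforce CLI or Metadata API) and running this on a schedule, with the baseline updated only after a reviewer signs off, is what closes the gap between the last audit and the current state.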

Who’s to Blame?

The Salesforce incident is an example of how features designed for usability, such as public portals, APIs and guest access, introduce new and often underestimated security risks.

These features often change traditional security assumptions, says Dana Simberkoff, chief risk, privacy and information security officer at AvePoint. “Usability-driven design often shifts risk, quietly, from the platform to the customer.”

It can then be challenging to work out where responsibility lies between cloud providers and customers — especially when incidents stem from configuration issues, rather than core platform vulnerabilities.

Attackers said a “Salesforce limitation” enabled the incident. Yet Salesforce itself has been clear: This is not a platform vulnerability, but an issue in how customers have configured guest user permissions, says Garvey-North.

Cloud providers secure the platform, but customers are responsible for how it’s configured, including identity, permissions and data exposure. “That’s where most organisations fall short,” says Stew Parkin, global CTO at Assured Data Protection. “They end up relying on point-in-time audits in environments that are constantly changing.”

The shared responsibility model is “well-established in theory and persistently misunderstood in practice”, adds Microlise’s Garvey-North. “Cloud providers secure the infrastructure and the platform. Customers are responsible for what they put on it, how they configure access, and how they govern it over time. The gap, and where most breaches now live, is in the configuration layer.”

Automation Enabling Attacks

At the same time, attackers are growing in capability, using automation and legitimate tools to identify and exploit weaknesses across hundreds of organisations simultaneously. Mandiant’s CTO confirmed ShinyHunters was using AuraInspector to automate misconfiguration scans across Salesforce environments at scale.

“When defenders think about cloud risk, they still tend to think in terms of individual incidents,” says Garvey-North.

But attackers think in terms of surface area. “Any misconfiguration pattern that exists across thousands of organisations is a single automated campaign away from mass exploitation,” says Garvey-North.

Meanwhile, tactics such as staged leaks and vishing campaigns are increasing the impact of these types of incidents.

ShinyHunters set a public deadline, warning that stolen data would be released unless victims complied with extortion demands.

The group ran parallel vishing operations, impersonating IT staff and directing employees to credential-harvesting sites to capture single sign-on credentials and multi-factor authentication (MFA) codes. The combination is deliberate, says Garvey-North: “Steal data via misconfiguration, harvest credentials via social engineering, then extort using both.”

It comes at a time of rising regulatory expectations around data protection, access control and accountability. With data protection laws now in force in many territories, and class action lawsuits on the rise, preventing the exposure of data is often the main factor driving payment of extortion demands.

“Although clearly not recommended, it’s often cheaper to pay to prevent release of the data, than face the fine and legal fees that come from disclosure,” Tony Gee, principal cyber security consultant at 3B Data Security says.

Bridging the Visibility Gap

Incidents such as the Salesforce attacks highlight a persistent challenge: Organisations are increasingly reliant on cloud platforms, but security accountability is distributed, and not always clearly understood.

Businesses need to move beyond assuming cloud platform security is sufficient, towards a more continuous, system-based approach to configuration management, identity governance and assurance.

Traditional security relies heavily on static, point-in-time audits that “completely miss the subtle, continuous configuration drifts and API exposures that characterise modern cloud risks,” says Huntress’ Agha.

This leaves “a dangerous visibility gap where legitimate features are quietly abused”, he warns.

With this in mind, there are some practical steps security and compliance leaders should take to improve visibility and control over identity, access and configuration settings.

Leaders must shift to a “private-by-default” security posture by actively auditing external guest profile permissions, disabling unauthenticated public API access unless strictly necessary, and implementing continuous monitoring of event logs to catch abnormal data queries, according to Agha.
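The continuous monitoring Agha describes can be expressed as a small detector over guest user activity. The following is an added example, not code from the article or from Salesforce. The column names echo Salesforce event log file conventions (USER_TYPE, CLIENT_IP, ENTITY_NAME, ROWS_PROCESSED), but the log lines, the thresholds and the list of objects this portal is expected to expose are all constructed assumptions. It raises three kinds of alert: a guest touching an object the portal was never built to expose, one client walking through many objects in a short window (enumeration), and one client pulling an unusual volume of rows (bulk extraction).

```python
"""Flag abnormal guest user data access in Salesforce-style event logs.

Added example, not code from the article or from Salesforce. The column names
follow Salesforce event log file conventions, but the lines, the thresholds and
the set of objects this portal is expected to expose are constructed assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Set, Tuple

# Objects an unauthenticated visitor legitimately touches on this portal:
# a support form (Case) and public knowledge articles. Assumption for the demo.
EXPECTED_GUEST_OBJECTS: Set[str] = {"Case", "Knowledge__kav"}
WINDOW = timedelta(minutes=5)
ENUM_THRESHOLD = 3      # distinct objects per client IP within one window
ROWS_THRESHOLD = 500    # rows returned per client IP within one window

# Constructed log: one visitor using the form, one authenticated analyst session
# (ignored, it is not guest traffic), and one client sweeping CRM objects as a guest.
SAMPLE_LOG = """\
TIMESTAMP_DERIVED,USER_TYPE,CLIENT_IP,ENTITY_NAME,ROWS_PROCESSED
2026-03-10T12:00:00.000Z,Guest,203.0.113.10,Case,1
2026-03-10T12:00:02.000Z,Guest,203.0.113.10,Knowledge__kav,5
2026-03-10T12:00:30.000Z,Standard,10.0.0.5,Contact,20
2026-03-10T12:01:00.000Z,Guest,198.51.100.7,Contact,200
2026-03-10T12:01:04.000Z,Guest,198.51.100.7,Account,200
2026-03-10T12:01:09.000Z,Guest,198.51.100.7,Opportunity,200
2026-03-10T12:01:15.000Z,Guest,198.51.100.7,Lead,200
2026-03-10T12:40:00.000Z,Guest,203.0.113.10,Case,1
"""

Event = Tuple[datetime, str, int]  # (timestamp, object name, rows returned)


def parse_guest_events(log_text: str) -> Dict[str, List[Event]]:
    """Group guest-only rows by client IP, sorted by time."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["USER_TYPE"] != "Guest":
            continue
        ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ")
        by_ip[row["CLIENT_IP"]].append((ts, row["ENTITY_NAME"], int(row["ROWS_PROCESSED"])))
    for events in by_ip.values():
        events.sort()
    return by_ip


def detect(log_text: str) -> List[str]:
    """Return human-readable alerts for unexpected, enumerating or bulk guest access."""
    alerts: List[str] = []
    by_ip = parse_guest_events(log_text)

    # Rule 1: any guest read of an object the portal does not expose is a finding on its own.
    for ip, events in by_ip.items():
        for _, entity, rows in events:
            if entity not in EXPECTED_GUEST_OBJECTS:
                alerts.append(f"{ip}: guest read {rows} row(s) of {entity}, which this portal never exposes")

    # Rules 2 and 3: sliding window per client IP, reported once per IP per rule.
    for ip, events in by_ip.items():
        start = 0
        fired: Set[str] = set()
        for end in range(len(events)):
            while events[end][0] - events[start][0] > WINDOW:
                start += 1
            window = events[start:end + 1]
            distinct = {e[1] for e in window}
            total_rows = sum(e[2] for e in window)
            if len(distinct) >= ENUM_THRESHOLD and "enum" not in fired:
                fired.add("enum")
                alerts.append(f"{ip}: {len(distinct)} distinct objects within {WINDOW} (enumeration)")
            if total_rows >= ROWS_THRESHOLD and "bulk" not in fired:
                fired.add("bulk")
                alerts.append(f"{ip}: {total_rows} rows within {WINDOW} (bulk extraction)")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print("ALERT", alert)
```

The first rule is the one worth keeping even if the thresholds are tuned away: on a correctly configured portal the guest profile cannot read those objects at all, so a single hit is evidence of the permission problem, not just of an attacker.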

“Be incredibly curious in the infrastructure leveraged and assume that the provider has not implemented security-by-default,” he advises. “Investigate the security options available in the configuration of third-party tools.”

A key defensive control is strong supplier due diligence and ongoing third-party risk management, says 3B Data Security’s Gee. He recommends a least privilege approach to data sharing, with only data needed shared with the third party.

Microlise’s Garvey-North advises asking vendors the questions you’d ask of your own infrastructure: “What are your secure-by-default configurations, how do you detect anomalous access at the platform level, and what does your disclosure process look like when something goes wrong?”

Meanwhile, having a robust response process is fundamental to limiting the risk of fines and lawsuits, Gee says. “Demonstrating strong cyber resiliency has been seen to be a deciding factor in the level of fine. Doing nothing and relying on the glossy third party marketing is not a valid defence and often leads to larger fines and easy win class action lawsuits.”

At the same time, frameworks such as ISO 27001 help by mandating rigorous, ongoing risk assessments and systematic access control policies. This helps transform cloud security from a “set and forget” checkbox into a “continuously governed process that aligns complex environments with resilient standards”, says Agha.

Where ISO 27001 genuinely adds value in complex digital environments is in forcing organisational clarity: Who owns each control, what acceptable risk looks like, and how incidents are escalated and learned from, says Garvey-North. “That governance structure becomes the connective tissue between your security engineering capability and your board-level risk appetite. Without it, you have tools without accountability.”

Expand Your Knowledge

Blog: The Path of Least Resistance: Why Defence in Depth Is the Best Response to Cloud Threats

Podcast: Phishing for Trouble Episode #10: The Big Cybersecurity Questions Facing Businesses

Webinar: The Power of ISO 27017 & 27018: Securing Your Cloud Environment