
Cybersecurity Alert - Salesforce Experience Cloud Security Incident

Impact: All Firms

FINRA firms should be aware that the threat actor group ShinyHunters¹ has been actively exploiting misconfigured Salesforce Experience Cloud instances to bypass authentication requirements and access sensitive customer data, which they are leveraging to defraud customers.

FINRA recommends sharing this Cyber Alert with appropriate information technology and information security personnel—as well as any third-party vendors that may use Salesforce Experience Cloud—to identify whether your firm is impacted and take immediate steps to protect your environments. 

Background 

On March 7, 2026, Salesforce reported that ShinyHunters was actively exploiting misconfigured Experience Cloud guest user profiles to gain unauthorized access to organizational data. Experience Cloud is a Salesforce platform that allows companies to create websites, portals and apps for the secure sharing of data both internally and externally. ShinyHunters is identifying vulnerable profiles by mass scanning publicly accessible Experience Cloud sites and probing their API endpoints. 

Key details:

  • Data stored in public-facing Salesforce Experience Cloud instances with misconfigured guest user permissions may have been accessed or exfiltrated or may remain at risk.
  • ShinyHunters is leveraging this stolen data for targeted phishing (including voice phishing, or vishing) and extortion campaigns against firm personnel and clients.
  • ShinyHunters’ methods are similar to the 2025 attack campaigns involving the third-party platforms Salesloft Drift and Gainsight.²

This incident highlights how threat actors systematically exploit configuration weaknesses in cloud platforms. Even when the underlying platform remains secure, customer-configured settings can expose high-value, sensitive business and customer data to threat actors. Your firm should be aware that if it uses Salesforce Experience Cloud—particularly the platform’s public-facing components—its data may be at risk due to ShinyHunters’ campaign targeting misconfigured guest profiles. 

Recommended Actions

Member firms using Salesforce, especially those with public-facing Experience Cloud implementations, are strongly encouraged to take immediate action to review and restrict guest user access permissions:

  • Ensure that guest users have only the minimum necessary privileges required to perform their intended functions.
  • Treat any data already exposed through misconfigured guest access as potentially compromised and increase monitoring for extortion, phishing and vishing attempts targeting employees, customers or support personnel.
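As an added illustration of the first action above (not FINRA's or Salesforce's code), the Python below compares the object permissions granted to a guest user profile against an approved baseline and lists every grant in excess of it. The baseline, object names and sample rows are constructed assumptions; the row fields follow Salesforce's ObjectPermissions object.

```python
# Added example: least-privilege audit of an Experience Cloud guest user profile.
# Rows have the shape returned by a SOQL query on ObjectPermissions, for example:
#   SELECT SobjectType, PermissionsRead, PermissionsCreate, PermissionsEdit,
#          PermissionsDelete, PermissionsViewAllRecords, PermissionsModifyAllRecords
#   FROM ObjectPermissions
#   WHERE Parent.Profile.Name = '<your guest profile name>'

PERMS = ("Read", "Create", "Edit", "Delete", "ViewAllRecords", "ModifyAllRecords")

# Hypothetical baseline: the only access this site's guest user is meant to have.
APPROVED = {
    "Knowledge__kav": {"Read"},   # public help articles
    "Case": {"Create"},           # web-to-case form, no read-back
}

# Constructed sample export (not real data).
SAMPLE_ROWS = [
    {"SobjectType": "Knowledge__kav", "PermissionsRead": True},
    {"SobjectType": "Case", "PermissionsRead": True, "PermissionsCreate": True},
    {"SobjectType": "Contact", "PermissionsRead": True},
    {"SobjectType": "Account", "PermissionsRead": True, "PermissionsEdit": True},
]


def granted(row):
    """Return the set of permission names that are enabled on one row."""
    return {p for p in PERMS if row.get("Permissions" + p)}


def audit(rows, approved):
    """Return [(object, [excess permissions])] for grants beyond the baseline."""
    findings = []
    for row in rows:
        obj = row["SobjectType"]
        # Objects missing from the baseline are approved for nothing.
        excess = granted(row) - approved.get(obj, set())
        if excess:
            findings.append((obj, sorted(excess)))
    return sorted(findings)


if __name__ == "__main__":
    for obj, excess in audit(SAMPLE_ROWS, APPROVED):
        print(f"{obj}: remove {', '.join(excess)} from the guest profile")
```

Object permissions are only one layer: which records a guest user can actually see also depends on the org's sharing settings, which this check does not cover.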

In addition, firms can get the most current updates and full remediation steps via Salesforce’s security blog.

In light of this threat campaign, firms should review their policies, procedures and controls related to cloud platform configuration and third-party service management. Related effective practices can be found in the Third-Party Risk Landscape section of the 2026 FINRA Annual Regulatory Oversight Report.

FINRA encourages member firms that identify data breaches or attempted data breaches to contact your Risk Monitoring Analyst and report them to:

Additionally, both the FBI and the Cybersecurity & Infrastructure Security Agency (CISA) urge organizations to promptly report cyber incidents to a local FBI Field Office or the FBI Internet Crime Complaint Center (IC3) at IC3.gov, and to CISA via CISA’s 24/7 Operations Center ([email protected] or 888-282-0870). 

Questions related to this Alert or other cybersecurity-related topics can be emailed to the FINRA Cyber and Analytics Unit (CAU). 

Note: This Alert does not create new legal or regulatory requirements or new interpretations of existing requirements, nor does it relieve firms of any existing obligations under federal securities laws, regulations, and FINRA rules. Member firms may consider the information in this Alert in developing new, or modifying existing, policies and procedures that are reasonably designed to achieve compliance with relevant regulatory obligations based on the member firm’s size and business model. Moreover, some information may not be relevant due to certain firms’ business models, sizes, or practices.

If you would like to add or change who receives this email, please update your firm’s Chief Information Security Officer (CISO), Chief Compliance Officer (CCO), Chief Risk Officer (CRO) and/or Regulatory Inquiries contact in FINRA Gateway. 


¹ ShinyHunters is a financially motivated threat actor group with links to the Scattered Spider group. Both are known to target high-profile organizations through social engineering and ransomware campaigns across the globe. Unlike traditional ransomware groups, ShinyHunters focuses not only on encrypting systems but also on stealing sensitive corporate data for extortion purposes. ShinyHunters and Scattered Spider continue to conduct financially motivated operations targeting business networks strategically, with a global impact as of 2025.