Niklas Schubert’s Post

There was another breach to Salesforce environments this week, which continues to highlight the importance of the shared responsibility model. Leaning on my athletic background, in my opinion this also highlights why securing these environments is a team sport. It requires a true partnership between IT admins and security teams, with a strong vendor acting as the coach to provide the playbook. Recent data breaches often aren't the result of complex hacks, but simple configuration oversights. A recent Salesforce blog highlights a critical security area: Experience Cloud Guest User access. When organizations set up public facing sites, they unintentionally leave doors open, such as overly permissive sharing rules or view all permissions. These allow unauthenticated guests to access sensitive internal records. This is another example of why SaaS security is not a set it and forget it task; it’s a constant battle against configuration drift. As platforms evolve and business needs change, visibility alone isn’t enough. You need a dedicated security program to ensure that today’s quick fix doesn’t become tomorrow’s vulnerability.

𝗦𝗮𝗹𝗲𝘀𝗳𝗼𝗿𝗰𝗲 𝗘𝘅𝗽𝗲𝗿𝗶𝗲𝗻𝗰𝗲 𝗖𝗹𝗼𝘂𝗱 𝘀𝗲𝗰𝘂𝗿𝗶𝘁𝘆 𝗶𝘀 𝗯𝗮𝗰𝗸 𝗶𝗻 𝗳𝗼𝗰𝘂𝘀. Salesforce sites are currently under attack and customer data is being compromised. read on to know if you are impacted and how to mitigate. The current wave of attacks is a strong reminder that even when the platform itself is not the flaw, misconfiguration can still become a breach path. Public-facing Experience Cloud sites are designed to serve guest users. But when guest profiles, API access, visibility settings, or self-registration are too open, attackers may be able to enumerate data and query objects that were never meant to be exposed. The takeaway is not panic. It is discipline: 1. Audit guest user permissions 2. Remove unnecessary API access 3. Set external defaults to Private 4. Disable unnecessary user visibility 5. Review Event Monitoring for suspicious access patterns This incident demonstrates why secure configuration, continuous monitoring, and fast validation matter. If your organization uses Salesforce Experience Cloud, now is the time to review your public exposure.  𝗜𝗳 𝘆𝗼𝘂 𝘄𝗮𝗻𝘁 𝗵𝗲𝗹𝗽 𝗮𝘀𝘀𝗲𝘀𝘀𝗶𝗻𝗴 𝗿𝗶𝘀𝗸, 𝘃𝗮𝗹𝗶𝗱𝗮𝘁𝗶𝗻𝗴 𝗰𝗼𝗻𝘁𝗿𝗼𝗹𝘀, 𝗮𝗻𝗱 𝗵𝗮𝗿𝗱𝗲𝗻𝗶𝗻𝗴 𝘆𝗼𝘂𝗿 𝗲𝗻𝘃𝗶𝗿𝗼𝗻𝗺𝗲𝗻𝘁, 𝗰𝗼𝗻𝘁𝗮𝗰𝘁 𝘂𝘀. https://enforce.one/naore Salesforce Advisory: https://lnkd.in/dV93AFs6 #Salesforce #CyberSecurity #CloudSecurity #ExperienceCloud #SSPM #SecurityArchitecture #InfoSec #CRM #ThreatDetection #GenAI

‼️ We are facing yet another wave of Cyber attack ‼️ PLEASE - Read or listen to the attached and reach out to us in case of follow up questions. Better be safe then sorry :) Gary Matson Nir Asayas Mike Zalewski Loïc Mosse Amine Mehdi Mkacher Milan Mihic Kitso Ramatlo

🚨 Salesforce Experience Cloud Security Alert: What the ShinyHunters Attack Means for the Ecosystem A major cybersecurity story is unfolding in the Salesforce ecosystem. The cybercrime group ShinyHunters has claimed responsibility for a large-scale campaign targeting Salesforce Experience Cloud (formerly Community Cloud) portals used by many organizations. Here’s what’s happening 👇 🔍 How the attack works Attackers are scanning publicly accessible Experience Cloud sites and probing the Aura API endpoint (/s/sfsites/aura). If the Guest User Profile is misconfigured with excessive permissions, the attackers can query Salesforce objects without authentication. Using a modified version of AuraInspector (a tool originally built for security diagnostics), the attackers are able to enumerate data exposed through misconfigured portals. 📊 Scale of the campaign Reports suggest the group may have targeted hundreds of Salesforce Experience Cloud sites, allegedly extracting CRM data such as contact details, phone numbers, and internal information. Some reports mention ~400 websites and around 100 major organizations potentially impacted during this campaign. ⚠️ Important clarification Salesforce has indicated that this is not a platform vulnerability but rather an issue related to misconfigured guest access permissions in some Experience Cloud deployments. This highlights the shared responsibility model of SaaS security. 🛡️ Key takeaways for Salesforce Architects & Admins • Audit Guest User Profiles for excessive object permissions • Restrict guest access to explicitly shared records only • Review Experience Cloud sharing rules and Apex controllers • Monitor Aura endpoint activity and event logs • Disable unnecessary self-registration and public APIs 💡 My takeaway As Salesforce professionals, we often focus on building great experiences with Experience Cloud. But this incident is a strong reminder that security architecture is just as critical as functionality. In the era of AI agents, APIs, and open digital experiences, misconfigurations can become the biggest attack surface. If you work with Experience Cloud, now is a good time to run a quick Guest User Security Audit in your org. Curious to hear from the community: 👉 Have you reviewed your Guest User permissions recently? #Salesforce #ExperienceCloud #CyberSecurity #ShinyHunters #SalesforceSecurity #CRM #CloudSecurity 📚 References • BleepingComputer – ShinyHunters claims ongoing Salesforce Aura data theft attacks • The Hacker News – Threat Actors Mass-Scan Salesforce Experience Cloud via AuraInspector • CSO Online – Overly permissive guest settings put Salesforce customers at risk • SC Media – Salesforce confirms ShinyHunters exploited Experience Cloud sites

Ever feel like you need a virtual magnifying glass and a torch to figure out what’s actually happening in your Salesforce org? 🕵️♂️📉 Put away the detective gear, because Event Log Objects Analytics is officially here and GA! 🎉 Say goodbye to "visibility gaps" and hello to this beautiful dashboard. You can now get an unfiltered view of your org's activity in minutes. What can you do with it? 🚨 Catch data exfiltration red-handed (Who is exporting that massive report again?) ⚡ Optimize sluggish Apex code 🛡️ Monitor high-risk logins and security threats 📈 Drive user adoption Stop guessing and start seeing. Check out the link below to see how Salesforce Agentforce 360 Platform can help you turn the lights on in your org: 🔗 sforce.co/4bJCiDg #Salesforce #SalesforceAdmin #Agentforce #CyberSecurity #DataAnalytics #CRM

A Strategic Partner, Not Just a Tool Backup is often seen as a technical necessity, but Keepit elevates it to a strategic advantage. By ensuring data availability, companies can maintain operations, protect revenue, and build trust with customers. Keepit works closely with organizations to understand their needs and deliver tailored solutions. It’s not just about storing data — it’s about enabling business continuity. That’s what makes Keepit a true partner. #SaaS #DataProtection #BackupAndRecovery #CyberSecurity #ITInfrastructure #Salesforce #Keepit #LinkedInTech #GreenTech #ZeroTrust

Is Your Salesforce Instance Secretly Exposing Data? Your company uses Salesforce. But do you know exactly what your Salesforce uses? Managing Salesforce security posture is more than just checking permissions inside the CRM. As your ecosystem grows (connecting to hundreds of other tools via API) the real risk often lies in visibility and integration, not just the "default" configuration. You cannot secure what you can’t see. Secure Zona’s Salesforce SPM provides granular, automatic visibility across three critical layers: - Vendor Monitoring (Salesforce): Track critical security news, zero-day vulnerabilities, and major compliance changes related specifically to Salesforce as a platform, before they impact your operations. - Instance Security Hardening: Deep-dive into your specific settings for yourcompany.salesforce.com. We automatically audit against CIS Benchmarks and industry standards, checking for: - Multi-Factor Authentication (MFA) gaps. - Over-privileged admin accounts. - Publicly accessible files or data (DSPM/Data Security risks). - API & Integration Visibility: Discover every third-party application, shadow tool, and "zombie" extension connected to your Salesforce via API. Monitor data flow and close dangerous backdoors. Don't guess on your Salesforce security. Get the 360-degree picture. See how SecureZona hardens your critical CRM: www.securezona.com #Salesforce #SPM #CyberSecurity #ConfigurationManagement #Compliance #DataSecurity #InfoSec #API

Salesforce security is more critical than ever, especially with the advent of AI-powered attacks. Yet, it often falls outside the focus of central Security teams, whose attention is on platforms like Office 365 and AWS. The reality? Practical Salesforce security is owned by the business system teams — Salesforce Architects and Admins. Though Salesforce offers robust security tools, a universally accepted, practitioner-defined baseline for an adequate enterprise-scale posture has been missing... until now. A passionate group came together to create the Security Benchmark for Salesforce (SBS). This benchmark not only helps you understand your current security posture but also bridges the knowledge gap, helping Salesforce experts understand security and vice-versa. If you work with Salesforce or security in a Salesforce-using organization, I warmly recommend checking it out! https://lnkd.in/dEEpzeHK #SBS #Salesforce #Security

A massive data breach claim from the ShinyHunters threat group is raising serious concerns about Salesforce security configurations across enterprises. https://lnkd.in/gj9E8kdv According to the attackers, data from nearly 100 major organizations and almost 400 websites may have been accessed through misconfigured Salesforce Experience Cloud deployments. Organizations reportedly impacted include Snowflake, Okta, Sony, AMD, LastPass, and Salesforce itself. Key technical insights from the incident: • Attackers allegedly exploited a Salesforce guest user privilege escalation misconfiguration. • Excessive permissions enabled unauthenticated access to CRM data objects. • Threat actors modified AuraInspector, a security assessment tool developed by Mandiant. • Custom modifications helped bypass the 2,000-record extraction limit for guest users. • The campaign reportedly involved months of reconnaissance and exploitation. Salesforce has since urged organizations to audit guest user permissions, enforce least-privilege access, and disable unnecessary public API access to mitigate potential exposure. The incident highlights a recurring security challenge: cloud platform misconfigurations rather than core platform vulnerabilities. What’s your take - are enterprise SaaS misconfigurations becoming the biggest cloud security risk today? Share your thoughts below. #CyberSecurity #Salesforce #CloudSecurity #DataBreach #Infosec #ThreatIntelligence #ShinyHunters

My talk on secure external portal architecture today on Salesforce Security Hours, with Melissa Hill Dees, MBA, ended up being very timely given recent news of the Shiny Hunters breaches. Video coming soon. Shiny Hunters exploited common oversights in Salesforce Experience security configuration, the equivalent of locking your front door but leaving the side door wide open. When you build a portal outside of Salesforce, the responsibility is even weightier as you also must ensure appropriate row-level data access. Today I reviewed how Codality CTO Ryan McCloskey guaranteed that row-level security in Apex, how JWTs ensure user authorization across your portal tech stack with a single authentication, the importance of obscuring record Ids, and reviewed common drivers for building an external portal. I also shared the tools we used to secure a client portal for a $2.7B wealth management company, including an interesting comparison of Mulesoft versus AWS for the API based on our CPO Amit Kulkarni's experience. Special thanks to Tristan Lombard for coordinating and providing amazing Stage Mom support. If you're embarking on an external portal app or any development demanding more security expertise than you have in-house, DM me about a fractional architect engagement to ensure you don't become another security didactic tale. #SalesforceSecurity #CyberSecurity #DataSecurity #APISecurity #CloudSecurity