Recently, the hacking group ShinyHunters targeted public-facing Salesforce sites. Rather than exploiting a system flaw, they used automated tools to identify environments where guest user settings were left too permissive. By simply acting as anonymous visitors, they were able to scrape and exfiltrate massive amounts of sensitive data.
This incident serves as a critical wake-up call: even on a world-class platform like Salesforce, security is a shared responsibility. While Salesforce continuously invests in infrastructure protection and anomaly detection, the ultimate defense of your data lies in robust configuration hygiene.
Salesforce has issued immediate guidance for customers on its blog. Below, we break down these hardening steps and show how our SSPM detections automate the auditing of these configurations to prevent security drift.
1. Enforcing a private data foundation
- The Hardening: Set Org-Wide Defaults (OWD) to Private and audit guest configurations.
- Why it works: If OWD is set to Public, guest users inherit access to internal records by default. Private ensures the door is locked, requiring explicit permission for any data to be seen.
- Built-in SSPM detection: Guest user access security hardening
- It continuously verifies that Secure guest user record access is enabled, preventing anonymous data leaks.
2. Neutralizing identity theft through masking
- The Hardening: Enable Show Nicknames and review Enhanced Personal Information Masking (EPIM).
- Why it works: Real names are a goldmine for social engineering. Nicknames and EPIM mask standard User fields, ensuring that even if an attacker successfully crawls your site members, they retrieve useless aliases instead of sensitive PII.
- Built-in SSPM detection: Showing user nicknames for identity protection
- This ensures that users' real names are hidden from other site members.
3. Blinding reconnaissance and data discovery
- The Hardening: Enable Profile Filtering and disable Portal/Site User Visibility.
- Why it works: With these configurations in place, guest users cannot enumerate internal organization members or see all profile names. Without them, an attacker can map the internal hierarchy and identify high-value targets.
- Built-in SSPM detections: User profile visibility filtering / Disable community user visibility / Do not enable Portal User Visibility
- These detections ensure that guests cannot see the structure of your internal roles or user lists, or enumerate public user records.
4. Least privilege
- The Hardening: Disable public APIs by unchecking Allow guest users to access public APIs and API Enabled in the guest profile.
- Why it works: Most large-scale breaches use API endpoints to bypass UI limits and exfiltrate data at high speed. Unauthenticated guests rarely have a legitimate need for programmatic API access.
- Built-in SSPM detection: Guest profile API access restriction
- This detection flags any Guest profile that has unnecessarily high-powered API permissions, cutting off the primary tool used for automated mass exfiltration.
5. Preventing Privilege Escalation
- The Hardening: Disable self registration if it is not strictly required for your business.
- Why it works: Attackers can exploit misconfigurations to self-register accounts, escalating their status from a guest user to an authenticated user to gain broader data access.
- Built-in SSPM detection: Guest self registration restriction
- This detection identifies sites where self registration is enabled, allowing admins to verify if this risk is truly necessary or if it should be disabled to harden the perimeter.
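The five checks above can also be run offline against metadata retrieved from an org (for example with the Salesforce CLI), which is useful for catching drift between SSPM scans. The script below is an added example written for this post, not code from Salesforce or from any SSPM product. The sample XML files are constructed for illustration, and the field names (Network: selfRegistration, enableNicknameDisplay, enableMemberVisibility, guestMemberVisibility; Profile: userPermissions/ApiEnabled; CustomObject: sharingModel, externalSharingModel) are the author's reading of the Metadata API types and should be verified against the metadata your own org returns.

```python
"""Offline audit of retrieved Salesforce metadata for guest-exposure settings.

Covers the hardening steps discussed above: OWD set to Private, nicknames shown,
member/guest visibility off, API access removed from the guest profile, and
self registration disabled. Added example; sample inputs are constructed.
"""
import xml.etree.ElementTree as ET

# Namespace used by all Salesforce Metadata API XML files.
NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a Network (Experience Cloud site) metadata file. Every
# value here is set the risky way so that each check produces a finding.
SAMPLE_NETWORK = """<Network xmlns="http://soap.sforce.com/2006/04/metadata">
    <enableMemberVisibility>true</enableMemberVisibility>
    <enableNicknameDisplay>false</enableNicknameDisplay>
    <guestMemberVisibility>true</guestMemberVisibility>
    <selfRegistration>true</selfRegistration>
    <status>Live</status>
</Network>"""

# Constructed sample of a guest user Profile file with API access left enabled.
SAMPLE_GUEST_PROFILE = """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>false</custom>
    <userPermissions>
        <enabled>true</enabled>
        <name>ApiEnabled</name>
    </userPermissions>
    <userPermissions>
        <enabled>false</enabled>
        <name>ViewSetup</name>
    </userPermissions>
</Profile>"""

# Constructed sample of an object whose internal OWD is Private but whose
# external (guest/community) OWD was relaxed to Read.
SAMPLE_OBJECT = """<CustomObject xmlns="http://soap.sforce.com/2006/04/metadata">
    <sharingModel>Private</sharingModel>
    <externalSharingModel>Read</externalSharingModel>
</CustomObject>"""


def _text(node, tag):
    """Return the stripped text of a direct child element, or None if absent."""
    el = node.find(f"m:{tag}", NS)
    if el is None or el.text is None:
        return None
    return el.text.strip()


def _flag(node, tag):
    """Boolean metadata fields are serialized as the strings 'true'/'false'."""
    return _text(node, tag) == "true"


def audit_network(xml_text):
    """Steps 2, 3 and 5: masking, visibility and self registration on a site."""
    root = ET.fromstring(xml_text)
    findings = []
    if _flag(root, "selfRegistration"):
        findings.append("SELF_REGISTRATION_ENABLED")
    if not _flag(root, "enableNicknameDisplay"):
        findings.append("NICKNAME_DISPLAY_OFF")
    if _flag(root, "enableMemberVisibility"):
        findings.append("MEMBER_VISIBILITY_ON")
    if _flag(root, "guestMemberVisibility"):
        findings.append("GUEST_MEMBER_VISIBILITY_ON")
    return findings


def audit_guest_profile(xml_text):
    """Step 4: the guest profile must not carry the API Enabled permission."""
    root = ET.fromstring(xml_text)
    findings = []
    for perm in root.findall("m:userPermissions", NS):
        if _text(perm, "name") == "ApiEnabled" and _flag(perm, "enabled"):
            findings.append("GUEST_PROFILE_API_ENABLED")
    return findings


def audit_object(xml_text, object_name):
    """Step 1: both the internal and the external OWD should be Private."""
    root = ET.fromstring(xml_text)
    findings = []
    for tag, label in (("sharingModel", "INTERNAL_OWD_NOT_PRIVATE"),
                       ("externalSharingModel", "EXTERNAL_OWD_NOT_PRIVATE")):
        value = _text(root, tag)
        if value is not None and value != "Private":
            findings.append(f"{label}:{object_name}={value}")
    return findings


def run_audit():
    """Run every check over the constructed samples and group the findings."""
    return {
        "network": audit_network(SAMPLE_NETWORK),
        "guest_profile": audit_guest_profile(SAMPLE_GUEST_PROFILE),
        "objects": audit_object(SAMPLE_OBJECT, "Contact"),
    }


if __name__ == "__main__":
    for area, items in run_audit().items():
        print(area, "->", items or "OK")
```

Point the three audit functions at the `.network-meta.xml`, guest `.profile-meta.xml` and `.object-meta.xml` files from a metadata retrieve, and treat any non-empty list as a configuration that has drifted from the hardening guidance above.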
Immediate action required
Salesforce recommends that all customers immediately audit their guest user permissions. Our SSPM tool provides an instant, comprehensive view of these settings across all your sites, ensuring that your organization is not just compliant today, but secure against the threats of tomorrow.
Hardening your guest gate is no longer optional: it is the first line of defense in a rapidly evolving threat landscape.