A sustained campaign of data theft attacks against users of the Salesforce platform has escalated in the first quarter of 2026. Following a pattern established in late 2025, multiple high-profile organizations have reported breaches, with attackers now focusing on a common weakness: improperly configured guest access in Salesforce Experience Cloud.

While some affected companies refer only to a "third-party CRM" in disclosures, the pattern points clearly to Salesforce. Here’s what we know about the escalating situation.

The Attack Vector: Experience Cloud Misconfigurations

At the heart of the 2026 campaign is the exploitation of "overly permissive" guest user settings within Salesforce Experience Cloud (formerly Community Cloud). These public-facing sites, if not locked down, can provide a gateway for threat actors to access sensitive data.

Salesforce itself has issued multiple alerts, urging customers to audit and harden their guest user profiles immediately.


Timeline of Key Incidents in 2026

The hacking group ShinyHunters appears central to many of these attacks, claiming responsibility for several major breaches.

  • January 19: Food delivery giant Grubhub confirms a data breach, linked to ShinyHunters.
  • February 16: Dutch telecom Odido (formerly T-Mobile) is named a victim of social engineering targeting Salesforce.
  • March 7: Salesforce publishes a blog warning of increased activity targeting misconfigured public sites.
  • March 9: ShinyHunters claims to be exploiting a new bug, compromising roughly 100 companies. Separately, reports indicate over 3.9 million records were exfiltrated from LexisNexis.
  • March 10: Canadian retailer Loblaw discloses it is investigating a breach of basic customer info.
  • March 18: Reports emerge that the Loblaw breach may involve a staggering 75.1 million Salesforce records.
  • March 24: Infinite Campus warns that an employee's Salesforce account was breached. ShinyHunters claims responsibility.
  • March 31: The group claims a new victim, Hallmark, with 7.9 million Salesforce records reportedly compromised. The same day, a supply-chain attack involving malicious software injected into Axios is reported.


How to Protect Your Organization Now

Salesforce recommends immediate action to secure Experience Cloud sites. Key steps include:

  • Audit Guest User Profiles: Restrict permissions to the absolute minimum required objects and fields.
  • Set Org-Wide Defaults to "Private": Ensure sharing settings for all objects are Private for external users.
  • Disable Public APIs for Guests: In the guest user profile, uncheck "API Enabled" in System Permissions.
  • Restrict User Visibility: Turn off "Portal User Visibility" and "Site User Visibility" in Sharing Settings.
  • Disable Self-Registration: If not needed, prevent unauthenticated visitors from creating accounts.
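
An added example (not from Salesforce or the original article) that checks the first three steps above against exported org settings. The rows are constructed and shaped like query results for the Profile, ObjectPermissions and EntityDefinition objects. The flattened `ProfileName` key, the `allowed_read` allowlist and the sample profile name are assumptions, and `profiles` is assumed to hold only guest user profiles.

```python
# Added example: audit constructed rows shaped like Salesforce query results.
# Flags on ObjectPermissions that a guest profile should never carry.
WRITE_FLAGS = ("PermissionsCreate", "PermissionsEdit", "PermissionsDelete",
               "PermissionsViewAllRecords", "PermissionsModifyAllRecords")
# Controlled-by-parent objects inherit the parent's external default.
OWD_OK = {"Private", "ControlledByParent"}


def audit_guest_access(profiles, object_perms, sharing, allowed_read):
    """Return sorted (check, subject, detail) findings.

    profiles: guest user profile rows only (assumption).
    allowed_read: hypothetical allowlist of objects guests may read.
    """
    findings = []
    guest = {p["Name"] for p in profiles}
    for p in profiles:
        if p.get("PermissionsApiEnabled"):  # step: Disable Public APIs
            findings.append(("api_enabled", p["Name"], "API Enabled is checked"))
    for row in object_perms:  # step: Audit Guest User Profiles
        if row["ProfileName"] not in guest:
            continue  # non-guest profiles are out of scope here
        obj = row["SobjectType"]
        extra = [f for f in WRITE_FLAGS if row.get(f)]
        if extra:
            findings.append(("excess_permission", obj, ",".join(extra)))
        if row.get("PermissionsRead") and obj not in allowed_read:
            findings.append(("unexpected_read", obj, row["ProfileName"]))
    for row in sharing:  # step: Org-Wide Defaults "Private" for external users
        if row["ExternalSharingModel"] not in OWD_OK:
            findings.append(("owd_not_private", row["QualifiedApiName"],
                             row["ExternalSharingModel"]))
    return sorted(findings)


# Constructed sample input, not data from any real org.
SAMPLE_PROFILES = [{"Name": "Help Center Profile", "PermissionsApiEnabled": True}]
SAMPLE_OBJECT_PERMS = [
    {"ProfileName": "Help Center Profile", "SobjectType": "Knowledge__kav",
     "PermissionsRead": True},
    {"ProfileName": "Help Center Profile", "SobjectType": "Contact",
     "PermissionsRead": True, "PermissionsEdit": True},
    {"ProfileName": "Standard User", "SobjectType": "Account",
     "PermissionsRead": True, "PermissionsEdit": True},
]
SAMPLE_SHARING = [
    {"QualifiedApiName": "Contact", "ExternalSharingModel": "Read"},
    {"QualifiedApiName": "Case", "ExternalSharingModel": "Private"},
]

if __name__ == "__main__":
    for finding in audit_guest_access(SAMPLE_PROFILES, SAMPLE_OBJECT_PERMS,
                                      SAMPLE_SHARING, {"Knowledge__kav"}):
        print(finding)
```

An empty result means the exported settings pass these three checks; user visibility and self-registration still need to be reviewed in Setup.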


This remains a developing story. This article will be updated as new information becomes available.