Salesforce Hacks 2026: Everything We Know So Far


The campaign of data theft attacks targeting Salesforce customers, which started late last year, has continued into 2026. Like in 2025, a number of big-name Salesforce customers report falling victim to attacks – this time with threat actors exploiting customers’ “overly permissive” Experience Cloud guest user configurations. 

Some companies that have reported breaches do not name Salesforce directly when they reveal the incidents, instead opting for phrasing like “third-party CRM”. Bearing that in mind, here is a roundup of the 2026 incidents we know of so far.

Timeline: 2026 Salesforce Hacks 

January 19: US-based food delivery platform Grubhub confirmed a data breach, with the online hacking group that targeted Salesforce data, ShinyHunters, allegedly behind the attack.

February 16: Netherlands-based mobile telecommunications company Odido (formerly T-Mobile) is named as a victim of social engineering attacks involving Salesforce instances. 

SF Ben also reports that hackers have started exploiting a vulnerability in software from BeyondTrust, a cybersecurity and identity access company that integrates with Salesforce

March 7: Salesforce reveals in a blog that Salesforce Security has been tracking an “increase in threat actor activity” which targets misconfigurations of publicly accessible sites – specifically, a campaign exploiting customers’ “overly permissive” Experience Cloud guest user configurations.

March 9: Reports emerge saying that the ShinyHunters extortion group are claiming to be actively exploiting a new bug to steal data from instances. ShinyHunters says they compromised around 100 high-profile companies.

That same day, SF Ben publishes an article outlining how hackers have allegedly exfiltrated more than 3.9M internal records linked to around 400,000 users from legal data company LexisNexis.

March 10: Canada’s largest grocer and pharmacy retailer Loblaw writes a post revealing that it is investigating a data breach. The company identified “suspicious activity on a contained, non-critical part of its IT network” and discovered that a criminal third-party accessed “some basic customer information” like names, phone numbers, and email addresses.

March 12: Salesforce writes in a trust site post that it is monitoring threat activity targeting public-facing Experience Cloud sites, which include attempts to take advantage of “overly permissive guest user configurations”.

March 18: SF Ben publishes a story outlining how Loblaw has been affected by a data breach that allegedly includes 75.1M Salesforce customer records, 19.3M Oracle IDCS user identity records, and more.

March 24: Infinite Campus warns customers of a data breach, saying that hackers accessed an employee’s Salesforce account, exposing information that was mostly publicly available, according to Bleeping Computer. ShinyHunters claimed the attack on its dark web site.

March 31: SF Ben publishes an article revealing how Axios has been injected with malicious software. This attack is known as a ‘supply chain’ attack as it isn’t targeting any one particular business, industry, or software. It attacks the building blocks of these things instead.

ShinyHunters also claim Hallmark as their next victim. SF Ben reports that 7.9M Salesforce records containing PII and other internal corporate data have reportedly been compromised.

Protect Your Data from Experience Cloud Danger

Salesforce is advising customers to review their Experience Cloud guest user settings and take the following immediate recommended actions:

  • Audit Guest User Configurations: Review guest user profile to ensure it is restricted to the absolute minimum objects and fields required. 
  • Set Org Wide Defaults to “Private”: In Sharing Settings, make sure that the org-wide defaults for all objects are set to Private for external users. 
  • Disable Public APIs: In the guest user profile’s System Permissions, uncheck “API Enabled”. 
  • Restrict Visibility: Uncheck “Portal User Visibility” and “Site User Visibility” in Sharing Settings.
  • Disable Self-Registration If Not Required: If your site does not need unauthenticated visitors to create their own accounts, disable self-registration. 

This is an ongoing campaign, and this article will be updated to reflect the latest news. 

Have you been affected by the hacks? Email us at tips@salesforceben.com

Leave a Reply

Your email address will not be published. Required fields are marked *