Salesforce Hacks 2026: Everything We Know So Far

The campaign of data theft attacks targeting Salesforce customers, which started late last year, has continued into 2026. Like in 2025, a number of big-name Salesforce customers report falling victim to attacks ā€“ this time with threat actors exploiting customersā€™ ā€œoverly permissiveā€ Experience Cloud guest user configurations.Ā 

Some companies that have reported breaches do not name Salesforce directly when they reveal the incidents, instead opting for phrasing like ā€œthird-party CRMā€. Bearing that in mind, here is a roundup of the 2026 incidents we know of so far.

Timeline: 2026 Salesforce HacksĀ 

January 19: US-based food delivery platform Grubhub confirmed a data breach, with the online hacking group that targeted Salesforce data, ShinyHunters, allegedly behind the attack.

February 16: Netherlands-based mobile telecommunications company Odido (formerly T-Mobile) is named as a victim of social engineering attacks involving Salesforce instances.Ā 

SF Ben also reports that hackers have started exploiting a vulnerability in software from BeyondTrust, a cybersecurity and identity access company that integrates with Salesforce

March 7: Salesforce reveals in a blog that Salesforce Security has been tracking an ā€œincrease in threat actor activityā€ which targets misconfigurations of publicly accessible sites ā€“ specifically, a campaign exploiting customersā€™ ā€œoverly permissiveā€ Experience Cloud guest user configurations.

March 9: Reports emerge saying that the ShinyHunters extortion group are claiming to be actively exploiting a new bug to steal data from instances. ShinyHunters says they compromised around 100 high-profile companies.

That same day, SF Ben publishes an article outlining how hackers have allegedly exfiltrated more than 3.9M internal records linked to around 400,000 users from legal data company LexisNexis.

March 10: Canadaā€™s largest grocer and pharmacy retailer Loblaw writes a post revealing that it is investigating a data breach. The company identified ā€œsuspicious activity on a contained, non-critical part of its IT networkā€ and discovered that a criminal third-party accessed ā€œsome basic customer informationā€ like names, phone numbers, and email addresses.

March 12: Salesforce writes in a trust site post that it is monitoring threat activity targeting public-facing Experience Cloud sites, which include attempts to take advantage of ā€œoverly permissive guest user configurationsā€.

March 18: SF Ben publishes a story outlining how Loblaw has been affected by a data breach that allegedly includes 75.1M Salesforce customer records, 19.3M Oracle IDCS user identity records, and more.

March 24: Infinite Campus warns customers of a data breach, saying that hackers accessed an employeeā€™s Salesforce account, exposing information that was mostly publicly available, according to Bleeping Computer. ShinyHunters claimed the attack on its dark web site.

March 31: SF Ben publishes an article revealing how Axios has been injected with malicious software. This attack is known as a ā€˜supply chainā€™ attack as it isnā€™t targeting any one particular business, industry, or software. It attacks the building blocks of these things instead.

ShinyHunters also claim Hallmark as their next victim. SF Ben reports that 7.9M Salesforce records containing PII and other internal corporate data have reportedly been compromised.

Protect Your Data from Experience Cloud Danger

Salesforce is advising customers to review their Experience Cloud guest user settings and take the following immediate recommended actions:

  • Audit Guest User Configurations: Review guest user profile to ensure it is restricted to the absolute minimum objects and fields required.Ā 
  • Set Org Wide Defaults to ā€œPrivateā€: In Sharing Settings, make sure that the org-wide defaults for all objects are set to Private for external users.Ā 
  • Disable Public APIs: In the guest user profileā€™s System Permissions, uncheck ā€œAPI Enabledā€.Ā 
  • Restrict Visibility: Uncheck ā€œPortal User Visibilityā€ and ā€œSite User Visibilityā€ in Sharing Settings.
  • Disable Self-Registration If Not Required: If your site does not need unauthenticated visitors to create their own accounts, disable self-registration.Ā 

This is an ongoing campaign, and this article will be updated to reflect the latest news.Ā 

Have you been affected by the hacks? Email us at tips@salesforceben.com

The post Salesforce Hacks 2026: Everything We Know So Far appeared first on Salesforce Ben.

Leave a Reply

Your email address will not be published. Required fields are marked *