Data management | May 15, 2026

Is your Salesforce Experience Cloud exposed? FINRA says check

By Zennify Team

Over the past year, a cybercriminal group known as ShinyHunters has been scanning Salesforce Experience Cloud sites for misconfigured guest user profiles, and FINRA has now flagged the risk for the financial services industry. If your organization runs Experience Cloud, you can check whether you're exposed in a matter of hours.

Is your financial institution at risk? 

It’s important to recognize that Salesforce itself remains secure: the risk isn't in the product, but in how it’s configured. The threat actor group is scanning sites for one specific weakness: guest user profiles configured with broader access than the site actually needs. When a guest profile can query Salesforce objects that were never meant to be public, the attacker pulls names, phone numbers, and contact records directly from the platform without ever logging in.

That data then fuels the follow-on attack. The threat actor uses it to launch targeted phishing and vishing (voice phishing) campaigns against your customers, employees, and support staff. The 2025 Salesloft Drift and Gainsight incidents followed the same pattern.

Salesforce confirmed the activity on March 7, 2026, and updated its guidance a few days later with additional configuration scenarios at risk. The platform itself is not the issue. The exposure lives in customer-configured settings, which puts the responsibility for closing the gap on every firm running Experience Cloud.

Why this matters for banks, credit unions, lenders, and wealth firms

First, the data inside your Experience Cloud portals (member contact details, loan application data, case records) is exactly what social engineers want. Once exfiltrated, that information powers convincing impersonation attacks against the customers who trust you to protect them.

Second, FINRA has pointed its member firms back to the Third-Party Risk Landscape section of the 2026 FINRA Annual Regulatory Oversight Report. The controls regulators expect are the same controls that would have prevented this exposure. A breach traced back to a misconfigured guest profile is a breach you'll have to explain.

The misconfigurations that create the risk

The vulnerable pattern is consistent:

  • Guest user profiles with broader object permissions than the site actually needs
  • "Allow guest users to access public APIs" left enabled, keeping the Aura endpoint open to unauthenticated queries
  • Org-wide defaults not set to Private for external users
  • Field-Level Security on Contact, Case, and custom objects not locked down to what guests genuinely need
  • Self-registration enabled on sites that don't require it
  • Profile Filtering disabled, letting guests enumerate internal users

Most teams don't know the current state of these settings without a deliberate audit. Configuration drift over months and years is the norm, especially in environments where multiple admins have made small changes over time.
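One way to start that audit for the object-permission and field-level-security items in the list above, as an added example that is not Zennify's or Hubbl's code: parse a guest user profile as retrieved through the Metadata API and flag read access that goes beyond an allowlist of what the site genuinely needs. The profile XML and the allowlists here are constructed for illustration.

```python
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a guest user profile in Metadata API format
# (objectPermissions / fieldPermissions are the real Profile element names).
GUEST_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Knowledge__kav</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Phone</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>false</readable>
    </fieldPermissions>
</Profile>"""


def audit_guest_profile(xml_text, allowed_objects, allowed_fields):
    """Return (severity, message) findings for guest read access beyond the allowlists."""
    root = ET.fromstring(xml_text)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", namespaces=NS)
        # Object-level read on anything the site does not need is the core misconfiguration.
        if op.findtext("sf:allowRead", namespaces=NS) == "true" and obj not in allowed_objects:
            findings.append(("HIGH", f"guest can read {obj}, which is not on the allowlist"))
        # View All Records ignores sharing rules, so Private org-wide defaults no longer help.
        if op.findtext("sf:viewAllRecords", namespaces=NS) == "true":
            findings.append(("HIGH", f"View All Records on {obj} bypasses org-wide sharing"))
    for fp in root.findall("sf:fieldPermissions", NS):
        field = fp.findtext("sf:field", namespaces=NS)
        # Field-level security: every readable field is one more value a guest query returns.
        if fp.findtext("sf:readable", namespaces=NS) == "true" and field not in allowed_fields:
            findings.append(("MEDIUM", f"field-level security exposes {field} to guests"))
    return findings
```

Run it against each guest profile retrieved from the org (one per site) and treat an empty result as the baseline to diff against on later audits.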

How to find out where you stand

This is the kind of risk our partnership with Hubbl is meant to identify. A Hubbl scan analyzes your org's metadata and reports back on security posture, configuration issues, and permission gaps, with each finding tied to a specific object and setting. The output is a prioritized list of what to fix and where, which gives your team a clear path to address the items called out in the Salesforce security guidance.

If you run any public-facing Experience Cloud site, this is worth doing this quarter. If you're a financial services firm, this is worth doing this week.

Run a Hubbl scan with Zennify

We'll run a free Hubbl scan against your org and walk your team through the findings, mapped to the actions FINRA and Salesforce have recommended. You'll get a clear picture of whether this threat could affect you, along with a concrete remediation plan ready for your security and compliance stakeholders.

Request a Hubbl scan

