Here’s a fun fact about data breaches: they almost never start the way you’d imagine.
No sophisticated zero-day exploit. No team of hoodie-clad hackers in a darkened server room. The Aura breach, confirmed on March 17, 2026, and affecting roughly 900,000 users, started with a phone call. Someone called an Aura employee, pretended to be someone they weren’t, and talked their way into access. One hour of unauthorised access. 900,000 records. Names, email addresses and, for a smaller group of active and former customers, home addresses, phone numbers and IP addresses.
No passwords. No financial data. But plenty of ammunition for what comes next: targeted phishing, social engineering and follow-on attacks on the people whose details were just handed over.
If you’re a founder or operator using Salesforce for your CRM or marketing stack, this one’s for you, and it’s a story about more than just Aura.
This Is Bigger Than One Breach
The Aura incident doesn’t exist in isolation. It’s part of a broader hacking campaign by a group called ShinyHunters, which has been targeting Salesforce Marketing Cloud and Experience Cloud customers since September 2025. According to security researchers, between 300 and 400 organisations have been affected – including around 100 high-profile ones.
The attack method is worth understanding, because it’s clever. The hackers used a modified version of a legitimate security tool called AuraInspector – originally developed by Mandiant – to scan public-facing Salesforce sites for misconfigured guest user permissions. Where those misconfigurations existed, they could extract data through an API endpoint without needing to break anything. They just walked through a door someone had accidentally left open.
Salesforce has been clear that there’s no vulnerability in the platform itself. The issue is configuration: specifically, the way some businesses have set up guest user access. That’s both reassuring and slightly uncomfortable, because it means the responsibility sits with the businesses using the platform, not with Salesforce.
Which brings us to the practical part.
Is Your Salesforce Instance Actually Secure?
If your business uses Salesforce – and a huge number of startups and scaleups do, given how dominant it is in the CRM space – there are specific steps you should be taking right now, not next quarter.
Salesforce has issued its own guidance, and the headline recommendation is this: disable “API Enabled” in your guest user profiles. This blocks unauthenticated queries to the Aura endpoint that ShinyHunters exploited. It’s a single setting change, and if you haven’t done it, now is the time to do so.
Beyond that, the checklist looks like this:
- Set your org-wide sharing defaults to Private rather than Public.
- Enable Secure guest user record access.
- Strip guest profiles back to the minimum objects and fields they actually need – if a guest user doesn’t need access to something, remove it.
- Disable self-registration if you’re not actively using it.
- Uncheck the Portal and Site User Visibility settings.
- Review your Aura event logs for any suspicious activity over the past few months.
If you have an Experience Cloud site, audit it immediately. Run AuraInspector on your own instance to check what a potential attacker would see from the outside.
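The log-review step above, as an added example in Python (not code from the article, Salesforce or Mandiant): it parses a constructed, simplified Aura request log (the column layout is an assumption, not Salesforce’s real EventLogFile schema) and flags source IPs whose unauthenticated guest requests enumerate several objects or pull large record counts within a short window, which is the pattern a misconfigured guest profile exposes.

```python
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log. The columns (timestamp, user type, source IP, Aura
# action, target object, records returned) are an assumption for this example,
# not Salesforce's real EventLogFile schema.
SAMPLE_LOG = """timestamp,user_type,source_ip,action,object,records
2026-03-17T09:00:01Z,Standard,203.0.113.5,getRecord,Account,1
2026-03-17T09:00:05Z,Guest,198.51.100.7,getListRecords,Contact,2000
2026-03-17T09:00:09Z,Guest,198.51.100.7,getListRecords,Case,2000
2026-03-17T09:00:14Z,Guest,198.51.100.7,getListRecords,Lead,2000
2026-03-17T09:00:20Z,Guest,198.51.100.7,getListRecords,User,2000
2026-03-17T10:30:00Z,Guest,192.0.2.44,getRecord,Knowledge__kav,1
"""

def parse_log(text):
    # Parse the CSV into dicts with a typed timestamp and record count.
    rows = []
    for row in csv.DictReader(StringIO(text)):
        row["timestamp"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["records"] = int(row["records"])
        rows.append(row)
    return rows

def find_guest_enumeration(rows, window=timedelta(minutes=5),
                           max_objects=3, max_records=5000):
    """Flag source IPs whose guest (unauthenticated) requests touch more than
    max_objects distinct objects, or return more than max_records rows, inside
    any sliding window. Authenticated users are ignored on purpose."""
    by_ip = defaultdict(list)
    for r in sorted(rows, key=lambda r: r["timestamp"]):
        if r["user_type"] == "Guest":
            by_ip[r["source_ip"]].append(r)
    findings = {}
    for ip, reqs in by_ip.items():
        start = 0
        for end, r in enumerate(reqs):
            while r["timestamp"] - reqs[start]["timestamp"] > window:
                start += 1  # slide the window forward
            span = reqs[start:end + 1]
            objects = {s["object"] for s in span}
            total = sum(s["records"] for s in span)
            if len(objects) > max_objects or total > max_records:
                findings[ip] = {"objects": sorted(objects), "records": total}
    return findings

def audit_sample():
    return find_guest_enumeration(parse_log(SAMPLE_LOG))
```

Tune the window and thresholds to your own site’s normal guest traffic; the single Knowledge article fetch in the sample is the kind of legitimate guest request that should not be flagged.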
The Vishing Problem Nobody Talks About Enough
Let’s go back to that phone call for a moment, because it’s the part of this story that gets glossed over in most coverage.
Voice phishing – aka vishing – is one of the most effective and underestimated attack vectors in cybersecurity right now. It doesn’t require any technical sophistication. It requires confidence, a convincing story and a target who hasn’t been trained to be sceptical. The Aura employee who took that call presumably wasn’t being careless – they were merely doing their job and someone exploited that.
For startups and growing businesses, this is where the real vulnerability often lies. You can have the most secure Salesforce configuration in the world, but if someone can phone your customer support team and talk their way into a system reset, the dangers in your workplace may be more human than technical. Staff training on social engineering, clear internal verification protocols and a culture where it’s acceptable to say “let me call you back on your registered number” are not optional extras. They’re basic hygiene.
What To Do If You Think You’ve Been Affected
If you’re a business whose customer data sits in Salesforce Marketing Cloud, treat this as a prompt to audit rather than panic. The steps above will significantly reduce your exposure. But there are a few additional things worth doing.
Monitor for phishing attempts that reference the Aura breach specifically – attackers often use breach news to add credibility to follow-on scams. Brief your team. Consider a targeted communication to customers if you believe their data may have been involved. And if you don’t already have anti-malware and endpoint protection across your business devices, now is a very good time to sort that out.
Data breaches are rarely the catastrophic, cinematic events they’re portrayed as. More often, they’re the result of a small configuration error, a moment of misplaced trust, or a door that was left ajar. The good news is that those are exactly the kinds of problems that are fixable – if you’re paying attention.
Start paying attention.