The Salesforce Breach: Why Your Cloud Configuration is Your Biggest Identity Risk

On Wednesday, March 11, 2026, the cybersecurity landscape was shaken once again as the threat actor group known as ShinyHunters claimed responsibility for a massive breach targeting Salesforce customers. This announcement has sent ripples through the small to mid-sized business (SMB) community, many of whom rely on Salesforce as the backbone of their customer relationship management and operations. However, as the details emerge, a familiar and frustrating pattern is becoming clear: this wasn't a failure of Salesforce’s underlying security code. It was a failure of configuration.
At B&R Computers, we have seen this story play out dozens of times. Companies invest heavily in top-tier cloud platforms, assuming that the brand name alone guarantees safety. In reality, the "Shared Responsibility Model" of cloud computing means that while Salesforce secures the building, you are responsible for locking the doors and windows. In this latest incident, the doors weren't just unlocked; in many cases, they were wide open for anyone to walk through.
The ShinyHunters Claim: What Actually Happened?
The report released on March 11, 2026, indicates that ShinyHunters, a group infamous for high-profile data thefts, gained access to sensitive customer data by exploiting misconfigured Salesforce Experience Cloud sites. These sites, formerly known as Community Cloud, allow businesses to create portals for customers, partners, and employees.
The attackers didn't use a "zero-day" exploit or a sophisticated bypass of Salesforce’s encryption. Instead, they utilized what is known as an "Identity-First" attack. By targeting the way guest user permissions are handled within these cloud environments, they were able to query and export massive amounts of data that should have been restricted to internal eyes only. For many SMBs, the realization that their own setup choices led to this exposure is a hard pill to swallow, but it is an essential lesson in modern cybersecurity.
It Wasn’t a "Hack": It Was a Misconfiguration
The term "hack" often implies a technical vulnerability in the software. In the case of the 2026 Salesforce breach, the software performed exactly as it was configured to. The issue lies in the guest user permissions. When businesses set up an Experience Cloud site, they often prioritize ease of use and "frictionless" access for their users. In doing so, they inadvertently grant guest users, who are essentially unauthenticated internet visitors, permission to view records they have no business seeing.
The ShinyHunters group identified sites where guest users were granted "Read" access to objects like Leads, Contacts, and even internal Case files. Because these configurations are often buried deep within the Salesforce Setup menu, many IT managers at smaller firms aren't even aware they exist. This is exactly why we often ask our clients: Are your everyday tools making you vulnerable?
The Rise of 'Identity-First' Attacks
In 2025 and leading into 2026, we have seen a pivot in how attackers operate. They are no longer just looking for "bugs" in code; they are looking for "identities" to exploit. An Identity-First attack focuses on the credentials, permissions, and tokens that govern access. If an attacker can convince the system that they are a legitimate guest or a sanctioned third-party app, they can bypass almost every other security layer.
We saw precursors to this throughout 2025. Groups like UNC6040 used voice phishing (vishing) to trick employees into authorizing malicious OAuth applications. By the time the employee realized something was wrong, the attacker already had a persistent "token" that allowed them to download data without ever needing a password or an MFA code again. The 2026 ShinyHunters breach is an evolution of this tactic, moving from phishing individuals to simply harvesting data from misconfigured public-facing portals.
Why SMBs are the Primary Target
While major corporations like Google and Coca-Cola have faced these configuration issues in the past, ShinyHunters often targets SMBs because they lack the dedicated security operations centers (SOC) required to audit these complex cloud environments. Many small businesses operate on the "set it and forget it" mentality. Once Salesforce is integrated with their email and billing, they rarely go back to check if a guest user permission update in a new Salesforce release has changed their security posture.
At B&R Computers, we advocate for a different approach. Cloud security is not a one-time event; it is a continuous process of management and auditing. Without regular oversight, your Cloud IT services can quickly become your greatest liability.
Actionable Advice: How to Secure Your Cloud Environment
If your business uses Salesforce or any similar cloud-based CRM, you must take immediate action to ensure you aren't the next victim of an identity-based data theft. Here is the framework we recommend to our clients:
1. Audit Your Guest User Permissions
Navigate to your Salesforce Setup and look at your Experience Cloud settings. Specifically, review the "Guest User Profile" for each of your public sites. Ensure that "View All" and "Modify All" permissions are disabled for all objects. Salesforce has introduced many "Secure Guest User Record Access" settings over the last few years; if you haven't enabled them, you are likely at risk. You can start by performing your own DIY cybersecurity audit, but for a platform as complex as Salesforce, professional help is often necessary.
2. Restrict OAuth and Connected Apps
Attackers love "Connected Apps." These are integrations between Salesforce and other tools (like your marketing automation or accounting software). Review every app that has been granted access to your Salesforce instance. If you don't recognize an app, or if an app hasn't been used in months, revoke its access immediately. Ensure that you have policies in place for token rotation and that you are not allowing apps to bypass MFA.
3. Move Toward a Zero Trust Model
The "Zero Trust" model assumes that no one, inside or outside the network, is trusted by default. Access should only be granted on a "least privilege" basis. If a user only needs to see their own support cases, they shouldn't have access to the entire "Cases" object. Implementing Zero Trust at the identity layer is the single most effective way to stop ShinyHunters and similar groups in their tracks.
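The guest-permission review in step 1 and the least-privilege rule in step 3 can be checked mechanically once the guest profiles' object permissions are exported. The script below is an added example, not code from Salesforce or B&R Computers. It assumes a CSV export of Salesforce ObjectPermissions rows for guest user profiles; the ProfileName column, the profile names, the FAQ__c object and the sample rows are constructed for illustration.

```python
import csv
import io

# Objects the article names as exposed to guests; extend this set for your org.
SENSITIVE_OBJECTS = {"Lead", "Contact", "Case"}

# Constructed sample export (assumption: one row per guest profile and object,
# with columns named after the ObjectPermissions permission fields).
SAMPLE_EXPORT = """\
ProfileName,SobjectType,PermissionsRead,PermissionsEdit,PermissionsViewAllRecords,PermissionsModifyAllRecords
Support Portal Profile,Case,true,false,true,false
Support Portal Profile,FAQ__c,true,false,false,false
Partner Site Profile,Lead,true,true,false,false
Partner Site Profile,Contact,true,false,false,false
Partner Site Profile,Account,true,false,false,true
"""

def _flag(row, column):
    """Interpret an exported boolean cell; missing or blank counts as false."""
    return (row.get(column) or "").strip().lower() == "true"

def audit_guest_permissions(csv_text, sensitive=SENSITIVE_OBJECTS):
    """Return (severity, profile, object, reason) findings, worst first."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        profile, obj = row["ProfileName"], row["SobjectType"]
        # Report only the most serious problem per profile/object pair.
        if _flag(row, "PermissionsModifyAllRecords"):
            findings.append(("critical", profile, obj, "Modify All enabled for guests"))
        elif _flag(row, "PermissionsViewAllRecords"):
            findings.append(("critical", profile, obj, "View All enabled for guests"))
        elif _flag(row, "PermissionsEdit"):
            findings.append(("high", profile, obj, "guests can edit records"))
        elif _flag(row, "PermissionsRead") and obj in sensitive:
            findings.append(("high", profile, obj, "guest Read on sensitive object"))
    order = {"critical": 0, "high": 1}
    return sorted(findings, key=lambda f: (order[f[0]], f[1], f[2]))

if __name__ == "__main__":
    for severity, profile, obj, reason in audit_guest_permissions(SAMPLE_EXPORT):
        print(f"[{severity.upper()}] {profile} / {obj}: {reason}")
```

Object permissions are only one layer of guest access; sharing rules and the "Secure Guest User Record Access" settings mentioned in step 1 still need a separate review.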
How B&R Computers Manages These Risks
Managing the security of a platform like Salesforce is a full-time job. Most SMB owners are too busy growing their business to worry about whether a guest user permission was accidentally checked during a platform update. That is where we come in. B&R Computers specializes in cybersecurity solutions designed specifically for the mid-market. We don't just "install antivirus"; we manage your entire identity and cloud configuration posture.
We provide proactive monitoring, regular permission audits, and identity management strategies that ensure your cloud tools remain assets rather than liabilities. In the wake of the March 11 breach, we are currently helping our clients verify their configurations and close the gaps that ShinyHunters is looking to exploit.
Conclusion: The Perimeter is Identity
The Salesforce breach of 2026 is a stark reminder that the traditional "firewall" is dead. In the cloud era, your configuration is your perimeter. If your identity management is weak, your data is public. Don't wait for a ransom note or a report from a threat actor to find out that your guest permissions were set incorrectly.
Take control of your security today. Whether you need a deep dive into your Salesforce configuration or a total overhaul of your cloud security strategy, B&R Computers is here to help you navigate these complex risks with confidence.
