Vordan External Posture Assessment: VEPA-2026-001
Salesforce, Inc.: Platform Governance and the Limits of Shared Responsibility
An external posture assessment conducted on the public record
Published: May 21, 2026
Assessed Entity: Salesforce, Inc.
Instrument: VEPA v1.0
Evidence Basis: Public Record Only
Campaign Reference: ShinyHunters / UNC6040, 2025–2026
Assessor: Vordan

Context

Beginning in mid-2025, the threat actor group ShinyHunters, operating under the technical alias UNC6040, executed a sustained campaign targeting Salesforce environments across more than 700 organizations globally. The attack vector was consistent: voice phishing (vishing) calls impersonating IT support, combined with OAuth Device Flow abuse and misconfiguration exploitation, primarily targeting Salesforce Experience Cloud guest user profiles and Connected App permission scopes. The campaign has resulted in confirmed breaches at organizations including 7-Eleven, Instructure/Canvas, Vimeo, Wynn Resorts, Vercel, Crunchbase, SoundCloud, Betterment, Pandora, Stellantis, and Medtronic, among dozens of others. As of the date of this assessment, the campaign remains active.

This document is the first published Vordan External Posture Assessment (VEPA). It evaluates the observable accountability posture of Salesforce, Inc. in response to this campaign using six VEPA posture components as the evaluative standard. The VEPA is conducted entirely on the public record. It is a distinct instrument from the Vordan Accountability Framework (VAF) assessment, which requires direct organizational access and the formal workbook process. The relationship between these instruments is described in the Methodology section.

Central Finding

Salesforce's public response to an 18-month sustained campaign using its platform as a primary entry point reveals a structural accountability gap between the risk its customers absorb and the obligations Salesforce accepts under its published Shared Responsibility Model. The platform did not demonstrate proactive, timely, or comprehensive platform-level interventions commensurate with the scale and consistency of the threat. The controls most capable of detecting and preventing these intrusions were either absent from the standard license tier, released reactively, or positioned as customer-side responsibilities.

This is not a finding that Salesforce's infrastructure was breached. It was not. This is a finding that when 700+ of its customers were breached through a consistent, documented, platform-adjacent attack pattern over 18 months, Salesforce's observable response fell materially short of what an accountable platform operator would demonstrate.

Primary Gap
The Shared Responsibility Model, as currently constructed and communicated, distributes accountability in a manner that is structurally misaligned with the security engineering capacity of the customer base it governs. When the same attack vector succeeds against 700+ organizations, the model's allocation of responsibility requires reassessment, not merely re-communication.
Secondary Gap
The controls most directly relevant to detecting and preventing this campaign (Event Monitoring, advanced OAuth auditing, Connected App governance tooling) are gated behind Salesforce Shield, a paid add-on priced at up to 30% of a customer's existing Salesforce spend. Paywalling detection capability during an active, known campaign is an accountability gap, not a pricing decision.
Tertiary Gap
Salesforce's public security advisory, issued in March 2026, arrived approximately 9 months after the campaign's documented commencement in mid-2025. No public evidence exists of proactive, targeted outreach to at-risk customer segments prior to this advisory. The advisory consistently emphasized customer-side remediation without addressing platform-level default configuration changes.

Posture Score

VEPA Posture Score
2.1
95% CI: 1.7 – 2.6  |  Scale: 1 (strongest posture) – 5 (weakest)
Significant and multi-dimensional accountability deficits in Salesforce's observable response to the ShinyHunters/UNC6040 campaign. No component scored above 3.0. Two components scored below 2.0. Assessment confidence is high on four of six components based on substantial public evidence.
This assessment is conducted entirely on the public record. Findings reflect Salesforce's observable accountability posture as evidenced by public disclosures, regulatory filings, product documentation, third-party reporting, and contemporaneous security research. Vordan makes no claims regarding Salesforce's internal incident response operations. This document does not constitute legal advice.

Instrument Definition

This assessment is conducted under the Vordan External Posture Assessment (VEPA), Version 1.0. The VEPA is one of three distinct accountability instruments published by Vordan.

Vordan Instrument Registry
VAF Assessment
Requires direct organizational access. Uses the formal VAF workbook (v0.1). Produces an Accountability Gap Score out of 100. Requires signature gates and practitioner interviews.
VEPA
Public record only. No organizational access required. Produces a Posture Score on a 1–5 scale across six fixed components (P1–P6). This document is a VEPA.
Agentic Accountability Baseline (AAB)
Forthcoming. The standard for agentic AI accountability assessment specifically.

Assessment Basis

Principle I: Public Record Only

All findings are derived exclusively from the public record. Independence from the assessed entity is the source of this assessment's credibility.

Principle II: Confidence Intervals are Mandatory

Every component score carries a stated 95% confidence interval reflecting evidentiary quality.

Principle III: Evidentiary Scope

Assessment period: mid-2025 through May 21, 2026. Evidence sources include Salesforce's own published advisories and Trust documentation; SEC filings; third-party threat intelligence (Mandiant/GTIG, Varonis, Mitiga, Vorlon, Bitsight, Sophos CTU); security journalism; regulatory advisories (FINRA); and published product and pricing documentation.

Principle IV: Absence as Evidence

The absence of a public record of action is itself an evidential finding. Applied with explicit labeling throughout.

Principle V: Right of Response

Salesforce is invited to submit evidence it believes would affect any component score. All submissions are reviewed, and the evidentiary basis is updated in a published revision if warranted.

VEPA Posture Components

P1: Traceability
Whether a clear, documented chain of awareness exists: when the entity first identified the threat, what it knew and when.
P2: Structural Accountability
Whether the entity's published governance model accurately reflects the actual distribution of risk, or systematically shifts burden onto parties less equipped to bear it.
P3: Response Adequacy
Whether the entity's observable response actions were commensurate in scope, speed, and substance with the documented threat.
P4: Governance Alignment
Whether the entity's security governance practices aligned with its published commitments and industry baseline standards.
P5: Disclosure Integrity
Whether the entity's public disclosures were accurate, complete, timely, and appropriately scoped regarding its own role in outcomes.
P6: Remediation Trajectory
Whether the entity has demonstrated a credible, documented trajectory toward closing the identified gaps through structural changes.
P1: Traceability
Score: 2.2  |  95% CI: 1.9–2.6  |  Confidence: High
Clarity of documented awareness chain: when Salesforce identified the campaign, what it knew, and when.

Findings

Finding P1-A: Advisory Lag
Third-party threat intelligence firms documented the ShinyHunters UNC6040 vishing campaign against Salesforce environments beginning in mid-2025. Salesforce's first public security advisory addressing the campaign is dated March 2026, approximately 9 months after the campaign's documented origin. No public evidence exists of earlier proactive customer advisories.
Finding P1-B: Mandiant Collaboration Timing
Mandiant CTO Charles Carmakal publicly confirmed collaboration with Salesforce on the AuraInspector misuse campaign in March 2026, stating they were working closely with Salesforce to provide detection rules to mitigate risk. The public record does not establish when Salesforce first engaged Mandiant on this campaign, creating a gap in the traceability chain.
Finding P1-C: No Disclosed Timeline
Salesforce's advisory and subsequent communications do not include a timeline of internal awareness: no disclosure of when the threat was first identified internally, when product teams were engaged, or when the advisory decision was made.
Evidence: REF-002, REF-003, REF-005, REF-008, REF-009
P2: Structural Accountability
Score: 2.0  |  95% CI: 1.7–2.4  |  Confidence: High
Whether Salesforce's governance model accurately reflects actual risk distribution or systematically displaces it onto less-equipped parties.

Findings

Finding P2-A: Shared Responsibility Model at Scale
A June 2025 Salesforce Ben administrator survey found that 73.5% of Salesforce admins did not know what the Shared Responsibility Model was. When the majority of the customer base administering the platform is unaware of the framework governing their security obligations, the model's accountability allocation is functionally misaligned with operational reality.
Finding P2-B: Detection Capability Gated Behind Paid Add-On
Event Monitoring, the tooling most directly relevant to detecting the OAuth Device Flow abuse characteristic of this campaign, is available only through Salesforce Shield, priced at 10% of net Salesforce spend for Event Monitoring alone and up to 30% for the full suite. During an active, documented 18-month campaign, that tooling remained behind a paywall, with no public evidence of a temporary access extension.
Finding P2-C: OAuth Device Flow Design
The attack requires only that a user be deceived into authorizing a legitimate OAuth flow. Salesforce's OAuth consent model does not surface meaningful, plain-language warnings about what a Connected App authorization grants. The structural decision to maintain a frictionless OAuth experience rather than an accountable one is a design-level gap.
Evidence: REF-001, REF-004, REF-006, REF-010, REF-011, REF-013
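The campaign pattern described in the Context section and in findings P2-B and P2-C combines three observable signals: a Connected App consent granted through the device flow, broad OAuth scopes, and a bulk export shortly afterwards. The following is an added example, not code from the assessment or from Salesforce, showing how a defender who does have authorization telemetry could score those signals together. The event records are constructed for illustration in a simplified, hypothetical normalized format; the field names, the approved-app list, the scope weights and the thresholds are assumptions, not Salesforce's Event Monitoring schema.

```python
"""Heuristic scoring of Connected App authorizations (added example, constructed data)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed weights: scopes that grant broad or durable access raise the score.
HIGH_RISK_SCOPE_WEIGHTS = {"full": 2, "refresh_token": 1, "api": 1}
# Assumed allowlist maintained by the admin team; anything else is "unvetted".
APPROVED_APPS = {"Corp Data Loader", "Finance Reporting Integration"}
ALERT_THRESHOLD = 4            # assumed: score at or above this raises an alert
EXPORT_ROW_THRESHOLD = 10_000  # assumed: exports this large count as bulk
EXPORT_WINDOW = timedelta(hours=2)


@dataclass(frozen=True)
class AuthorizationEvent:
    ts: datetime
    user: str
    app: str
    grant: str           # "device_code" or "authorization_code" (hypothetical field)
    scopes: frozenset


@dataclass(frozen=True)
class ExportEvent:
    ts: datetime
    user: str
    rows: int


def score_authorization(ev):
    """Return (points, reasons) for a single consent event, before export correlation."""
    points, reasons = 0, []
    if ev.grant == "device_code":
        points += 2
        reasons.append("device-flow grant: consent entered by typing a code on another device")
    for scope, weight in HIGH_RISK_SCOPE_WEIGHTS.items():
        if scope in ev.scopes:
            points += weight
            reasons.append(f"broad scope '{scope}'")
    if ev.app not in APPROVED_APPS:
        points += 2
        reasons.append(f"app '{ev.app}' is not on the admin-approved list")
    return points, reasons


def correlate_export(auth, exports):
    """Largest bulk export by the same user within EXPORT_WINDOW after the consent, or None."""
    hits = [e for e in exports
            if e.user == auth.user
            and auth.ts < e.ts <= auth.ts + EXPORT_WINDOW
            and e.rows >= EXPORT_ROW_THRESHOLD]
    return max(hits, key=lambda e: e.rows) if hits else None


def find_suspicious(auths, exports):
    """Score every consent, add export correlation, and return alerts above the threshold."""
    alerts = []
    for auth in auths:
        points, reasons = score_authorization(auth)
        export = correlate_export(auth, exports)
        if export is not None:
            minutes = int((export.ts - auth.ts).total_seconds() // 60)
            points += 3
            reasons.append(f"bulk export of {export.rows} rows {minutes} min after consent")
        if points >= ALERT_THRESHOLD:
            alerts.append({"user": auth.user, "app": auth.app,
                           "score": points, "reasons": reasons})
    return sorted(alerts, key=lambda a: -a["score"])


def sample_events():
    """Constructed events: one approved integration, one lookalike app via device flow, one benign app."""
    t0 = datetime(2026, 3, 2, 9, 0)
    auths = [
        AuthorizationEvent(t0, "alice@example.invalid", "Corp Data Loader",
                           "authorization_code", frozenset({"api", "refresh_token"})),
        AuthorizationEvent(t0 + timedelta(hours=1), "bob@example.invalid", "Data Loader",
                           "device_code", frozenset({"full", "refresh_token"})),
        AuthorizationEvent(t0 + timedelta(hours=3), "carol@example.invalid", "Calendar Sync",
                           "authorization_code", frozenset({"openid"})),
    ]
    exports = [
        ExportEvent(t0 + timedelta(hours=1, minutes=20), "bob@example.invalid", 250_000),
        ExportEvent(t0 + timedelta(hours=4), "carol@example.invalid", 40),
    ]
    return auths, exports


if __name__ == "__main__":
    for alert in find_suspicious(*sample_events()):
        print(alert["user"], alert["app"], alert["score"])
        for reason in alert["reasons"]:
            print("  -", reason)
```

Run stand-alone, the block reports only the second consent: a device-flow grant of broad scopes to an unvetted app, followed by a large export. The approved integration with the same `api` and `refresh_token` scopes stays below the threshold, which is the point of correlating consent with an allowlist and with what the token is then used for rather than alerting on scope alone.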
P3: Response Adequacy
Score: 2.3  |  95% CI: 2.0–2.7  |  Confidence: High
Whether Salesforce's observable response actions were commensurate in scope, speed, and substance with the documented threat.

Findings

Finding P3-A: Advisory Scope and Tone
Salesforce's March 2026 advisory consistently framed the issue as a customer-side configuration problem, stating the issue was "not due to any vulnerability inherent to our platform." While technically accurate, this framing, released 9 months into the campaign after hundreds of breaches, forecloses the structural accountability question entirely.
Finding P3-B: Remediation Guidance Scope
No advisory guidance addressed temporary restriction of OAuth Device Flow by default; enhanced consent UI for Connected App authorization; proactive scanning of customer orgs for known misconfiguration patterns; or automatic elevation of security monitoring during an active campaign. Guidance scope remained bounded by what requires customer action.
Finding P3-C: FINRA Advisory as Independent Signal
FINRA issued a cybersecurity alert specifically addressing the ShinyHunters Salesforce Experience Cloud campaign. FINRA's independent advisory was necessary because member firms could not rely on Salesforce's advisory cadence alone. This constitutes an independent signal of response adequacy failure at the platform level.
Evidence: REF-002, REF-003, REF-007, REF-009
P4: Governance Alignment
Score: 2.4  |  95% CI: 2.0–2.9  |  Confidence: Medium-High
Whether Salesforce's security governance practices aligned with its published commitments and industry baseline standards during the campaign period.

Findings

Finding P4-A: Default Configuration Gap
The Experience Cloud guest user profile ships with configurations that, in many common deployment patterns, expose non-public data to unauthenticated users. Security documentation from multiple Salesforce ecosystem partners confirms that misconfigured guest user profiles are among the most common security findings in Salesforce environments, a state structurally inconsistent with Salesforce's stated commitment that "Trust is our #1 core value."
Finding P4-B: MFA Mandate Gap
Salesforce's 2022 mandatory MFA requirement applies to direct UI login. The vishing attack vector specifically targets Connected App OAuth flows, which do not fall cleanly under the MFA mandate as implemented. The gap between the published mandate and its application to the specific attack surface exploited is a governance alignment finding.
Finding P4-C: Connected App Registration Defaults (Limited Evidence)
Whether Salesforce reviewed its Connected App registration and permission-scoping defaults during the campaign is not determinable from the public record. Flagged for follow-on assessment.
Evidence: REF-004, REF-005, REF-006, REF-012
P5: Disclosure Integrity
Score: 2.5  |  95% CI: 2.1–3.0  |  Confidence: Medium-High
Whether Salesforce's public disclosures were accurate, complete, timely, and appropriately scoped regarding its own role in outcomes.

Findings

Finding P5-A: Accuracy Without Completeness
Salesforce's statement that the issue was not due to any platform vulnerability is accurate. However, accuracy without completeness is a disclosure failure. The statement does not address whether platform design decisions, default configurations, pricing architecture, or advisory timeliness contributed to the scale of impact.
Finding P5-B: SEC Filing Review (Flagged)
Whether a campaign affecting 700+ Salesforce customers over 18 months appears in Salesforce's risk factor disclosures as a systemic platform risk is a disclosure integrity question flagged for follow-on review. No finding is made on Salesforce's compliance with its SEC disclosure obligations in this version.
Finding P5-C: Proactive Customer Notification Scope (Unscored)
Whether Salesforce proactively notified specific at-risk customer segments is not determinable from the public record. Explicitly unscored pending additional evidence.
Evidence: REF-002, REF-003, REF-014
P6: Remediation Trajectory
Score: 2.8  |  95% CI: 2.3–3.4  |  Confidence: Medium
Whether Salesforce has demonstrated a credible, documented path toward closing the identified gaps. Carries the widest confidence interval. Internal roadmap decisions are not publicly observable.

Findings

Finding P6-A: Advisory-Level Response Only
As of the date of this assessment, Salesforce's documented remediation response consists of a security advisory, customer guidance documentation, and collaboration with Mandiant on detection telemetry. No public announcement addresses changes to Experience Cloud guest user default configurations, OAuth Device Flow default availability, release of Shield Event Monitoring to the standard tier, or platform-level scanning for known misconfiguration patterns.
Finding P6-B: Agentforce Expansion Context
Salesforce's Shared Responsibility Model now explicitly extends to Agentforce features. As Salesforce expands into agentic AI environments, the structural accountability gaps identified in this assessment propagate forward into a higher-stakes operational context. The remediation trajectory finding is amplified by this forward risk.
Finding P6-C: Internal Roadmap (Unscored)
Salesforce's internal product and security roadmap is not public. Platform-level changes may be in development. This assessment cannot score what it cannot observe. Producing evidence of a committed structural remediation roadmap, not advisory-level guidance, would be the appropriate response to contest this score.
Evidence: REF-002, REF-015, REF-016

Posture Score Scale

1.0–1.9: Strong accountability posture
2.0–2.9: Significant posture deficits
3.0–3.9: Systemic posture failure
4.0–5.0: No observable accountability
Component Summary

P1: Traceability: 2.2  |  95% CI: 1.9 – 2.6  |  Confidence: High
P2: Structural Accountability: 2.0  |  95% CI: 1.7 – 2.4  |  Confidence: High
P3: Response Adequacy: 2.3  |  95% CI: 2.0 – 2.7  |  Confidence: High
P4: Governance Alignment: 2.4  |  95% CI: 2.0 – 2.9  |  Confidence: Medium-High
P5: Disclosure Integrity: 2.5  |  95% CI: 2.1 – 3.0  |  Confidence: Medium-High
P6: Remediation Trajectory: 2.8  |  95% CI: 2.3 – 3.4  |  Confidence: Medium

VEPA Posture Score (VEPA-2026-001): 2.1  |  95% CI: 1.7 – 2.6  |  Unweighted mean of six posture components
Salesforce, Inc. scores 2.1: significant and multi-dimensional accountability deficits in its observable response. No component scored above 3.0, indicating Salesforce does not represent a complete accountability failure. No component scored below 2.0 on evidence grounds, indicating no area of exemplary accountability posture.

Score Interpretation Notes

The VEPA Posture Score is distinct from a VAF Accountability Gap Score. The VAF Gap Score is produced through direct organizational assessment using the formal workbook, practitioner interviews, and signature gates. The VEPA Posture Score reflects observable accountability posture from the public record alone.

P6 (Remediation Trajectory) carries the widest confidence interval (2.3–3.4) because remediation is partially a function of internal decisions not yet publicly announced. If Salesforce announces structural platform changes addressing the identified gaps, the P6 score will be revised in a published update.

P5 (Disclosure Integrity) includes a flagged sub-finding on SEC filing content not scored in this version. A comprehensive SEC filing review may revise the P5 score in either direction.

Salesforce is invited to submit evidence it believes would affect any component score. All submissions will be reviewed and the evidentiary basis updated accordingly in a published revision.

All findings in this assessment are grounded in the sources listed below. Evidence tags in the Component Findings section correspond to the identifiers here.

Evidentiary Scope Statement: This assessment relies exclusively on publicly available sources. No confidential, proprietary, or non-public information about Salesforce, Inc. was used. All URLs verified as accessible as of May 21, 2026. Vordan is not affiliated with any cited sources. Source citations do not imply endorsement of Vordan's findings.

Instrument: Vordan External Posture Assessment (VEPA) v1.0. Distinct from the VAF assessment, which requires direct organizational access. Full instrument specification: vordan.co/instruments/vepa

Assessment Version: VEPA-2026-001 v1.0  |  Published: May 21, 2026  |  Next review: Upon material new public evidence or Salesforce response.