Salesforce published this blog post a couple of months ago, I think as a response to all of the activity from ShinyHunters: https://www.salesforce.com/blog/protecting-your-data-essential-actions-to-secure-experience-cloud-guest-user-access/

It states:

"In your site settings, disable Allow guest users to access public APIs. In the guest user profile’s System Permissions, uncheck API Enabled. This is the highest-impact single change you can make. It closes the Aura endpoint to unauthenticated API queries, which is the exact vector used in this campaign."

The API Enabled permission controls access to Salesforce's REST API, but it doesn't control access to the Aura endpoints used by ShinyHunters. You can test this yourself by running the AuraInspector tool that they mention, or use Burp Suite: https://www.enumerated.ie/index/salesforce#extract

Am I an idiot and missing something here?…