Scenario

A user is a victim of XSS and their objectId and any other information tied to their account is grabbed and sent to a malicious actor. This actor uses their info to perform malicious API requests on REST APIs that are built into the site that use the ObjectId, creating bad data in Backendless.

Is there a way to regenerate a user’s objectId so that it invalidates the attacker’s stolen information?

Are your data tables configured to allow access to not authenticated users? If the access is restricted to only logged in users, the scenario you described is highly unlikely.

To “change” user’s objectId, you should replicate the user’s record in the database and delete the original record.

Regards,
Mark