salesforce.com users exposed to phishing scam

In all the excitement over Google and Facebook, my usually eagle-eyed enterprisey colleagues missed that salesforce.com exposed some of its users to a phishing scam.

The Washington Post says that:

Salesforce.com acknowledged that a recent spate of targeted e-mail virus and phishing attacks against its customers resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database.

The company is remaining tight-lipped about what on-premise vendors will see as a validation of SaaS/on-demand security concerns. It has, however, acknowledged that some customers were sucked into the scam:

We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.

Parker Harris, EVP of technology at salesforce.com, is communicating with customers, explaining what the company is doing and advising:

...we strongly recommend that our customers implement the following changes to enhance security:

    • Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
    • Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
    • Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
    • Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
    • Consider using other two-factor authentication techniques, including RSA tokens and others.
    • Attend an educational Webinar on Thursday, November 8 in which our experts will walk you through these recommended changes and best practices. Visit www.salesforce.com/security for details.
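The first recommendation above, restricting logins to corporate IP ranges, comes down to a simple allowlist check on the source address of each login. The following is an added example of that check, written for this page and not code from salesforce.com or from the original post; the CIDR ranges, user names and login events are constructed sample data, and a real deployment would take them from the application's own login history rather than from constants.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical corporate network and VPN ranges (constructed for this example;
# these are documentation prefixes, not anyone's real address space).
CORPORATE_RANGES = ["203.0.113.0/24", "198.51.100.0/25", "2001:db8:1::/48"]


@dataclass
class LoginEvent:
    user: str
    source_ip: str
    outcome: str  # "success" or "failure", as reported by the application


# Constructed sample login events, not real log data. The mix deliberately
# includes an address just outside a /25 boundary and a malformed address.
SAMPLE_EVENTS = [
    LoginEvent("alice@example.com", "203.0.113.45", "success"),
    LoginEvent("bob@example.com", "198.51.100.200", "success"),   # outside the /25
    LoginEvent("carol@example.com", "192.0.2.9", "success"),       # outside all ranges
    LoginEvent("alice@example.com", "2001:db8:1::17", "success"),  # IPv6 VPN range
    LoginEvent("dave@example.com", "not-an-ip", "success"),        # malformed source
]


def parse_ranges(cidrs):
    """Parse CIDR strings once; strict=True rejects ranges with host bits set."""
    return [ipaddress.ip_network(c, strict=True) for c in cidrs]


def is_allowed(source_ip, networks):
    """True only if the address parses and falls inside an allowed network."""
    try:
        addr = ipaddress.ip_address(source_ip)
    except ValueError:
        return False  # fail closed: a source we cannot parse is never trusted
    # 'in' across IPv4/IPv6 versions is simply False, so mixed lists are fine.
    return any(addr in net for net in networks)


def evaluate_logins(events, cidrs=CORPORATE_RANGES):
    """Classify each login as ALLOW or BLOCK against the corporate ranges."""
    networks = parse_ranges(cidrs)
    results = []
    for ev in events:
        verdict = "ALLOW" if is_allowed(ev.source_ip, networks) else "BLOCK"
        results.append((ev.user, ev.source_ip, verdict))
    return results


def blocked_users(events, cidrs=CORPORATE_RANGES):
    """Users with at least one login from outside the allowed ranges; these are
    the accounts worth a follow-up, since a stolen password is useless to an
    attacker who cannot reach the application from the corporate network."""
    return sorted({user for user, _, verdict in evaluate_logins(events, cidrs)
                   if verdict == "BLOCK"})


if __name__ == "__main__":
    for user, ip, verdict in evaluate_logins(SAMPLE_EVENTS):
        print(f"{verdict:5} {user:20} {ip}")
    print("review:", ", ".join(blocked_users(SAMPLE_EVENTS)))
```

The same check serves two purposes: enforced at login time it is the IP range restriction the list describes, and run over historical login records it surfaces the accounts whose sessions came from outside the corporate network. A source-network rule only controls where a login may originate, so it works best alongside the token-based two-factor options the list also mentions.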
