In all the excitement over Google and Facebook, my usually eagle-eyed enterprisey colleagues missed that salesforce.com exposed some of its users to a phishing scam. The Washington Post says that:
Salesforce.com acknowledged that a recent spate of targeted e-mail virus and phishing attacks against its customers resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database.
The company is remaining tight-lipped about what will be seen by on-premise vendors as a validation of SaaS/on-demand security concerns. It has, however, acknowledged that some customers were sucked into the scam:
We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.
Parker Harris, EVP of technology at salesforce.com, is communicating with customers, explaining what the company is doing and advising:
...we strongly recommend that our customers implement the following changes to enhance security:
- Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
- Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
- Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
- Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
- Consider using other two-factor authentication techniques, including RSA tokens and others.
- Attend an educational Webinar on Thursday, November 8 in which our experts will walk you through these recommended changes and best practices. Visit www.salesforce.com/security for details.