Salesforce.com acknowledged that a recent spate of targeted e-mail virus and phishing attacks against its customers resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database.
The company is remaining tight-lipped about an incident that on-premise vendors will likely hold up as validation of SaaS/on-demand security concerns. It has, however, acknowledged that some customers were sucked into the scam:
We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.
...we strongly recommend that our customers implement the following changes to enhance security:
Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
Educate your employees not to open suspect emails and to be vigilant in guarding against phishing attempts.
Use security solutions from leading vendors such as Symantec to deploy spam filtering and malware protection.
Designate a security contact within your organization so that salesforce.com can more effectively communicate with you. Contact your salesforce.com representative with this information.
Consider using other two-factor authentication techniques including RSA tokens and others.
Attend an educational Webinar on Thursday, November 8 in which our experts will walk you through these recommended changes and best practices. Visit www.salesforce.com/security for details.
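The IP range restriction recommended above, as an added illustration that is not part of the post or of Salesforce's own product code: a login check that requires both a valid password and a source address inside the organisation's allowed ranges, plus a retrospective sweep over login history for successful logins from outside those ranges (the events a phished password would produce). The address blocks, the log layout and the log lines are constructed for the example.

```python
import ipaddress

# Constructed corporate egress ranges (an assumption; documentation-only
# address blocks are used here, not any real organisation's ranges).
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (constructed)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN egress (constructed)
]

def ip_allowed(ip: str) -> bool:
    """True if the source address falls inside an allowed range."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ALLOWED_RANGES)

def login_decision(password_ok: bool, ip: str) -> str:
    """Login-time enforcement: a correct password is not enough on its own;
    the request must also originate from an allowed range."""
    if not password_ok:
        return "denied: bad credentials"
    if not ip_allowed(ip):
        return "denied: source IP outside allowed ranges"
    return "allowed"

# Constructed login-history lines (assumed CSV layout: timestamp,user,source_ip,status).
SAMPLE_LOGIN_HISTORY = """\
2007-11-05T08:12:03Z,alice@example.com,203.0.113.17,Success
2007-11-05T08:15:41Z,bob@example.com,198.51.100.9,Success
2007-11-05T23:47:10Z,alice@example.com,192.0.2.77,Success
2007-11-06T02:03:55Z,carol@example.com,192.0.2.78,Failed
"""

def flag_out_of_range_logins(history: str) -> list:
    """Retrospective check over login history: successful logins from outside
    the allowed ranges are the ones to review, since a phished password used
    from an attacker's network would land here without the restriction."""
    flagged = []
    for line in history.splitlines():
        if not line.strip():
            continue
        ts, user, ip, status = line.split(",")
        if status == "Success" and not ip_allowed(ip):
            flagged.append((ts, user, ip))
    return flagged

if __name__ == "__main__":
    print(login_decision(True, "192.0.2.77"))
    for event in flag_out_of_range_logins(SAMPLE_LOGIN_HISTORY):
        print("review:", *event)
```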