In all the excitement over Google and Facebook, my usually eagle-eyed enterprisey colleagues missed that salesforce.com exposed some of its users to a phishing scam. The Washington Post says that:
Salesforce.com acknowledged that a recent spate of targeted e-mail virus and phishing attacks against its customers resulted from one of its own employees falling for a phishing scam and turning over the keys to the company's customer database.
The company is remaining tight-lipped about what will be seen by on-premise vendors as a validation of SaaS/on-demand security issues. It has, however, acknowledged that some customers were sucked into the scam:
We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database.
Parker Harris, EVP of technology at salesforce.com, is communicating with customers, explaining what the company is doing and advising:
...we strongly recommend that our customers implement the following changes to enhance security: