Salesforce tight-lipped after phishing attack

The company has refused to give specific details of a breach, caused by phishers gaining an employee's password, which saw customers attacked
Written by Tom Espiner, Contributor

Salesforce.com is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company.

Details of Salesforce.com's customers were stolen as a result of the password being surrended, the CRM services company admitted to customers on Monday.

But, when contacted by ZDNet.co.uk, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred, and whether any disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter.

Salesforce.com first noticed a possible security breach when it saw a rise in phishing attacks directed against customers "a couple of months ago". Upon investigation, the company found that one of its employees had been "tricked" into disclosing a password, allowing a customer list to be stolen, according to Monday's letter, which was sent to customers by executive vice president of technology Parker Harris.

"We learned that a Salesforce.com employee had been the victim of a phishing scam that allowed a Salesforce.com customer contact list to be copied," wrote Harris. "To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."

The information in the contact list included individuals' names, company names, email addresses, telephone numbers of Salesforce.com customers and "related administrative data belonging to Salesforce.com", said Harris.

Once the phishers had the contact list, they attempted to phish Salesforce.com customers. "Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher," wrote Harris.

The domino effect continued. Not content with the security breaches already achieved, the phishers began to target Salesforce.com customers with malware. "A few days ago a new wave of phishing attempts that included attached malware — software that secretly installs viruses or keyloggers — appeared and seemed to be targeted at a broader group of customers," wrote Harris, who added that this fresh wave of attacks was what prompted Salesforce.com to publish the security letter.

Salesforce.com said it had been working with the group of affected customers "to enhance their security", and with law enforcement and industry experts to trace what had happened. It said it was monitoring and analysing logs to be able to alert customers who have been, or could still be, affected by the incident, and that it was "reinforcing [employee] security education, and tightening access policies within Salesforce.com".

Harris's letter recommended that customers activate IP address restrictions so users can only access Salesforce.com from the corporate network or VPN, educate employees about phishing, and deploy email filtering and anti-malware software. Customers should also designate a security contact to liaise with Salesforce.com, consider using two-factor authentication, and attend a security webinar on 8 November on Salesforce.com's website.

Mark Sunner, chief technology officer for email-filtering company MessageLabs, claimed that Salesforce.com had "had an issue with the message filtering", and an issue with disseminating security information to employees. He recommended companies use a mixture of education and technical means to mitigate corporate data-theft phishing attacks.

"Employees have to be very sceptical about any requests for information over email, IM or telephone," said Sunner. "You have to have message filtering, but also educate people that this bad stuff is out there." Sunner added that users need to be aware that posts on social-networking sites such as Facebook could be used by phishers to harvest information.

Editorial standards