Salesforce tight-lipped after phishing attack

The company has refused to give specific details of a breach, caused by phishers gaining an employee's password, which saw customers attacked is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company.

Details of's customers were stolen as a result of the password being surrended, the CRM services company admitted to customers on Monday.

But, when contacted by, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred, and whether any disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter. first noticed a possible security breach when it saw a rise in phishing attacks directed against customers "a couple of months ago". Upon investigation, the company found that one of its employees had been "tricked" into disclosing a password, allowing a customer list to be stolen, according to Monday's letter, which was sent to customers by executive vice president of technology Parker Harris.

"We learned that a employee had been the victim of a phishing scam that allowed a customer contact list to be copied," wrote Harris. "To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."

The information in the contact list included individuals' names, company names, email addresses, telephone numbers of customers and "related administrative data belonging to", said Harris.

Once the phishers had the contact list, they attempted to phish customers. "Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher," wrote Harris.

The domino effect continued. Not content with the security breaches already achieved, the phishers began to target customers with malware. "A few days ago a new wave of phishing attempts that included attached malware — software that secretly installs viruses or keyloggers — appeared and seemed to be targeted at a broader group of customers," wrote Harris, who added that this fresh wave of attacks was what prompted to publish the security letter. said it had been working with the group of affected customers "to enhance their security", and with law enforcement and industry experts to trace what had happened. It said it was monitoring and analysing logs to be able to alert customers who have been, or could still be, affected by the incident, and that it was "reinforcing [employee] security education, and tightening access policies within".

Harris's letter recommended that customers activate IP address restrictions so users can only access from the corporate network or VPN, educate employees about phishing, and deploy email filtering and anti-malware software. Customers should also designate a security contact to liaise with, consider using two-factor authentication, and attend a security webinar on 8 November on's website.

Mark Sunner, chief technology officer for email-filtering company MessageLabs, claimed that had "had an issue with the message filtering", and an issue with disseminating security information to employees. He recommended companies use a mixture of education and technical means to mitigate corporate data-theft phishing attacks.

"Employees have to be very sceptical about any requests for information over email, IM or telephone," said Sunner. "You have to have message filtering, but also educate people that this bad stuff is out there." Sunner added that users need to be aware that posts on social-networking sites such as Facebook could be used by phishers to harvest information.