Phishers snare Salesforce.com data

Customers fall victim too...

Tags: phishing, breach, salesforce.com, wave

By Tom Espiner

Published: 8 November 2007 08:44 GMT

Salesforce.com is refusing to reveal details of a security breach caused when one of its employees surrendered their password in a phishing attack against the company.

Details of Salesforce.com's customers were stolen as a result of the password being surrendered, the CRM services company admitted to customers this week.

But, when contacted by silicon.com sister site ZDNet.co.uk, the company refused to say whether any UK customers had been affected, whether any financial damage had occurred and whether any disciplinary action had been taken against any employees as a result of the security incident. It offered no other comment on the matter.

Salesforce.com first noticed a possible security breach when it saw a rise in phishing attacks directed against customers "a couple of months ago". Upon investigation, the company found that one of its employees had been "tricked" into disclosing a password, allowing a customer list to be stolen, according to a letter that was sent to customers by executive vice president of technology Parker Harris.

Harris wrote: "We learned that a Salesforce.com employee had been the victim of a phishing scam that allowed a Salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password but this intrusion did not stem from a security flaw in our application or database."

The information in the contact list included individuals' names, company names, email addresses, telephone numbers of Salesforce.com customers and "related administrative data belonging to Salesforce.com", said Harris.

Once the phishers had the contact list, they attempted to phish Salesforce.com customers. Harris wrote: "Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher."

The domino effect continued. Not content with the security breaches already achieved, the phishers began to target Salesforce.com customers with malware. According to Harris: "A few days ago a new wave of phishing attempts that included attached malware - software that secretly installs viruses or keyloggers - appeared and seemed to be targeted at a broader group of customers." He added that this fresh wave of attacks was what prompted Salesforce.com to publish the security letter.

Salesforce.com said it has been working with the group of affected customers "to enhance their security", and with law enforcement and industry experts to uncover what has happened. It said it is monitoring and analysing logs to be able to alert customers who have been, or could still be, affected by the incident, and added it is "reinforcing [employee] security education, and tightening access policies within Salesforce.com".

Harris's letter recommended customers activate IP address restrictions so users can only access Salesforce.com from the corporate network or VPN, educate employees about phishing, and deploy email filtering and anti-malware software. Customers should also designate a security contact to liaise with Salesforce.com, consider using two-factor authentication, and attend a security webinar on 8 November on Salesforce.com's website.
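The first of those recommendations, restricting logins to a corporate network or VPN, is worth seeing in concrete form because it directly addresses the failure mode in this story: a password disclosed to a phisher is of little use if the attacker cannot present it from an approved address. The script below is an added illustration written for this page, not Salesforce.com's own access-restriction feature or any real customer's configuration. The allowed ranges, user names and login records are all constructed sample values; the log format ("timestamp user ip result") is an assumption for the example.

```python
import ipaddress
from collections import Counter

# Constructed allowlist standing in for a corporate egress range and a VPN pool.
# These are documentation (TEST-NET) addresses, not Salesforce.com's or any real customer's.
ALLOWED_RANGES = [
    ipaddress.ip_network("203.0.113.0/24"),   # office egress (constructed)
    ipaddress.ip_network("198.51.100.0/25"),  # VPN address pool (constructed)
]


def is_allowed_source(ip_text, allowed=ALLOWED_RANGES):
    """Return True only if the source address falls inside a permitted range.

    A malformed address is treated as not allowed so that a parsing failure
    can never open the door by accident.
    """
    try:
        addr = ipaddress.ip_address(ip_text)
    except ValueError:
        return False
    return any(addr in net for net in allowed)


def evaluate_logins(log_lines, allowed=ALLOWED_RANGES):
    """Parse 'timestamp user ip result' records (assumed format) and return
    (rejected_records, out_of_range_attempts_per_user).

    rejected_records lists every attempt an IP restriction would block, even
    when the password itself was correct; the per-user counter gives a
    monitoring signal for accounts whose credentials may already be phished.
    """
    rejected = []
    per_user = Counter()
    for line in log_lines:
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records rather than guessing at fields
        ts, user, ip, result = parts
        if not is_allowed_source(ip, allowed):
            rejected.append((ts, user, ip, result))
            per_user[user] += 1
    return rejected, per_user


# Constructed sample login records (not real log data).
SAMPLE_LOG = [
    "2007-11-07T09:01:12Z alice 203.0.113.44 success",
    "2007-11-07T09:03:40Z bob 198.51.100.7 success",
    "2007-11-07T22:15:03Z alice 192.0.2.88 success",  # right password, wrong network
    "2007-11-07T22:16:10Z alice 192.0.2.88 success",
    "2007-11-07T22:20:55Z carol 192.0.2.91 failure",
    "garbage line",
]

if __name__ == "__main__":
    rejected, per_user = evaluate_logins(SAMPLE_LOG)
    for ts, user, ip, result in rejected:
        print(f"{ts}: {user} from {ip} ({result}) would be blocked by the IP restriction")
    print("out-of-range attempts per user:", dict(per_user))
```

The two "success" records for alice from 192.0.2.88 are the interesting ones: the password was accepted, so a password-only control saw nothing wrong, but an address restriction would have refused them, and the per-user count of out-of-range attempts is exactly the kind of log signal a provider can use to decide which customers to alert.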

Tom Espiner writes for ZDNet UK
