- A misconfiguration. Salesforce misconfiguration exposes private data across multiple sites, including government agencies, healthcare institutions and banks.
- Potential risk. Over 150,000 companies relying on Salesforce are potentially at risk due to this data exposure.
- Guest policy problem. The issue is not a vulnerability but a misconfiguration that administrators make when setting up guest policies.
Gather 'round for a shocking tale of customer data security, or rather, the lack thereof! Is Salesforce, the powerhouse CRM platform you know and love, spilling your precious customer data like a fumbling waiter with a tray full of drinks? The debacle is unfolding at an alarming pace, potentially making your private data more public than a viral cat video.
Data security should be top of mind for all enterprise business leaders as the amount and types of data we hoover up continually grow. And yet the lesson of data security has reared its ugly head once again. It seems that many public Salesforce sites are now inadvertently revealing private data, and you won't believe the impact it's having. In the latest bombshell from KrebsOnSecurity, it has been revealed that a misconfiguration in the Salesforce platform is compromising private customer data across multiple sites. The affected organizations include government agencies, healthcare institutions and banks, and in many cases the exposed data included names, addresses and Social Security numbers.
It seems that we're playing catch-up in this ever-evolving game of cat and mouse. With more than 150,000 companies relying on Salesforce, this misconfiguration has created a potential avalanche of data exposures, putting sensitive customer information at risk.
What Went Wrong
So, how did this happen? Salesforce's public-facing sites are intended for marketing and customer relationship management (CRM) purposes. According to a statement from Salesforce, these data exposures are not the result of a vulnerability but instead appear to be a misconfiguration that administrators make when setting up guest policies. Krebs is on the same page, it appears, writing, “The data exposures all stem from a misconfiguration in Salesforce Community that allows an unauthenticated user to access records that should only be available after logging in.”
Salesforce has in the past recommended that administrators run the Guest User Access Report Package to review what the unauthenticated guest user of a site can see.
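The guest-policy problem described above comes down to what the site's guest user profile is allowed to read. The following is an added example, not code from the article, from Krebs or from Salesforce: a small offline audit that parses a guest-user profile export in the Salesforce Metadata API Profile XML format (`objectPermissions` and `fieldPermissions` elements) and flags objects and fields readable by the unauthenticated guest. The two profile documents, the object allow-list and the severity labels are constructed for illustration; a real review would run the check over the profile actually assigned to the site's guest user.

```python
"""Audit a Salesforce guest-user Profile export for object/field read access.

Added example (not from the article or from Salesforce). It assumes Profile
metadata in the Metadata API XML format; both profiles below are constructed.
"""
import xml.etree.ElementTree as ET

NS = {"sf": "http://soap.sforce.com/2006/04/metadata"}

# Constructed weak profile: the guest user can read every Contact record,
# including a custom SSN field. This is the kind of setup the article describes.
SAMPLE_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>false</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>true</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Contact</object>
        <viewAllRecords>true</viewAllRecords>
    </objectPermissions>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.SSN__c</field>
        <readable>true</readable>
    </fieldPermissions>
    <fieldPermissions>
        <editable>false</editable>
        <field>Contact.Email</field>
        <readable>false</readable>
    </fieldPermissions>
</Profile>
"""

# Constructed hardened profile: guest may only create Cases (e.g. a web form),
# with no read access to records at all.
HARDENED_PROFILE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <custom>true</custom>
    <objectPermissions>
        <allowCreate>true</allowCreate>
        <allowDelete>false</allowDelete>
        <allowEdit>false</allowEdit>
        <allowRead>false</allowRead>
        <modifyAllRecords>false</modifyAllRecords>
        <object>Case</object>
        <viewAllRecords>false</viewAllRecords>
    </objectPermissions>
</Profile>
"""

# Constructed allow-list: objects a public site legitimately lets guests read.
ALLOWED_GUEST_READ = {"Knowledge__kav"}


def _is_true(elem, tag):
    """Return True when the child element <tag> holds the literal 'true'."""
    child = elem.find(f"sf:{tag}", NS)
    return child is not None and (child.text or "").strip().lower() == "true"


def audit_guest_profile(profile_xml, allowed=ALLOWED_GUEST_READ):
    """Return sorted (severity, target, reason) findings for a guest profile."""
    root = ET.fromstring(profile_xml)
    findings = []
    for op in root.findall("sf:objectPermissions", NS):
        obj = op.findtext("sf:object", default="", namespaces=NS)
        if _is_true(op, "allowRead") and obj not in allowed:
            # Read plus View All Records means every record, not just shared ones.
            if _is_true(op, "viewAllRecords"):
                findings.append(("HIGH", obj, "guest profile grants Read + View All Records"))
            else:
                findings.append(("MEDIUM", obj, "guest profile grants Read"))
        for tag, verb in (("allowEdit", "Edit"), ("allowDelete", "Delete"),
                          ("modifyAllRecords", "Modify All")):
            if _is_true(op, tag):
                findings.append(("HIGH", obj, f"guest profile grants {verb}"))
    for fp in root.findall("sf:fieldPermissions", NS):
        field = fp.findtext("sf:field", default="", namespaces=NS)
        if _is_true(fp, "readable"):
            findings.append(("MEDIUM", field, "field readable by guest"))
    return sorted(findings)


if __name__ == "__main__":
    for name, xml in (("weak", SAMPLE_PROFILE_XML), ("hardened", HARDENED_PROFILE_XML)):
        print(f"== {name} profile ==")
        for sev, target, reason in audit_guest_profile(xml) or [("OK", "-", "no guest read access")]:
            print(f"{sev:6} {target:20} {reason}")
```

Running the script reports the Contact object (Read plus View All Records) and the `Contact.SSN__c` field for the weak profile and nothing for the hardened one. Object-level read is only one of the things the Guest User Access Report covers; sharing rules and public group membership for the guest user need the same kind of review.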
Anyway, seriously, if you have a Salesforce community site, don't just sit on your hands and say "we didn't have the right DevOps process" (hint: it's got nothing to do with DevOps), and get a reputable company to check it out with you. Where would you find such a company...? — JodieM (@jodiem) April 28, 2023
As a result, cybercriminals are likely having a field day, gathering valuable data to use for phishing attacks and identity theft. Businesses that collect customer data, meanwhile, are left scrambling to protect their customers and their information.
Stay tuned, as we continue to monitor this developing story.