Employee Hands Customer List to Phisher

Customers on a leaked contact list have been receiving more dangerous bogus e-mails, culminating in payloads that install viruses or key loggers.

Customers on a leaked contact list have been receiving bogus e-mails that have progressively become more dangerous, culminating in the past few days in a new wave of phishing attempts that have included payloads that install viruses or key loggers, the company said in a Nov. 6 letter to customers.

The contact list was leaked, it turns out, by an employee who fell for a phishing scam him- or herself and revealed his or her own password, which then led to a customer contact list being copied, said Parker Harris, executive vice president of technology, in the letter.

Salesforce discovered the breach through an investigation initiated when it recognized a rise in phishing attempts directed at customers over the past few months—a rise that has coincided with the CRM (customer relationship management) SAAS (software as a service) vendor's growing customer base, Harris said. At this point, the community is nearing 1 million subscribers.

The contact list contained first and last names, company names, e-mail addresses, telephone numbers of customers, and related administrative data belonging to

The slipup was not due to the exploit of a vulnerability in the Salesforce application or database, Harris emphasized.

After the contacts were leaked, what Salesforce called a "small number" of customers began to receive the bogus e-mails, which looked like invoices but were in actuality attempts to phish for more information.

Harris said that users at a "very small number" of customers that received the phishing e-mail revealed passwords to the phisher.


The phishing attempts have gotten worse in the past few days, with a new wave of e-mails with attached malware, including viruses or key loggers. This new onslaught is apparently targeted at a broader group of customers, Harris said. This is the reason why the company warned its system administrators last week and why it is now publicly warning customers.

Salesforce has not released a timeline for the escalation of these phishing attempts nor mentioned how much of a lag there was between the time it discovered its own employee's blunder and the public confession and warning. A spokesperson for Salesforce told eWEEK that the company is not commenting beyond Harris' letter.

A volunteer for—a volunteer-run site that keeps a running list of data breaches—told eWEEK that targeted phishing attacks and targeted spam have spiked in the past few months, so the breach doesn't come as a shock.

What's more, the fact that Salesforce's lost data was limited to names, e-mail addresses and the like, as opposed to financial information, shouldn't be used as cause to treat this lightly, particularly given the convincing nature of targeted phishing attacks, said the volunteer, who goes by the name "Lyger."

"The real twist to targeted attacks is that they have a chance of being more successful than a 'spray and pray' phishing scheme because the 'victim' may be more likely to treat the 'attacker' as a trusted source, and from there can be leveraged to obtain a victim's financial information, which apparently did happen to a limited degree in the breach," Lyger said.

And as history tells us, data breaches often unfurl such that more sensitive information turns out to have been potentially at risk, as happened in the TD Ameritrade case, Lyger noted. In that data breach incident, it turned out that Social Security numbers and account information were stored on the same database as the client data that was stolen, although that sensitive information was apparently not accessed, according to the brokerage.



Harris said that Salesforce is actively monitoring and analyzing logs to enable proactive alerts to customers who have been affected. The company is also working with security vendors and experts on specific threats and working to take down fraudulent sites as quickly as possible—"often within an hour of detection," Harris said.

In addition, Salesforce is reinforcing security education and tightening access policies in its own ranks, while evaluating and developing new technologies both for its customers and for deployment within its own infrastructure.

Salesforce is advising customers to activate IP range restrictions that will allow users to access Salesforce only from within customers' own corporate network or VPN, thus providing a second factor of authentication. Salesforce is also teaching employees not to open suspect e-mails and to deploy spam filtering and malware protection, as well as designate a security contact so that Salesforce can more effectively communicate with customers. Finally, the company is asking customers to consider using other two-factor authentication techniques including RSA tokens.

Salesforce will hold a Webinar on Nov. 8 to walk customers through the changes. Details will be available on the company's security page.

The company is now working with affected customers to ramp up their security and with law enforcement and industry experts to trace what happened and prevent further successful scams.
