Never Secure: Private Data Leaked from Public Salesforce Websites

A surprising number of companies, such as banks and healthcare providers, expose confidential and sensitive data through their public Salesforce Community websites due to a configuration error that permits unauthenticated users to access records meant to be accessible only after logging in, according to KrebsOnSecurity. 

What is the Salesforce Community?

Salesforce Community is cloud-based software that lets companies build websites quickly. There are two ways to access a Salesforce Community website:

  • Authenticated access, which requires a login.
  • Guest user access, which requires no login: it lets unauthenticated visitors view particular content and resources without signing in.

However, Salesforce administrators may unintentionally give guest users access to internal resources, leading to unauthorized users accessing an organization’s private data, potentially resulting in data breaches.
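As an added illustration (not code from the article or from Salesforce), the check below shows how an administrator can audit a Site Guest User profile offline: it parses Profile metadata XML in the Metadata API format and lists every object the guest profile is allowed to read that is not on an allowlist of intentionally public objects. The profile XML and object names are constructed for the example.

```python
"""Audit a Salesforce guest-user Profile for object read access.

Added example: parses Profile metadata XML (the format the Metadata API
and Salesforce CLI retrieve) and lists the objects the guest profile can
read, the permission class behind the exposures described above.
The sample profile below is constructed, not from a real org."""
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}

# Constructed sample of a Site Guest User .profile-meta.xml
SAMPLE_PROFILE = """<?xml version="1.0" encoding="UTF-8"?>
<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
    <objectPermissions>
        <allowRead>true</allowRead>
        <viewAllRecords>false</viewAllRecords>
        <object>Knowledge__kav</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>true</allowRead>
        <viewAllRecords>true</viewAllRecords>
        <object>Loan_Application__c</object>
    </objectPermissions>
    <objectPermissions>
        <allowRead>false</allowRead>
        <object>Contact</object>
    </objectPermissions>
</Profile>"""


def _flag(node, name):
    """True if the child element <name> holds the text 'true'."""
    el = node.find(f"m:{name}", NS)
    return el is not None and (el.text or "").strip().lower() == "true"


def guest_readable_objects(profile_xml, allowlist=()):
    """Return [(object, view_all_records)] for each object the profile
    can read that is not on the allowlist of intentionally public objects."""
    root = ET.fromstring(profile_xml)
    findings = []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", default="", namespaces=NS)
        if _flag(op, "allowRead") and obj not in allowlist:
            findings.append((obj, _flag(op, "viewAllRecords")))
    return findings


if __name__ == "__main__":
    for obj, view_all in guest_readable_objects(SAMPLE_PROFILE, ("Knowledge__kav",)):
        print(f"guest can read {obj}" + (" (View All Records!)" if view_all else ""))
```

Run it against every `*.profile-meta.xml` retrieved for guest profiles; any object outside the allowlist, especially with View All Records set, deserves a review of both the object permission and the org's guest sharing rules.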

This is not the first time data has leaked through Salesforce. To reduce risk and keep control of their data, businesses can use Salesforce export to Excel for secure offline backups and controlled data analysis.

Cases reported recently

  • KrebsOnSecurity recently informed Huntington Bank, based in Columbus, Ohio, that TCF Bank, which it had recently acquired, had a Salesforce Community website that was leaking documents related to commercial loans, including confidential information.

What did they do: Huntington Bank has now disabled the misconfigured TCF Bank Salesforce website. Matthew Jennings, deputy chief information security officer at Huntington, said, “They are still investigating how the misconfiguration happened, how long it continued, and how many records were potentially exposed.”

Charan Akiri, a security researcher, identified hundreds of other organizations with misconfigured Salesforce pages but has had difficulty receiving responses from most organizations.

  • Earlier this year, Washington, D.C., health administrators experienced a data breach at the health insurance exchange DC Health Link that exposed the personal information of over 56,000 users, including several members of Congress. The cause of the breach was a misconfiguration of the DC Health Link server that allowed access to the reports without proper authentication. 

According to an investigation, the data from the breach was later sold on a top cybercrime forum. Salesforce has stated that the data exposures are not due to a vulnerability in the Salesforce platform but result from access control permissions misconfigured by its customers.

Important links to visit Salesforce guidelines:

Concluding thoughts

These incidents show that private information urgently needs to be secured. Relying on any company to protect your sensitive information is not enough; you need to stay vigilant and reinforce your own security measures at every level. Remember, it is your right to be safe and secure, even digitally!

By PureVPN, April 28, 2023

PureVPN is a leading VPN service provider that excels in providing easy solutions for online privacy and security. With 6000+ servers in 65+ countries, it helps consumers and businesses keep their online identity secure.