Friday, November 9

Salesforce.com confirms security breach

Mark Hrywna at the Nonprofit Times has another alarming story:

Salesforce.com is the second software vendor to nonprofits this week to announce a data breach. The firm alerted its clients of phishing attempts and the security breach. The most recent phishing attempts included malware, software that secretly installs viruses or key loggers.

Salesforce.com sent security alerts to customers regarding two recent phishing emails: one titled “FTC” on Oct. 29 and the other “We want to make a order with…” on Nov. 6. The San Francisco-based company refused comment, except for a letter to clients that indicated “a rise in phishing attempts directed at salesforce.com customers over the past few months. The firm has more than 30,000 clients, fewer than 10 percent of which are nonprofits. The firm offers small organizations licenses for up to 10 users at no cost.
I'm not really good with math, but "fewer than 10 percent" still means that there could be up to 3,000 nonprofits out there trying to figure out the impact of the breach, right?

1 comment:

abenamer said...

The Nonprofit Times article is quite misleading. I think the writer confused the issue. Basically, a salesforce.com database was penetrated but all the hacker got away with were names, addresses and an e-mail address and other administrative data. Unlike Convio, no passwords were downloaded. However, even that information is dangerous in the hands of the bad guys. That information were repackaged to look like official correspondence from salesforce.com that essentially asked for the passwords and sent to other salesforce.com customers. It's a breach but it's one that was mitigated by slightly better security practices. And arguably, phishing attempts are the most difficult to stop.

Unfortunately, this attack got reported as somehow pertaining to the nonprofit sector but there's no actual record so far of that happening. I think, at least for our sector, this salesforce.com "security breach" is a non-story.