
The Biggest Salesforce Security Threat Could Be Right Under Your Nose

By Sasha Semjonova

Security isn’t sexy, and it isn’t something that many of us enjoy sitting down and listening to seminars or PowerPoint presentations about. After all, you might think: how much is there to really understand outside of basic common sense? Don’t use the same password twice, don’t give sensitive data to a group of hackers, and don’t play with permissions that you’re not supposed to play with.

While all of this might be true, the latest Salesforce data breaches – a continuation of the Data Loader breach that plagued businesses just two months ago – have served all of us with a stark reminder: many orgs aren’t as secure as they should be, teams aren’t as well trained as they should be, and ultimately, human error continues to be the fatal force behind a succession of breaches just like these.

What Are These Salesforce Breaches?

In June, we reported that hackers had stolen large amounts of data by tricking employees at companies into installing a modified version of Salesforce Data Loader – a tool used for importing, exporting, and bulk managing Salesforce data. 

Two groups of hackers – now publicly known as ShinyHunters (aka UNC6240) and Scattered Spider – are suspected of using voice phishing (vishing) to get a variety of Salesforce customers to download the malicious app. Essentially, Salesforce users were socially engineered into downloading a fake Data Loader app, which then gave the hackers access to their org and let them exfiltrate sensitive data.

READ MORE: Chanel Named As Latest Victim of Salesforce Data Theft

The attacks have been described as both extremely coordinated and calculated, with companies like Chanel, Qantas, Adidas, Victoria’s Secret, and now Google being impacted. 

Tom Morgan also reported that, although there is no confirmation yet, the two parties are believed to share a cybercriminal network known as “The Com”, an elite network of hackers who share resources, tools, and tactics.

Not only that, but a spokesperson from ShinyHunters has recently come out and said that this is very much not over, and that the group already has future plans. 

 “If trillionaires like Google can’t stop us, then billionaires are nothing,” they said. “Next time it’s going to be much, much worse.”

Could These Have Been Prevented?

If ShinyHunters do have bigger plans on their agenda, it shouldn’t necessarily strike fear into the heart of every Salesforce business, but it should make them think. A timer has started counting down, and the promise of another attack has been plastered on an Internet billboard – preventive action is now the number one priority.

Now, realistically, you can’t prepare for every attack, and you can’t prevent every attack either. Robert S. Mueller III, former Director of the FBI, famously said: “There are only two types of companies: those who have been hacked, and those who will be hacked”, and his statement still holds merit. No company’s security is foolproof, and if someone is determined enough, they will get through.

However, could these Salesforce breaches have been prevented? The answer could very well be yes. 

“Could it have been prevented? Probably,” said a commenter on a recent Reddit thread discussing the breaches. “From what’s been shared, the root problem is weak access controls around connected apps and too much trust in OAuth scopes.”

Although every Salesforce company should be meticulously reviewing its connected apps right now, that is only one part of the puzzle. The other part? Good, old-fashioned human error.

READ MORE: A Salesforce Admin’s Guide to Auditing Connected Apps

Why Disconnected Teams Are Dangerous 

When I sat down with Matt Meyers, the Founder and CEO of EzProtect, I just wanted the answer to two questions: could this have been prevented, and if so, how?

“I believe all of these could have been avoided if customers had configured their Salesforce environments with better security,” he told me. 

“What I’m preaching to people on the secure profile side is, for example, if you have IP security enabled, then you enable IP security not only on login but every single request that then covers beyond the connected app. So even if they had that Data Loader or connected app in there and they were checking the IP security, then unless they were able to spoof their IP address, there’s no way that they would have been able to connect to get their data.

“Even if they put the code in to get authenticated, because the connected app still wouldn’t be able to hit the APIs without the IP.”

READ MORE: Ultimate Guide to Salesforce APIs

This seems easy enough to sort, but the configuration isn’t the complicated part. The complicated part is getting your teams to see eye-to-eye and share knowledge, and as Matt has experienced, there is currently a gaping disconnect between certain Salesforce teams.

“Security teams know a lot about security and the security frameworks, but they know nothing about Salesforce,” he said. “Then you have the Salesforce teams on the other side that are extremely knowledgeable about Salesforce, but if you ask them about any common security frameworks or the training on phishing attacks, they’re not very knowledgeable at all.”

He also highlighted that although this particular disconnect between security teams and Salesforce teams was worrying, a bigger problem lay with executive teams, who are constantly told that Salesforce is a trusted platform and not to worry about it. 

Ultimately, multiple disconnected players across the vertical have opened up a big gap, and unless it gets patched up, teams will be stuck pointing fingers at each other while hackers sneak in without so much as a fight.

“Are teams prepared for these breaches? I say no. Your weakest link is humans – 88% of breaches are caused by human error.”

Could Outsourcing Be Involved in This?

Disconnected teams that operate within a singular, self-contained company are dangerous enough, but when you have a team that also consists of offshored or outsourced team members, then the risk only goes up. 

Chris Emmett, a Solution Architect at Capgemini, explained that this dynamic could very well have played a part in a number of the attacks. 

“There are a lot of people that – for better or for worse – have joined the industry with Salesforce’s push,” he told me. “People who didn’t necessarily have an IT background.

“Now, Salesforce is a relatively immature technology, so on one side, you have the immaturity of the people and the platform coming in that don’t necessarily have the rigorous security knowledge, and then you’ve also got these outsourced companies [and people] who are strong-armed into doing stuff they really shouldn’t.”

READ MORE: Salesforce Ecosystem Offshoring Updates for 2025

Although offshoring and outsourcing are largely positive practices for many businesses, one of the biggest drawbacks of both is the data security and compliance risk. Making sure an offshore team follows strict security measures and meets any legal standards relevant to your business can be much trickier overseas, especially if the team is not fluent in English or the company’s main operating language.

There is also the possibility that such teams are not trained in the same way, or with the same security material, as onshore teams are. In that case, when someone calls claiming to be Salesforce or another important party, they are less well placed to make the right decision.

“If someone’s screaming down the phone saying ‘you must give me this information or you’re fired’, it’s okay to say no,” Chris said. “These outsourced teams need to be given that instruction and that confidence to say no.”

Exposing a Salesforce Blind Spot 

Of all the discussions being had over these breaches, one of the most pertinent centers on whether there is a bigger issue in Salesforce’s actual security model – a blind spot that has been noticed but ignored for some time.

One commentator on Reddit shared their thoughts on this, saying that they believed these attacks emphasised a blind spot that had been there for “way too long”. 

Another commenter agreed, saying: “The number of orgs I have seen with wide open security holes and bad data handling practices is actually astonishing. I have pointed these out to clients, and they don’t care. They see the resources to spend on fixing the issues as thrown away money.”

On a separate thread, others questioned whether both professionals and the security framework had already passed the point of no return, with one commenter asking: “Who in their right mind would install an app in their production environment on the back of a voice call from unknown caller(s)?”

“Not to minimize this, but if they’re talking people into downloading stuff onto their PC and changing things in Setup, it seems like the security ship is already well over the horizon,” another said.

Interestingly, Chris admitted that it actually is “very easy” to get tricked into a scam such as this one, especially if the hacker can make their case convincing enough. Combine that with disconnected teams that aren’t informed enough across all bases, and team members who are afraid of strict deadlines and not messing up, and you have a recipe for calculated disaster.

READ MORE: Does Salesforce Have an Issue With Bad Consultancy Partners?

How to Advocate for Change

Whether your company has been impacted by these particular breaches or you got away untargeted or unscathed, the risk is still present. We first said this after the first round of breaches had been addressed, and we will say it again now: if you’re not using this time to find every way to keep your org as secure as possible, you could very well be next.

READ MORE: Why the Salesforce Data Loader Breach Is Still a Risk for Admins

If you’re a company using Salesforce – especially in customer support or loyalty programs – now is the time to audit your access logs, tighten up permissions, monitor for abnormal data downloads, and enforce tighter API access controls.
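As an added illustration of the monitoring this paragraph calls for, and of the per-request IP check Matt describes above, the script below is example code (not from the article, Salesforce, or EzProtect) that runs three checks over a few constructed log rows shaped loosely after Salesforce Event Monitoring API/Bulk API records: requests from outside the trusted IP ranges, clients that are not on the reviewed connected-app list, and bulk export volumes above a per-user threshold. The column names, trusted ranges, approved client list, and threshold are all assumptions.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log, shaped loosely after Salesforce EventLogFile API/BulkApi rows.
# Column names are assumptions for this example, not the exact EventLogFile schema.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CLIENT_NAME,ROWS_PROCESSED
API,2025-08-10T09:01:00Z,005A1,203.0.113.10,Salesforce Data Loader,200
BulkApi,2025-08-10T09:05:00Z,005A1,203.0.113.10,Salesforce Data Loader,15000
BulkApi,2025-08-10T09:07:00Z,005B2,198.51.100.77,My Data Loader,120000
API,2025-08-10T09:08:00Z,005B2,198.51.100.77,My Data Loader,500
API,2025-08-10T09:10:00Z,005C3,203.0.113.22,Browser,20
"""

# Assumed corporate ranges: the same allow-list you would enforce on every request.
TRUSTED_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Assumed list of connected apps / clients the admin team has actually reviewed.
APPROVED_CLIENTS = {"Salesforce Data Loader", "Browser"}
# Assumed ceiling for bulk rows exported per user within the log window.
BULK_ROW_THRESHOLD = 50000


def ip_trusted(ip: str) -> bool:
    """True if the client IP falls inside one of the trusted ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_RANGES)


def flag_suspicious(log_text: str) -> list:
    """Return sorted, de-duplicated (user_id, reason) pairs for events breaking a control."""
    findings = set()
    bulk_rows_by_user = defaultdict(int)
    for row in csv.DictReader(io.StringIO(log_text)):
        user = row["USER_ID"]
        if not ip_trusted(row["CLIENT_IP"]):
            findings.add((user, f"request from untrusted IP {row['CLIENT_IP']}"))
        if row["CLIENT_NAME"] not in APPROVED_CLIENTS:
            findings.add((user, f"unreviewed client '{row['CLIENT_NAME']}'"))
        if row["EVENT_TYPE"] == "BulkApi":
            bulk_rows_by_user[user] += int(row["ROWS_PROCESSED"])
    # Volume check is per user across the window, so it runs after the scan.
    for user, total in bulk_rows_by_user.items():
        if total > BULK_ROW_THRESHOLD:
            findings.add((user, f"bulk export volume {total} rows exceeds {BULK_ROW_THRESHOLD}"))
    return sorted(findings)


if __name__ == "__main__":
    for user_id, reason in flag_suspicious(SAMPLE_LOG):
        print(f"{user_id}: {reason}")
```

In the sample, only user 005B2 trips the checks: an unreviewed client connecting from outside the trusted range and pulling 120,000 rows in bulk, which is exactly the pattern a rogue Data Loader would leave behind.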

Salesforce’s current status update encourages customers to review its blog post on key platform features and best practices, and if that isn’t enough, Tom Bassett’s detailed guide on reviewing your connected apps is a good next stop.

Start From the Middle or Bottom – Not at the Top

Matt insisted that within companies, the right change will not come from the top, at C-suite level, but from the teams below.

“It can’t start from the top – they won’t listen, unfortunately,” he said. “I think it needs to start from the middle or the bottom, and then they start to raise that awareness, and then the executives will start to listen in that way; that’s when the change will happen.

“Get the security teams involved in the Salesforce projects. Bring them in sooner and then share that knowledge so you know that the security teams actually understand how to do better security awareness checks on the orgs using Salesforce terminology.”

When it comes to further training, both Matt and Chris agreed that the change should come from Salesforce, but it likely won’t – leaving the responsibility on the community’s shoulders.

“The reason I started Office Hours [a series dedicated to security practices], is because I don’t think there’s enough security guidance from Salesforce,” Matt said. “They should [do more] but they won’t – so I think it’s up to the community to take on that role and provide more resources for people.”

READ MORE: Is Salesforce Losing Touch With Some of Its Biggest Communities in 2025?

“[Salesforce] is not interested in making their tool more difficult to use,” Chris said, explaining that tighter security measures, extra steps, and extra guardrails will likely put a lot of C-suite decision-makers off.

In my opinion, if Salesforce is happy to leave the knowledge sharing and creation and solidification of best practices to the community, then the least it can do is verify some of the most notable. Because it’s one thing perusing LinkedIn and finding someone who has shared that knowledge there – it’s another thing for that knowledge to have Salesforce’s seal of approval. 

Final Thoughts

These data breaches have impacted some of Salesforce’s largest customers, and if the words of the hacker groups are anything to go by, it’s clear that an end is not yet in sight. 

Security isn’t sexy, but right now it’s more important than ever, and companies have an obligation to not only ensure their orgs are as airtight as they can be, but that their teams are connected, well-trained, and confident in saying no. 

Have you been affected by the Salesforce data breaches? Reach out to us anonymously (or not) at tips@salesforceben.com.

The Author

Sasha Semjonova

Sasha is the Salesforce Reporter at Salesforce Ben.
