Sensitive Data Is Being Leaked From Servers Running Salesforce Software

Servers running software sold by Salesforce are leaking sensitive data managed by government agencies, banks, and other organizations, according to a post published Friday by KrebsOnSecurity.

At least five separate sites run by the state of Vermont allowed anyone to access sensitive data, Brian Krebs reported. The state’s Pandemic Unemployment Assistance program was among those affected. It exposed applicants’ full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers. Like the other organizations providing public access to private data, Vermont used Salesforce Community, a cloud-based software product designed to make it easy for organizations to quickly create websites.

Another affected Salesforce customer was Columbus, Ohio-based Huntington Bank. It recently acquired TCF Bank, which used Salesforce Community to process commercial loans. Data fields exposed included names, addresses, Social Security numbers, titles, federal IDs, IP addresses, average monthly payrolls, and loan amounts.

Both the state of Vermont and Huntington Bank learned of the leaks when Krebs contacted them for comment. In both cases, the customers quickly removed public access to the sensitive information.

Salesforce Community websites can be configured to require authentication so that a limited number of authorized people can access sensitive data and internal resources. The sites can also be set up to let anyone view public information without authenticating. Administrators sometimes inadvertently allow unauthenticated visitors to access website sections intended to be available only to authorized
