Phished Salesforce.com data used for phishing attacks

Password leak leads to major CRM customer data haul.

A security breach at customer relationship management (CRM) firm Salesforce.com has led to a large-scale leak of confidential user data, which has been put to use for targeted phishing attacks posing as Salesforce invoices.

Salesforce offers a software-as-a-service platform for CRM, covering sales and marketing information management online. The leak apparently occurred when a Salesforce employee handed over login credentials after being tricked by a phish. With employee access to company databases, the phishers harvested data including email addresses and other contact details, which were then used for further targeted phishing. There has also been some evidence of the addresses being spammed with malware attacks, possibly enabling further data gathering.

Salesforce has issued an email to over a million users, warning of the risk of phishing and suggesting a series of security steps to minimise the risk of fraud. The statement is here.

09 November 2007

Tags: data leak, phishing, social engineering, spam.   
