Banks and healthcare providers expose private data through Salesforce Community websites

Banks and health care providers are among the institutions exposing private and sensitive information from their public Salesforce Community websites, according to KrebsOnSecurity.

Because of a misconfiguration in Salesforce Community, unauthenticated individuals were allegedly able to view records that should have been available only after signing in. Salesforce administrators may erroneously grant guest users access to internal resources, allowing unauthorized individuals to read an organization's confidential information and potentially leading to data leaks.

The exposures were discovered by security researcher Charan Akiri, who said he had written a tool that detected hundreds of additional firms operating misconfigured Salesforce sites. According to Salesforce, the data exposures are not the consequence of a vulnerability in the Salesforce platform, but can occur when customers' access control permissions are configured incorrectly.

The state of Vermont was affected: it had at least five separate Salesforce Community sites that allowed guests to access sensitive data, including a Pandemic Unemployment Assistance program site that exposed applicants' full names, Social Security numbers, addresses, phone numbers, email addresses, and bank account numbers.

Vermont's Chief Information Security Officer, Scott Carbee, stated that his security teams have been conducting a thorough review of the state's Salesforce Community sites, and that they have already discovered one more state-maintained Salesforce site that was likewise misconfigured to give guest visitors access to sensitive information.

The sources for this piece include an article in KrebsOnSecurity.
