Naive employee's password gives phishers access to customer contact details

Nov 7, 2007 18:13 GMT

Salesforce.com, one of the leaders in the on-demand Customer Relationship Management (CRM) industry, handed its customers' contact details to phishers through the naivety of an employee. It appears that a Salesforce employee fell for a phishing attempt, giving the attackers access to the company's client contact list.

"We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied," Salesforce wrote in a message addressed specifically to its clients. The company, however, stresses that the leak was not caused by a security flaw in its system: "To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database."

The firm confirmed that the stolen information includes "first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com." Moreover, some of the customers on the list subsequently handed over their own account passwords when contacted by the same phishers who had stolen the list.

Although it is not certain that it was a result of the leaked details, a phishing campaign targeting Salesforce customers began a few days after the incident, with the attackers attempting to install malware on victims' computers.

"However, a few days ago a new wave of phishing attempts that included attached malware (software that secretly installs viruses or key loggers) appeared and seemed to be targeted at a broader group of customers. That's why we warned our system administrators last week of this new, more malicious phish and why we are sending this letter now with the goal of increasing awareness," Salesforce's representatives continued.

As usual, you are advised not to open untrusted emails arriving in your inbox and not to download attachments from unknown messages reaching your account.