Salesforce Trust



An Important Letter About Security


October 2007

Dear Salesforce.com Customer:


It's time to take more action to prevent phishing. For salesforce.com, that means alerting our customers to specific new threats, raising awareness around the issue, educating administrators about key steps they can take today, and continuing to define, develop, and deploy the technologies that deliver customer security and success. In this note, we'll clarify recent issues and outline what our customers can do to increase security.


Phishing and Salesforce.com


Phishing and malware are Internet scams on the rise. As salesforce.com's community approaches one million subscribers, it has become an increasingly appealing target for phishers. In fact, we have seen a rise in phishing attempts directed at salesforce.com customers.


When we first saw signs of this sudden rise, we conducted a thorough analysis. We learned that a salesforce.com employee had been the victim of a phishing scam that allowed a salesforce.com customer contact list to be copied. To be clear, a phisher tricked someone into disclosing a password, but this intrusion did not stem from a security flaw in our application or database. Information in the contact list included first and last names, company names, email addresses, telephone numbers of salesforce.com customers, and related administrative data belonging to salesforce.com. As a result of this, a small number of our customers began receiving bogus emails that looked like salesforce.com invoices, but were not—they were also phishes. Unfortunately, a very small number of our customers who were contacted had end users that revealed their passwords to the phisher. Our support and security teams have been working with the small group of affected customers to enhance their security and with law enforcement authorities and industry experts in an effort to trace what occurred and prevent further attempts.


However, another wave of phishing attempts that included attached malware—software that secretly installs viruses or key loggers—appeared and seemed to be targeted at a broader group of customers. That's why we warned our system administrators of this more malicious phish and why we are posting this letter with the goal of increasing awareness.


What We Are Doing


Customer security is the foundation of customer success, so we have been implementing and will continue to implement the best possible practices and technologies in this area. Our recent and ongoing actions include:


What We Recommend You Do


Salesforce.com is committed to setting the standards in software as a service for being an effective partner in customer security. So, in addition to our efforts, we strongly recommend that our customers implement the following changes to enhance security:


Unfortunately, phishing is a reality on the Internet these days. But with the right mix of awareness, education, and preventive technology, the consequences of phishing don't have to be part of that reality.


There is no finish line on security, so we hope that this information will foster more communication between salesforce.com and its customers on this very important matter.


We realize that you may have more questions, and our security and support teams are ready to help at any time.


Sincerely,

Parker Harris,

Co-Founder, Salesforce.com