Salesforce Data Theft Attacks: Why the Company Refused to Pay Ransom

johny899

Think about hackers stealing millions of customer records and then demanding a ransom from the company, only for the company to respond with, "Nope, not paying." That's what Salesforce did. Pretty bold, right?

Let's get into what happened and what made Salesforce choose this course of action.

What Happened After All

Hackers Used Social Engineering

The hackers did not "hack" into Salesforce itself: they manipulated people into providing access. They sent fake support messages and made calls to convince employees to click malicious links.

When the employees linked a fake app to their Salesforce accounts, the hackers could access and swim in all the data without having to hack in. Then the hackers used software called Salesloft Drift to steal login tokens that provided access to Salesforce data.

The tokens permitted the hackers access to the Salesforce system and allowed them to pull customer data — sneaky trick, right?

Large Amounts of Data Stolen

The hackers say they stole about a billion data records from multiple large companies — including Google, Disney, IKEA, Cisco, and McDonald's.

A hacker group called ShinyHunters even stated that they took 1.5 billion records from over 760 companies through this method. This is huge!

Why Salesforce Said “No” to Paying

They Don’t Want to Incentivize Hackers to Do This Again

Salesforce clearly stated that it will not pay or communicate with hackers. Why? Because once you start paying, they will keep coming back. And paying does not guarantee that they actually delete the stolen data.

I mean, that makes sense, right? You wouldn't trust criminals to do what they say.

They Knew Their Own Systems Were Safe

Salesforce stated that its core systems were never breached. The issue arose from third-party applications or tokens and did not occur on Salesforce's servers, so the core Salesforce platform was secure, although some customers may still be frustrated that their data was divulged anyway.

They are collaborating with law enforcement and cybersecurity specialists to neutralize the attackers rather than offer payment to regain control of the compromised credentials and customer data.

Plus, they revoked all hacked access tokens to prevent any other customer data from being exposed - smart move!

Here is what we can distil from this incident to ensure cybersecurity threats do not become incidents:

• Be careful with third-party apps. While your main systems may have ironclad security, these connected apps can leave you exposed.
• Help your team understand the threat. Hackers would much rather trick a human than a computer.
• Think ahead. Establish if you would pay a ransom and why.
• Audit your accounts and access, such as third-party apps, and terminate accounts that you no longer use.
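
One way to run the third-party app audit from the last point, as an added example that is not part of the original post. It reads an exported inventory of connected-app tokens and flags tokens for apps that are not on an approved list or that have sat unused. The column names, app names, allowlist and 90-day threshold are all assumptions made for the illustration.

```python
import csv
import io
from datetime import date, datetime, timedelta

# Constructed sample export of connected-app tokens (column names are assumptions).
SAMPLE_EXPORT = """app_name,user,last_used
Chat Widget,alice@example.com,2025-08-01
Bulk Loader,bob@example.com,2025-01-10
My Ticket Portal,carol@example.com,2025-09-28
Bulk Loader,dave@example.com,2025-09-30
"""

APPROVED_APPS = {"Chat Widget", "Bulk Loader"}  # hypothetical allowlist
STALE_AFTER = timedelta(days=90)                # hypothetical policy threshold


def audit_tokens(export_text, today, approved=APPROVED_APPS, stale_after=STALE_AFTER):
    """Return (app, user, reasons) for every token that should be reviewed or revoked."""
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        last_used = datetime.strptime(row["last_used"], "%Y-%m-%d").date()
        idle = today - last_used
        reasons = []
        # An app nobody approved is the "fake app" case: flag it even if it is in active use.
        if row["app_name"] not in approved:
            reasons.append("app not on approved list")
        # A token that has not been used for a long time is access nobody needs any more.
        if idle > stale_after:
            reasons.append(f"unused for {idle.days} days")
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    for app, user, reasons in audit_tokens(SAMPLE_EXPORT, today=date(2025, 10, 1)):
        print(f"REVIEW {app} ({user}): {'; '.join(reasons)}")
```

Each flagged entry is a candidate for revoking the token and, for unapproved apps, for checking how the app came to be connected in the first place.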