Protecting Salesforce Accounts from Takeovers and Ungoverned Access

If you’re reading this blog, there’s a good chance you’re familiar with Salesforce. It’s a hugely popular platform that businesses use to manage their customer data, sales activities, and other key business processes. 

With its popularity and the sensitive and commercial data that organizations store in the platform, Salesforce accounts are a prime target for cybercriminals looking to steal sensitive information. 

Why attackers target Salesforce accounts

Salesforce holds an enormous amount of sensitive information, such as personal data, financial information, and confidential business details. One of the biggest risks to Salesforce accounts is account takeover, where hackers gain unauthorized access to a user's account and steal or manipulate sensitive data. 

Yesterday, it was claimed that the hacking group ‘0ktapus’ had returned and were attacking technology and gaming companies, including Salesforce

This is not a new target. In recent years, there have been several high-profile cases of Salesforce account takeovers, including a hack at AstraZeneca, a pharmaceutical company. Hackers gained access to AstraZeneca's test Salesforce cloud environment, which was used by the company to manage its customers. Although the test environment was not connected to the company's live systems, it still contained some patient data, which the hackers were able to access. 

Attackers have become increasingly creative in how they access this data. One technique targeted misconfigurations in Salesforce communities that led to sensitive Salesforce data being exposed. Back in 2019, attackers gained access and scraped customer data from the Salesforce of Hanna Andersson, a children’s clothing store and online retailer.

Salesforce should fall under SSO, but exceptions can happen

Anyone who accesses Salesforce should do so via Single Sign-On (SSO) and Multi-Factor Authentication (MFA). There may be a few exceptions for some administrator accounts, but in general, organizations should aim to provision access via tools like Okta or Azure Active Directory.

Sometimes, however, exceptions crop up. It could be the access granted for a sales contractor, a third party building an integration, or perhaps the business does not want to “disrupt” the sales team by providing additional hoops to jump through to log in. 

Organizations need to be proactive in protecting their Salesforce accounts from account takeovers by implementing strong security measures such as two-factor authentication, regularly monitoring user activity, and providing regular security training for employees. This can help prevent unauthorized access to sensitive data and minimize the risk of data theft or manipulation.

Unfortunately, Salesforce customers must pay extra to access security, compliance and governance features offered under Salesforce Shield. Even with this, teams only get partial answers to their concerns.


Risks of ungoverned access

Discrepancies between SSO and other platforms matter because it increases the risk of ungoverned access. 

Such is the value of Salesforce data, it can be tempting for former sales employees to attempt to bring their contacts with them to a new company. If they find their Salesforce login credentials are still active, they may well login and export valuable contact information.

When employees are terminated, all their company accounts–including Salesforce–should be deprovisioned. Unfortunately, the reality is that there are often discrepancies between what is in the HR directory and identities in Salesforce.

Similarly, this can be the case when Salesforce doesn’t fall under a SSO like Okta. When employees (or contractors) leave the company, you may be wasting licenses on Salesforce accounts if the termination process doesn’t catch orphaned Salesforce accounts.


Monitor for exceptions with Oort

Oort has recently launched a new integration with Salesforce that provides extended visibility to security and IAM teams. 

For teams involved in rolling out SSO to Salesforce, Oort provides a way to ensure that users are accessing the platform in the most secure way. We will also help to identify accounts that should be under SSO but are not. 


The integration pulls in information on users and login activity and merges this with data in Okta and other identity platforms. 

Because Oort has a direct integration with Salesforce itself, you’re able to track user details and login events. This means that even if you don’t intend to put Salesforce behind SSO you can still monitor and protect user accounts. 


Creating a single pane of glass

Account takeover is a real threat to Salesforce accounts, and organizations need to be aware of the risks and take the necessary steps to protect their data and customers. 

With Oort, you can ensure your Salesforce users are protected behind SSO and monitor the activity of accounts that are not. 

With this single pane of glass into identities, security teams have the confidence that their accounts are protected and customer data is safe. 

Recent Blogs

Advanced Search Query Input Improvements

We are excited to announce several enhancements to thetrue

Duo SSO Logging Improvements 

We’re committed to enhancing the visibility of data sourced from Duo.true