Security News
Salesforce's Einstein Copilot can provide insights and perform tasks to help streamline daily processes. However, it also comes with risks that you should take steps to mitigate. Learn more from...
At Salesforce, Trust is our #1 value, and we build security into everything we do - across the business and our entire ecosystem - so that our customers and partners can focus on growth. Diving deeper, Salesforce has a world-class security team with security tools and systems to prevent, detect, and respond to any security threat.
Assurances include watermarking, reporting about capabilities and risks, investing in safeguards to prevent bias and more. Some of the largest generative AI companies operating in the U.S. plan to watermark their content, a fact sheet from the White House revealed on Friday, July 21.
Salesforce announced a rebrand of its Einstein 1 Data Cloud and new capabilities for the Einstein generative AI assistant for CRM at the Dreamforce conference held in San Francisco on Tuesday, Sept. 12. Salesforce's Einstein 1 Data Cloud metadata framework will be integrated within the Einstein 1 Platform.
The Guardio research team discovered an email phishing campaign exploiting a zero-day vulnerability in Salesforce's legitimate email services and SMTP servers. The vulnerability allowed threat actors to craft targeted phishing emails, evading conventional detection methods by leveraging Salesforce's domain and reputation and exploiting legacy quirks in Facebook's web games platform.
Hackers exploited a zero-day vulnerability in Salesforce's email services and SMTP servers to launch a sophisticated phishing campaign targeting valuable Facebook accounts. The attackers chained a flaw dubbed "PhishForce" to bypass Salesforce's sender verification safeguards and quirks in Facebook's web games platform to mass-send phishing emails.
A sophisticated Facebook phishing campaign has been observed exploiting a zero-day flaw in Salesforce's email services, allowing threat actors to craft targeted phishing messages using the company's domain and infrastructure. What makes the attack notable is that the phishing kit is hosted as a game under the Facebook apps platform using the domain apps.
Improperly deactivated and abandoned Salesforce Sites and Communities could pose severe risks to organizations, leading to unauthorized access to sensitive data. "Because these unused sites are not maintained, they aren't tested against vulnerabilities, and Admins fail to update the site's security measures according to newer guidelines."
Salesforce has become a defendant in a case brought by the Republican National Committee that seeks to prevent release of information revealing communications within the Republican Party related to the storming of the US Capitol building on January 6, 2021. Salesforce has become embroiled in the case because the Select Committee investigating the events of the day learned that the RNC and the Trump for President campaign used Salesforce for campaign communications and some internal communication.
This change has profound implications: customers unable to implement MFA across their access by the set date can continue to use Salesforce without MFA at their own risk. Thales statistics suggest that 90 per cent of cyberattacks utilise compromised credentials in some way, which if correct implies that failing to implement MFA on Salesforce is potentially shifting responsibility for almost all cyberattacks involving the service.