The State of Washington Department of Licensing experienced a data breach on January 24, 2022. Social Security numbers and other sensitive personal data were compromised for 650,000 individuals, including salespersons and other professionals. Some of the data may have already been distributed on the dark web. Salesforce maintains the database for the Department.
A Salesforce official said the company had no indication that their database had been compromised but declined to provide more details.
Salesforce responded that there is no evidence that the vulnerability was due to the Salesforce platform.
Others on social media have complained that Salesforce-powered platforms have sent their personal data to others in error. Most recently, Salesforce has shown the Log4j2 vulnerability, a remote code execution bug that allows users who control the contents of log messages to execute whatever code they like. In January 2022, Salesforce communicated that a patch had been applied against the bug.
Researchers at the Varonis cyber security company stated that a misconfiguration in a Salesforce community could expose data on the internet.
In May 2019, DataBreaches.net reported that Salesforce communicated to its customers “a database script deployment that inadvertently gave users broader data access than intended.”
In 2019, malware that infiltrated Salesforce affected retailer Hanna Andersson, which had data exposed. The retailer settled a $400,000 lawsuit, and Salesforce shared the costs.