
Salesforce Community Sites Leak Sensitive Data Due to Misconfigurations

Your data may be at risk. Hundreds of organizations, including Vermont and Washington D.C., have been leaking sensitive information due to misconfigured Salesforce Community sites.

Salesforce Community sites, used by various organizations to manage customer interactions, have been leaking sensitive data due to misconfigurations. Vermont and Washington D.C. are among the areas affected, with hundreds of other organizations potentially at risk.

Security researcher Aaron Costello first revealed this issue in August 2021. He found that unauthenticated users could access records meant for logged-in users on misconfigured Salesforce Community sites. Vermont's Chief Information Security Officer Scott Carbee confirmed at least six misconfigured sites in the state, including five operated by the state and one by a local organization. Similarly, DC Health in Washington D.C. had five sites exposing data, including Social Security numbers.

Huntington Bank's recently acquired TCF Bank also fell victim. A misconfigured Salesforce Community website leaked commercial loan applications, including Social Security numbers and loan amounts. Security researcher Charan Akiri has identified hundreds of other organizations running misconfigured Salesforce pages, highlighting the widespread nature of this issue.

Salesforce attributes these data exposures to misconfigured access control permissions, not a vulnerability in the platform. Organizations are urged to review and secure their Salesforce Community sites to prevent unauthorized access to sensitive information.
