
Salesforce Misconfiguration Causes Sensitive Data Leaks

1 min read
Last updated June 27, 2023

Brian Krebs recently reported that an alarming number of organizations—including banks and healthcare providers—are leaking sensitive information due to a misconfiguration in Salesforce Communities.

The misconfiguration, which Varonis Threat Labs documented extensively in October 2021, gives unauthenticated guest users access to records containing social security numbers and bank account info.


What actions should you take?

Follow our step-by-step guide, which walks Salesforce admins through how to:

  • Ensure your guest profile permissions don’t expose things you don’t want to be exposed (account records, employee calendars, etc.)
  • Disable API access for your guest profile
  • Set the default owner for records created by guest users
  • Enable secure guest user access
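The first three checklist items, as an added example that is not part of the original post or Varonis' tooling: an offline audit over an export of guest-profile `ObjectPermissions` rows. The field names are Salesforce's standard ones for that object; the rows themselves are constructed, and the sensitive-object list is an assumption to be tuned per org.

```python
"""Flag risky guest-profile permissions in a Salesforce ObjectPermissions export.

The rows mimic what this SOQL returns (standard field names):
  SELECT Parent.Profile.Name, Parent.PermissionsApiEnabled, SobjectType,
         PermissionsRead, PermissionsCreate
  FROM ObjectPermissions WHERE Parent.Profile.UserType = 'Guest'
The sample rows below are constructed, not taken from a real org.
"""

# Assumed starting list: standard objects a public site guest profile should
# not read. Extend with custom objects that hold personal or financial data.
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Case", "Opportunity",
                     "Event", "User", "Contract"}

SAMPLE_ROWS = [  # constructed sample export
    {"Parent": {"Profile": {"Name": "Support Site Guest User"},
                "PermissionsApiEnabled": True},
     "SobjectType": "Account", "PermissionsRead": True, "PermissionsCreate": False},
    {"Parent": {"Profile": {"Name": "Support Site Guest User"},
                "PermissionsApiEnabled": True},
     "SobjectType": "Case", "PermissionsRead": False, "PermissionsCreate": True},
    {"Parent": {"Profile": {"Name": "Careers Site Guest User"},
                "PermissionsApiEnabled": False},
     "SobjectType": "Knowledge__kav", "PermissionsRead": True, "PermissionsCreate": False},
]


def audit_guest_permissions(rows):
    """Return (profile, object, issue) tuples, one per risky setting found."""
    findings = []
    api_seen = set()
    for row in rows:
        profile = row["Parent"]["Profile"]["Name"]
        obj = row["SobjectType"]
        # Checklist item 2: API access on a guest profile lets an anonymous
        # client query objects directly, outside the site's own pages.
        if row["Parent"]["PermissionsApiEnabled"] and profile not in api_seen:
            api_seen.add(profile)
            findings.append((profile, "*", "API Enabled on guest profile"))
        # Checklist item 1: read access to objects that routinely hold sensitive data.
        if row["PermissionsRead"] and obj in SENSITIVE_OBJECTS:
            findings.append((profile, obj, "Read access to sensitive object"))
        # Checklist item 3: anywhere guests can create records, confirm the
        # site's default owner for guest-created records is set.
        if row["PermissionsCreate"]:
            findings.append((profile, obj, "Create allowed; verify default record owner is set"))
    return findings


if __name__ == "__main__":
    for profile, obj, issue in audit_guest_permissions(SAMPLE_ROWS):
        print(f"{profile:28} {obj:14} {issue}")
```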

If you want hands-on help, please ask our team to perform an automatic (and free) audit of your Salesforce instances to uncover this issue and many others. 

How did this happen?

The issue is not due to a vulnerability in Salesforce’s app, but a configuration within each customer’s control.

Salesforce, like many other cloud service providers (CSPs), operates under the shared responsibility model. While the CSP is responsible for securing the underlying infrastructure and code, each customer is responsible for configuring their applications and data to ensure they are secure, monitoring user access, and maintaining compliance with regulations.

Misconfigurations providing pathways to critical data are not unique to Salesforce. Gartner notes that "through 2025, more than 99% of cloud breaches will have a root cause of preventable misconfigurations or mistakes by end users."

This isn’t the first, nor will it be the last, time a SaaS configuration creates a potential security incident. In the Great SaaS Data Exposure, our research team uncovered the massive complexity of SaaS permissions and configurations.

Ensuring SaaS security posture

It’s imperative that security teams assess SaaS exposure continuously with automation. Varonis can help secure your critical SaaS apps like Salesforce, Microsoft 365, Google, GitHub, and countless others:

  • Discover and classify sensitive data
  • Detect and respond to abnormal behavior
  • Auto-remediate excessive permissions and sharing links
  • Find and fix critical misconfigurations
  • Mitigate third-party app and supply chain risk

Varonis also makes it easy for Salesforce admins to analyze and compare permissions, so they can quickly identify unnecessary and risky access.

We can even automatically identify and remove unassigned Profiles and Permission Sets, getting you to a least privilege model without interrupting users.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.