
For people not familiar with salesforce, what does this mean?


For a time, users on many instances were able to read/modify data that they shouldn't have been. They got full CRUD access to -all data-. This includes some external users of things like Customer and Partner portals (where functionality and data are made available to external users via Salesforce). When they decided to try to mitigate the issue, they locked down all access and took away CRUD permissions from all users/profiles in Salesforce on those affected instances.

We woke up to a bunch of users unable to do their jobs because they suddenly started receiving "NO ACCESS" errors, effectively. We also haven't been able to modify the profiles and fix the access effectively.
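The lockdown described above removed CRUD from every profile at once. An audit that flags the over-broad grants instead, as an added example that is not from this thread or from Salesforce: it parses Profile documents in the Metadata API XML shape (object-level CRUD flags, modifyAllRecords/viewAllRecords, and the org-wide ModifyAllData/ViewAllData user permissions) and treats community or portal licenses as external users. The two profile documents are constructed samples, not data from any real org.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://soap.sforce.com/2006/04/metadata"}
EXTERNAL_LICENSES = ("Customer Community", "Partner Community", "Customer Portal")

# Constructed sample profiles in Metadata API Profile XML shape (not data from any real org).
PROFILES = {
    "Customer Community User": """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userLicense>Customer Community</userLicense>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowDelete>true</allowDelete>
    <modifyAllRecords>true</modifyAllRecords><viewAllRecords>true</viewAllRecords>
    <object>Account</object>
  </objectPermissions>
  <userPermissions><enabled>true</enabled><name>ModifyAllData</name></userPermissions>
</Profile>""",
    "Support Agent": """<Profile xmlns="http://soap.sforce.com/2006/04/metadata">
  <userLicense>Salesforce</userLicense>
  <objectPermissions>
    <allowCreate>true</allowCreate><allowRead>true</allowRead>
    <allowEdit>true</allowEdit><allowDelete>false</allowDelete>
    <modifyAllRecords>false</modifyAllRecords><viewAllRecords>false</viewAllRecords>
    <object>Case</object>
  </objectPermissions>
</Profile>""",
}

def _flag(elem, tag):
    """True when the child element <tag> holds the text 'true'."""
    return elem.findtext(f"m:{tag}", default="false", namespaces=NS).strip().lower() == "true"

def audit_profile(name, xml_text):
    """Return (severity, message) findings for one Profile document; empty list means clean."""
    root = ET.fromstring(xml_text)
    # Community/portal licenses are external users; full CRUD there is the worst case in the incident.
    external = root.findtext("m:userLicense", default="", namespaces=NS).startswith(EXTERNAL_LICENSES)
    findings = []
    for op in root.findall("m:objectPermissions", NS):
        obj = op.findtext("m:object", default="?", namespaces=NS)
        if _flag(op, "modifyAllRecords") or _flag(op, "viewAllRecords"):
            findings.append(("HIGH", f"{name}: bypasses sharing rules on {obj} (modify/view all records)"))
        if external and all(_flag(op, t) for t in ("allowCreate", "allowRead", "allowEdit", "allowDelete")):
            findings.append(("HIGH", f"{name}: external license holds full CRUD on {obj}"))
    for up in root.findall("m:userPermissions", NS):
        perm = up.findtext("m:name", default="", namespaces=NS)
        if perm in ("ModifyAllData", "ViewAllData") and _flag(up, "enabled"):
            findings.append(("CRITICAL", f"{name}: org-wide {perm} enabled"))
    return findings
```

Run it over profiles retrieved with the Metadata API to get a per-profile list of what to revoke, rather than stripping CRUD from everyone.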


When I saw this headline, my first reaction was that a salesperson in an org could download all customer contact info and immediately go to a competitor and start poaching customers extremely efficiently. How likely is this scenario? What sorts of recourse, legal or otherwise, would the org have? Non-competes are hard to enforce, and I don't know enough about trade secret laws to have a good opinion on this.


The way most companies operate, most of their Sales people could do this on any given day anyway. Salesforce can track those activities though.

This issue did not open access to other companies’ data. Just all the data in their own Org.


If I understand it correctly, it's much worse: A customer of Company A could download all internal data of Company A (e.g. all customer info) if Company A is using a Salesforce based support ticket system and the customer had an account in there.

So if a sales person at Company B happens to be a Customer at Company A...


> How likely is this scenario?

It's difficult to say. Exporting data in bulk isn't totally straightforward for your average user, and I'm not sure how long total CRUD access was granted. That being said, given that full access was granted, it's not impossible to imagine someone creating a report and doing a dump of customer data.

Though typically that may fall under NDA and not non-compete. NDAs are a little easier to enforce as far as I understand, but I'm not a lawyer.


It's sort of like if you walked by a bank and saw a bundle of money unattended in the lobby rather than the vault. Technically maybe you could get outside with the bundle, but keeping out of trouble long enough to enjoy the big screen TV you try to buy? ... Don't bet on it.


Nah, it’s more akin to an employee coming in one day and seeing that the vault door is just open, and thinking they might poke around a bit / pocket some bundles of cash... Except they usually handle most of those bundles of cash day to day anyway.


This is absolutely disastrous for healthcare companies.


As someone with a big healthcare client on Salesforce, you're not wrong. This was a massive issue for Salesforce Healthcloud users.


Only if they used or had used in the past Pardot...


Wonder how many lives you could attribute to being lost because of this bug.


When computer networks go down, hospitals switch to good old pen and paper.

It'll be 0 - it's more about the possible breach of PHI/HIPAA violations
