Security Alert: Dyre Malware

Knowledge Article Number 000199724

Update 9/11/14

Currently, we have seen a very small number of customers that have been impacted by this. We are reaching out to those customers with next steps and further guidance. We continue to monitor the situation and will reach out to impacted customers directly.

Original Article 9/5/14

On September 3, 2014, one of our security partners identified that the Dyre malware (also known as Dyreza), which typically targets customers of large, well-known financial institutions, may now also target some Salesforce users. We currently have no evidence that any of our customers have been impacted by this, and we are continuing our investigation. If we determine that a customer has been impacted by this malware, we will reach out to them with next steps and further guidance.

This is not a vulnerability within Salesforce. It is malware that resides on infected customer computer systems and is designed to steal user log-in credentials. If you’d like to learn more about malware, please visit

As a first step, we recommend you work with your IT security team to validate that your anti-malware solution is capable of detecting the Dyre malware. If you believe you have been impacted by this malware and would like assistance from, please open a security support case at, selecting security as the product topic, and our team will work with you to investigate this issue. is dedicated to helping our customers strengthen security in their own environments. In addition to following device security best practices, we recommend you leverage the following security capabilities of the Salesforce Platform:

  • Activate IP Range Restrictions to allow users to access only from your corporate network or VPN
  • Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source
  • Implement Salesforce#, which provides an additional layer of security with 2-step verification. The app is available via the iTunes App Store or via Google Play for Android devices.
  • Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.

Please visit for the latest security information and best practices.

You can find more information about Dyre malware at
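
An added example, not part of the original article and not Salesforce code: before activating IP range restrictions, a login-history export can be checked against the corporate ranges to find successful logins that came from outside them, which is where stolen credentials would show up. The column names, address ranges and rows below are constructed assumptions.

```python
import csv
import io
import ipaddress

# Assumed corporate egress/VPN ranges (constructed, documentation address space).
CORPORATE_RANGES = [ipaddress.ip_network(n)
                    for n in ("203.0.113.0/24", "198.51.100.16/28")]

# Constructed login-history export; the column names are assumptions.
SAMPLE_EXPORT = """username,login_time,source_ip,status
alice@example.com,2014-09-04T08:01:12Z,203.0.113.25,Success
alice@example.com,2014-09-04T23:47:50Z,192.0.2.77,Success
bob@example.com,2014-09-05T09:15:03Z,198.51.100.20,Success
bob@example.com,2014-09-05T09:40:41Z,192.0.2.130,Failed
carol@example.com,2014-09-05T10:02:00Z,not-an-ip,Success
"""

def in_corporate_range(ip_text):
    """True/False for a parseable address, None when the field is malformed."""
    try:
        addr = ipaddress.ip_address(ip_text.strip())
    except ValueError:
        return None
    return any(addr in net for net in CORPORATE_RANGES)

def audit_logins(export_text):
    """Bucket off-network rows: successes go to review, failures are listed separately."""
    report = {"review": [], "off_network_failed": [], "malformed": []}
    for row in csv.DictReader(io.StringIO(export_text)):
        entry = (row["username"], row["login_time"], row["source_ip"])
        inside = in_corporate_range(row["source_ip"])
        if inside is None:
            report["malformed"].append(entry)  # never silently treat as trusted
        elif not inside:
            ok = row["status"].strip().lower() == "success"
            report["review" if ok else "off_network_failed"].append(entry)
    return report

if __name__ == "__main__":
    for bucket, entries in audit_logins(SAMPLE_EXPORT).items():
        print(bucket, entries)
```

Entries in `review` are logins that succeeded from outside the listed ranges; they are the ones to confirm with the user before the restriction is switched on.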

