
Malware Captured User Credentials

Knowledge Article Number 000204476
Malware, short for "malicious software," includes viruses and spyware that can steal personal information (including login credentials), send spam, and commit fraud. Several types of malware are capable of capturing the credentials used to log in to web-enabled products.

When a user's system becomes infected with malware, the malware can take a variety of actions, including but not limited to:
  • Capturing usernames and passwords when the user logs into websites or other applications.
  • Taking actions on behalf of the logged-in user, such as initiating financial transactions.
  • Capturing all other actions performed by the user on their system.
Malware on a user’s system is not a vulnerability in, or a breach of, Salesforce. However, Salesforce credentials may be compromised if a user logs in to a Salesforce Org from a computer that is infected with malware.

Immediate remediation steps if you suspect you have been impacted by malware:

  • Scan all end-user systems with up-to-date antivirus signatures that can detect these malware variants.

  • Notify your IT security team or department about the potentially compromised users and validate that those users’ systems are clean of malware.

  • Change the passwords of the user accounts identified as affected and suggest changing credentials for all websites. Remember that an infected system will likely have collected credentials for every website the user accessed from that system, not just Salesforce accounts. Further information on how to do this can be found in the Resetting Customer Portal User Passwords article.

  • Revoke any existing OAuth tokens for the user accounts identified. Further information on how to do this can be found in the Revoking OAuth Tokens article.

  • Download and review the Salesforce Org login history of the affected users. Further information on how to do this can be found in the Monitor Login History article.
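One way to triage a downloaded login history for the affected users, as an added example that is not part of this article or of any Salesforce tool: it parses a constructed CSV export whose column names (Username, LoginTime, SourceIp, Status, LoginType, Application) are assumed to match the export, and flags logins from outside an assumed corporate IP range or with a non-success status.

```python
# Added example (not Salesforce's code): triage a login-history export for
# users whose credentials may have been captured by malware. Column names
# are assumed to match the export; the rows below are constructed sample data.
import csv
import io
import ipaddress

# Constructed sample export: two affected users, one corporate range.
SAMPLE_EXPORT = """\
Username,LoginTime,SourceIp,Status,LoginType,Application
alice@example.com,2024-03-01T08:02:11Z,10.20.1.15,Success,Application,Browser
alice@example.com,2024-03-01T23:41:05Z,203.0.113.77,Success,Application,Browser
bob@example.com,2024-03-02T09:10:30Z,10.20.1.42,Invalid Password,Application,Browser
bob@example.com,2024-03-02T09:11:02Z,10.20.1.42,Success,Application,Browser
carol@example.com,2024-03-02T12:00:00Z,198.51.100.9,Success,Application,Browser
"""

# Assumed corporate network range (placeholder value).
CORPORATE_RANGES = [ipaddress.ip_network("10.20.0.0/16")]


def suspicious_logins(export_text, affected_users, corporate_ranges=CORPORATE_RANGES):
    """Return (username, login_time, source_ip, reason) tuples worth review.

    A row is flagged when it belongs to an affected user and either the
    source IP is outside the corporate ranges or the status is not Success.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["Username"] not in affected_users:
            continue
        ip = ipaddress.ip_address(row["SourceIp"])
        reasons = []
        if not any(ip in net for net in corporate_ranges):
            reasons.append("source IP outside corporate ranges")
        if row["Status"] != "Success":
            reasons.append(f"login status: {row['Status']}")
        for reason in reasons:
            findings.append((row["Username"], row["LoginTime"], row["SourceIp"], reason))
    return findings


if __name__ == "__main__":
    affected = {"alice@example.com", "bob@example.com"}
    for finding in suspicious_logins(SAMPLE_EXPORT, affected):
        print(" | ".join(finding))
```

Each flagged row is a candidate for the password reset, token revocation and support-case steps above; a login from an unfamiliar IP after the infection window is the pattern most worth escalating.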


If you detect suspicious activity, please open a security support case (Product topic = Security) and our team will work with you to investigate the issue.


Additional Remediation Recommendations

As always, users should exercise caution when prompted to click a link or install third-party software from an unsolicited email, especially if the message claims to be from a financial institution or from an organization requesting their login credentials.

In addition to following device security best practices, we recommend you leverage the following security capabilities of the Salesforce Platform:

  • Activate IP Range Restrictions so that users can access Salesforce only from your corporate network or VPN. Further information can be found in the Restrict Login IP Addresses article.
  • Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source. Further information can be found in the SMS Method of Identity Confirmation article.
  • Implement Salesforce Authenticator, which provides an additional layer of security through two-step verification. The app is available from the iTunes App Store and from Google Play for Android devices. Further information can be found in the About Salesforce Two-Factor Authentication article.
  • Leverage SAML authentication capabilities to require that all authentication attempts originate from your network.
  • Enable IP restrictions for your Org. Further information can be found in the Site.com IP Restrictions Overview article.

At Salesforce, trusted customer success is our #1 value, and delivering the highest standard in security is our top priority. If our monitoring detects suspicious activity, our Incident Response team will notify the security contact on record. Please keep your security contact up to date to ensure timely and correct notices. More information on maintaining this contact can be found in Help and Training.


Finally, it is essential to have a comprehensive security strategy for endpoint computers to prevent, detect, and respond to infections.

