Salesforce authentication details compromised by malware

Immediate remediation steps if you suspect you have been impacted by malware:

• Scan all end user systems with up-to-date antivirus signatures that can detect these malware variants.

• Notify your IT security team or department about the potential compromised users and validate that the users’ systems are clean of malware.

• Change the passwords for the infected user accounts identified and suggest changing credentials for all websites. Remember that an infected system will likely collect credentials for websites the user accesses from that specific system, not just Salesforce accounts. Further information on how to do this can be found in Reset password for Users with both Portal and Community Access.

• Revoke any existing OAUTH tokens for the user account identified. Further information on how to do this can be found in the Revoking OAuth Tokens article.

• Download and review Salesforce Org login histories of infected users. Further information on how to do this can be found here in the Monitor Login History​ article.

If you detect suspicious activity, please open a security support case at https://help.salesforce.com (Product topic = Security) and our team will work with you to investigate this issue.

Additional Remediation Recommendations

As always, users should exercise caution if prompted to click on a link or install third-party software included in unsolicited emails, especially if the message claims to be from a financial institution or an organization requesting their login credentials.

In addition to following device security best practices, we recommend you leverage the following security capabilities of the Salesforce Platform:

• Activate IP Range Restrictions to allow users to access Salesforce only from your corporate network or VPN. Further information can be found in the Restrict Login IP Addresses article.
• Use SMS Identity Confirmation to add an extra layer of login protection when Salesforce credentials are used from an unknown source. Further information can be found in the SMS method of Identity Confirmation article.
• Implement Salesforce Authenticator, which provides an additional layer of security with two-step verification. The app is available via the iTunes App Store or via Google Play for Android devices. Further information can be found in the Two-Factor Authentication article.
• Leverage SAML authentication capabilities to require that all authentication attempts be sourced from your network.
• Enable IP restrictions for your Org. Further information can be found in the Site.com IP Restrictions Overview article.

At Salesforce, trusted customer success is our #1 value, and delivering the highest standard in security is our top priority. In the event that our monitoring detects suspicious activity, our Incident Response team will notify the security contact on record. Please maintain your security contact to ensure timely and correct notices.  More information on maintaining this contact can be found in Help and Training.

Finally, it is essential to have a comprehensive security strategy for endpoint computers to prevent, detect, and respond to infections.

Additional Reading:
http://www.onguardonline.gov/articles/0011-malware

http://www.google.com/safetycenter/everyone/start/