This week, Krebs Security posted how sensitive customer data was exposed on several Community sites. This included a Bank and even a Washington DC Health Community. Ouch!
How did this happen?
One can only guess. But, it was likely due to ignorance on the part of the people setting up the Community. Salesforce security is multi-layered and can be used to tightly secure data.
But, it can also be configured incorrectly. This is especially true when it comes to public facing websites such as Salesforce Communities. Or, Experience sites as they are now called.
You see, Experience/Community sites use a thing called the Guest User. This allows unauthenticated users access to the site. This is necessary when you have a public site. Think customer websites or government sites used to assist veterans, the elderly or the unemployed.
How about in disasters like epidemics or hurricanes? These kinds of sites need to be built fast and they need to allow access to the a lot of people. There are also a limited number of people with Salesforce experience. Unfortunately, that is a recipe for another type of disaster.
If you have been asked to setup a Salesforce Experience site, first take the time to review official Salesforce docs on how to do this. This doc is a good start. There is also a great website about Learning Salesforce Experience Cloud.
But, if you are working with Salesforce on a regular basis and you are a Salesforce Developer or Architect, you need to take it a step further. As I said in the beginning, Salesforce security is multi-layered and complex. It also covers a lot more than just access to Experience Sites. In other words, there is a lot to understand.
You might want to check out some of these resources:
- Trailhead on Data Security
- Series on Pluralsight about Salesforce Security
- Series I wrote about Salesforce Security and preparing for the Salesforce Certified Sharing and Visibility Exam
One thought on “Beware: Sensitive Salesforce Data Exposed on Experience Sites”
Thanks for sharing this Sara! Really helpful.