VolunteerMatch’s Salesforce Account Breached By Malware
December 15, 2015 NPT Staff
Malware on a VolunteerMatch computer has led to the unauthorized access of contact information within the organization’s Salesforce account. Compromised information includes email addresses, business addresses and telephone numbers within VolunteerMatch’s business records with Salesforce. As credit card information is not stored in such records, such data was not part of the breach.
Representatives from VolunteerMatch, which links prospective volunteers with opportunities, and Salesforce, a customer relationship management platform, both based in San Francisco, declined comment. Requests for information beyond what was posted on respective websites and email lists, including the total number of pieces of data compromised, were also denied.
VolunteerMatch’s public and private label sites were not impacted by the breach, according to a FAQ list provided by a representative from the organization. All those who have been impacted have been notified of the breach, the FAQ continues, removing the necessity for nonprofits to send out organization-wide alerts.
The issue was first identified on Dec. 1, according to a posting on Salesforce’s website, when a Salesforce security partner noticed that the credentials of users had been compromised while logging into Salesforce. It is believed that the users’ computers were previously infected with malware and that the malware collected the users’ information while they logged in.
Pony, an initial downloader often delivered via phishing emails, and Vawtrak, malware delivered by Pony, are believed to potentially be involved in the breach.
Users who believe that they have been impacted by the malware are encouraged to scan all end-user systems with an up-to-date antivirus signature, according to the Salesforce website. VolunteerMatch reports that staffers are working in collaboration with partners from Salesforce to add multi-factor authentication to the log-in process as to prevent future breaches.
– Andy Segedin