Investigate Credential Stuffing

Here are some tips for investigating a credential stuffing attack.
Available in both Salesforce Classic (not available in all orgs) and Lightning Experience.
Available in: Enterprise, Unlimited, and Developer Editions

Requires Salesforce Shield or Salesforce Event Monitoring add-on subscriptions.


Start by querying these Real-Time Event Monitoring events that provide detailed information about the attack. In particular:

  • CredentialStuffingEvent and its storage equivalent CredentialStuffingEventStore track when a user successfully logs into Salesforce during an identified credential stuffing attack.

    Important

    If the CredentialStuffingEvent object contains a record, an attack occurred in the past and Salesforce security has already taken care of the security issue. You don’t need to do anything other than investigate the attack for your own purposes.

  • LoginEventStream and its storage equivalent LoginEvent track all login activity in your Salesforce org.

For example, say that your org receives a CredentialStuffingEvent. The first thing you do is look at relevant fields of the event to get basic information about the attack, such as:

  • UserId: The user’s unique ID. Use this ID to query LoginEvent for more login information.
  • EventDate: When this attack occurred.
  • Summary: A text summary of the event.

See the API documentation for the full list of fields.

This sample SOQL query returns these field values.

SELECT UserId, EventDate, Summary FROM CredentialStuffingEventStore

You can use this type of query to identify the users in your org who were affected by the credential stuffing attack. These users either reused their org password on other websites or chose a password that follows a common pattern and isn’t strong enough. Educate your users on how they can create and manage strong passwords to protect your org.
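The follow-up step described above, using each affected UserId to pull that user's surrounding login activity from LoginEvent, can be scripted as shown below. This is an added example, not Salesforce's own code: the SourceIp and Status field names, the REST API datetime format, and all sample rows are assumptions or constructed values, so confirm the fields against the API documentation before use.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample rows shaped like API query results (not real data).
STUFFING = [{"UserId": "005EXAMPLE0000001", "EventDate": "2024-05-01T10:15:00.000+0000",
             "Summary": "constructed summary"}]
LOGINS = [
    {"UserId": "005EXAMPLE0000001", "EventDate": "2024-05-01T10:14:58.000+0000",
     "SourceIp": "203.0.113.7", "Status": "Success"},
    {"UserId": "005EXAMPLE0000001", "EventDate": "2024-05-01T10:40:00.000+0000",
     "SourceIp": "198.51.100.23", "Status": "Success"},
    {"UserId": "005EXAMPLE0000001", "EventDate": "2024-05-03T09:00:00.000+0000",
     "SourceIp": "192.0.2.10", "Status": "Success"},   # outside the window
    {"UserId": "005EXAMPLE0000002", "EventDate": "2024-05-01T10:16:00.000+0000",
     "SourceIp": "192.0.2.44", "Status": "Success"},   # unaffected user
]

def parse_ts(value):
    # Assumes the REST API datetime form, e.g. 2024-05-01T10:15:00.000+0000
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")

def login_query(stuffing_events, window=timedelta(hours=1)):
    """Build SOQL selecting LoginEvent rows around all flagged events."""
    times = [parse_ts(e["EventDate"]) for e in stuffing_events]
    fmt = "%Y-%m-%dT%H:%M:%SZ"  # SOQL datetime literals are unquoted
    start = (min(times) - window).astimezone(timezone.utc).strftime(fmt)
    end = (max(times) + window).astimezone(timezone.utc).strftime(fmt)
    return ("SELECT UserId, EventDate, SourceIp, Status FROM LoginEvent "
            f"WHERE EventDate >= {start} AND EventDate <= {end}")

def correlate(stuffing_events, login_events, window=timedelta(hours=1)):
    """Map each affected UserId to its logins within `window` of the flagged event."""
    hits = defaultdict(list)
    for ev in stuffing_events:
        flagged = parse_ts(ev["EventDate"])
        for login in login_events:
            same_user = login["UserId"] == ev["UserId"]
            if same_user and abs(parse_ts(login["EventDate"]) - flagged) <= window:
                hits[ev["UserId"]].append(login)
    return dict(hits)

def source_ips(correlated):
    """Distinct source IPs per affected user, for review against known locations."""
    return {uid: sorted({l["SourceIp"] for l in rows}) for uid, rows in correlated.items()}

if __name__ == "__main__":
    print(login_query(STUFFING))
    print(source_ips(correlate(STUFFING, LOGINS)))
```

The query is filtered on EventDate only and the match on UserId is done client-side, so the script does not depend on which other LoginEvent fields your org allows in a WHERE clause.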

Also consider improving your security with password protection. You can set password history, length, and complexity requirements. You can also specify what to do when a user forgets the password. Salesforce requires the use of multi-factor authentication (MFA) for all logins to the user interface — make sure MFA is enabled for all your users. Finally, investigate enabling Lightning Login for password-free logins.