Salesforce? Salesfarce: Cloud giant in multi-hour meltdown after database blunder grants users access to all data

GDParrrggh....

Rubs hands together before going down the shops to buy some popcorn ....

This is going to be fun !

Yet another one to add to my list when I find myself yet again infront of someone who thinks I'm bonkers for not embracing the magic cloud.

Lying bastards

We noticed this at 10am UTC. We shut our own instance and watched as they fucked around trying to fix this without telling anyone for 8 hours. Cunts.

I predicted something like this happening 3 years ago...

https://www.linkedin.com/pulse/salesforcecom-outage-beginning-end-manuel-breschi/

"... The next level of data disruption I expect to happen some day - at this point probably sooner than later - is when a sales rep will start her working day by handling service requests, orders and any kind of activity and will just realize by the end of the day that those leads were not actually her company's ones, but those of another enterprise, because the same database instance lost the information about the tenant and data would be visible to every customer sharing the same space. Ooppss!"

The outage is small compared to the data breach here. Granting access to all users to all data across the entire system from one script should make every customer on SalesForce run for the hills. SalesForce had no choice but to shut everything down as now they and all of their customers may have broken data privacy law (HIPPA, GDPR, etc.)

Remember - The CLOUD

Is nothing more than renting someone else's computer that other people are on too

Not all cloud providers are created equally

All of you naysayers of the cloud amuse me.

Yes, a cloud implementation is renting computing in somebody else’s data centre, but that doesn’t mean it is more prone to breaches etc than your own data centre, it just means that you need to manage that risk somewhere else.

For example, you could go with a cloud based provider that will implement single tenant systems (just your stuff on the databases you have rented) rather than multi-tenant such as the Salesforce model

To Cloud or Not To Cloud

So... The moral of the story is to use an on-premise CRM?

Separating DBs

My recent experience with a major cloud provider is that proper DB separation isn't something that is particularly easy achievable or well documented, especially in their "off the peg" auto-scaling environments. You still really have to roll your own mechanisms to achieve this. For our project we ended up blowing a large amount of a recent project budget on implementing this better than the environment was pushing you to. That came as quite a surprise, I'd have thought that by now DB compartmentalisation would be de riguer!

I strongly suspect that a large number of service providers who really ought to have absolute DB and CDN separation don't. I won't name names, but having researched this in depth I think that this same mistake could happen for some of the largest:

financial/bookkeeping service providers,

note/document storage apps,

CRM systems,

mail providers,

DDOS prevention providers.

... all of these I investigated when I was trying to get advice on how best to do this ourselves. It's very hard to find any companies which advertise that they use proper DB separation/encryption so that client data is compartmentalised. Why wouldn't you advertise it? Because you know that you are sat on monolithic DBs and CDNs which *can* be compromised in a big way by a single small mistake.

no consequences

as was said previously: ""So it will happen again and again and again..." - especially when you employ the cheapest, most unskilled tech folk you can find."

and the reason it will happen again and again is that there are no consequences for the toad that hired the cheap unskilled tech. the tech will get thrashed but the manager and director and VP above will still get bonuses even though everyone in the company knows who really is to blame.

Thsi type of farce has played out in every one of the companies I have worked for in my 30 years : / without exception.

until some higher up loses a bonus because they created a bad situation by faulty management ( Mr. Fawlty, Mr. Fawlty) it will continue as an endemic disease in all companies.

* warning: no sarcasm was used in this posting. end

They are full of it in some ways - They're being transparent but transparent like a muddy pond.

As someone who works heavily with Salesforce (anon so I don't get the paddle) I can say that they really cocked up with this one. They claim or formerly claimed not to do this type of stuff outside of a maintenance window. From what I can tell they added some enhancements to their Pardot product and were trying to change access to what objects the built in Pardot account could see. This impacted any org that ever had Pardot installed - even as a trial. Again - they have maintenance windows for product updates but as they get larger and larger they seem to be doing more one off updates outside of those windows.

For all the technical people here's a Salesforce primer - the idea of permissions do not exist as you or I would know SQL flavor of the week/Oracle permissions. They have some type of permission black magic voodo layer that runs on top of the Oracle DMBS and handles the multi-tenancy and organization (the company using Salesforce) level permissions. So the permissions they cocked up were org level object permissions. Salesforce permissions allow you to grant CRUD access to objects (tables) and for those toplink/hibernate folk you'll get Salesforce's object terminology. I only noticed the problem when my clients started pinging me that anyone without admistrator permissions could do anything in Salesforce. I have no idea if they accidentally granted read/modify all on objects (still organization level) to individual users because honestly most companies actively using Salesforce don't care if people can do too much, only that they can't do anything.

But that explaination still doesn't hold water with me because they didn't just revoke the modify all/read all permissions on these users, they revoked all permissions on these users. They removed all CRUD object level access to the point where some users couldn't even log in. Those that could were not able to do anything in the system. They did all of this in a way that was not correctable through the UI. So when I tried to grant read access to helpdesk users on the case object, I just received a nasty red Oracle error. They left the system in a place where it wasn't even admin correctable.

The whole time the site that they have to provide system status (trust.salesforce.com) was showing a big green check box that everything was wonderful. Yet when I went to go log a case with Salesforce they had a message that they were having these problems. Good enough for case deflection, not good enough for the marketing site to show how much uptime they have.

I still think Salesforce is a decent product, but I think everyone who hears cloud doesn't realize what they're actually selling. This is more like you paying someone to run their software - same as if I paid an ISV to use a product that ran on their premises. It's not like AWS, Rackspace, et al. where you run a virtualized machine that you can do anything you want with it. I do have some problems with the way they've outsourced their support who just read the help documentation back to me, or the way I think some of these screwups are the result of them trying to continue to show year over year growth when they have already sold to must people who are willing to buy.

Oopsie

Looks like someone forgot to add the WHERE clause to the script before they hit execute.

Hosting / Cloud providers don't learn from others mistakes (or even their own sometimes) even with a single tenant solution a tired/inattentive sysadmin can have devastating effects, i still shudder when i think of all the VPS instances that 123 reg nuked a few years ago whilst trying to delete inactive VM's

All your base are belong to us... had to say it...