October 22, 2007. In a not so funny story and as reported in the Washington Post, MarketWatch and various other web sites, hackers successfully breached salesforce.com's hosted system, retrieved over a million customer records and have successfully used that customer data against the customers themselves in phishing scams. Other misuse and damages stemming from the compromised customer data are expected.
Two of the more notable salesforce.com compromised customer accounts were ADP and SunTrust Banks. I believe ADP is the nation's largest payroll processing provider and also one of salesforce.com's largest customers (although that might now be changing). While the investigations are ongoing, reports indicate that about 900,000 ADP customer accounts and about 40,000 SunTrust Banks customer accounts were hacked and stolen from the hosted salesforce.com database. These ADP and SunTrust customers have already been phished by the hackers - many successfully.
Now the extended questions persist. Why was salesforce.com's hosted system vulnerable and are other hosted CRM software solutions vulnerable? For the first question, I really don't know. Phishing is an extremely common threat for which most hosted software companies and the rest of the online world retain adequate defenses. I'm really surprised that the CRM industry software giant was compromised to this magnitude. I can only suspect that this is an isolated incident.
While I'm concerned that such a recognized and frankly simple hack could break down the security walls of the largest CRM software hosting company, I've reviewed the web sites of several competitors (NetSuite, Oracle, Aplicor and Entellium) and noted that these CRM software companies publish security credentials, audits and certifications. Perhaps it's no coincidence that the CRM company that got hacked is the one that doesn't publish - or presumably achieve - the security rigors and safeguards of the others. Just my opinion.