Salesforce, one of the most trusted platforms, serves companies all across the globe. But when it comes to security, there is a catch. Every day, vast amounts of data are stored in the cloud, and these can be a gold mine for cybercriminals. Using attack techniques like phishing, credential stuffing, and SQL injection, cybercriminals get unauthorized access to the most valuable information.

One of the most abysmal attacks is credential stuffing, in which attackers use compromised account credentials for their own benefit. In 2020 alone, around 17 million stolen records were ready to compromise user accounts. Hence, implementing ideal security methods for your Salesforce data is a necessity. 

In this blog, you will learn all the details about credential stuffing and the best possible ways to prevent it in Salesforce.

What is Credential Stuffing and How Does It Work?

Credential stuffing or credential spills refers to an attack where usernames along with passwords are stolen and used to gain access to user accounts. 

An attacker with malicious intent uses automated sign-in requests on a larger scale to fraudulently access accounts on web apps like Salesforce. It is basically a subset of a brute force attack, but the attack techniques are quite different. 

hacker cybersecurity

In a brute force attack, the attacker uses random strings to try to guess the credentials of a user’s account, whereas, in credential spills, the attacker already knows the passwords and usernames. Hence, the user’s credentials have been “spilled”.

The attacker does the following when performing a credential stuffing attack:

  1. Through a fake IP address, the attacker starts by using a bot to try to log into multiple user accounts simultaneously as the user.
  2. The stolen credentials are “stuffed” into multiple sites using automation. When used on multiple sites at once, there is no need to repeat the log-in process on a single website.
  3. After a successful login, the attacker gains access to all sensitive information, including PII (personally identifiable information) and credit card details.
  4. Some attackers also retain the account information so that they can use it in the future for any other service.

How Salesforce Identifies Credential Stuffing?

confused man glasses

In order to protect your data, Salesforce utilizes various detection techniques to detect credential stuffing attempts. 

It analyzes the traffic volume for various user bases across the entire Salesforce system. It becomes extremely important for organizations to identify fraudulent attempts and mitigate them as soon as possible. The detection engines follow these paths to determine the problem.

data analytics
  • First, the detection algorithm analyses the traffic patterns for credential stuffing. It identifies credential stuffers when multiple credentials come from one endpoint fingerprint during a short period of time.
  • Another method that is used for detecting stuffers is time bucketing analysis. It works in the following way:
    1. The traffic analyzer first analyzes the web traffic and, then it then proceeds to extract browser fingerprints along with other indicators, which indicates the case of a potential compromise. 
    2. After it is confirmed that accounts are accessed by attackers, Salesforce requires the user to reset their password quickly.
    3. When this happens, the Salesforce platform sends an Identity Challenge Verification notification to the user, which the user has to first complete, and then can reset their password.

Methods you can use to Prevent Credential Stuffing in Your Salesforce Org

1. Set Up Multi-Factor Authentication:

 With multi-factor authentication, it becomes difficult for credential stuffers to perform an attack. Now logging into an account requires more than just a username and password. Once you enable MFA in Salesforce, you will require user credentials and other security options like an one-time code or an Authenticator app. This extra protection layer combats credential stuffing and blocks their attack plan right there. This is one of the best things you can to do block an attack.

finger print security

2. Enable IP Restrictions:

By now, you might know that credential stuffers leverage multiple IP addresses to access user accounts. However, Salesforce allows you to allow access to your Salesforce Org from only trusted IP addresses.

3. Enable Time Based Restrictions:

Salesforce provides for the ability to limit the time of day that a user can login to Salesforce. This may not be ideal for all customers of Salesforce, but limited the timeframe that a user can login to Salesforce, such as only during working hours, will also limit when an attacker could be successful with a credential stuffing attack.

4. Implement reCAPTCHA: 

login prompt

CAPTCHA is an effective technique to prove whether the action is performed by a bot or a human. It not only prevents spambots but also restricts any abusive traffic on the platform. 

When implementing Salesforce Digital Experiences, reCAPTCHA can be used to slow down credential stuffing attacks. When reCAPTCHA is utilized, attackers would no longer be able to automate attacks, but would have to resort to more manual and inefficient techniques to penetrate user accounts.

Salesforce supports the use of reCAPTCHA out of the box. To enable it, simply navigate to the reCAPTCHA settings in the Digital Experience Admin Console and complete the setup as outlines in the Salesforce help instructions

5. Track Stuffing Attempts Through Salesforce Shield Event Monitoring:

Through machine learning, Salesforce Event Monitoring helps in finding anomalies that could lead to data breaches. This feature enables you to evaluate up to 90 days of data and identify whether there is any difference in behaviour. In the event of an anomaly detection, the admin gets an email from Salesforce regarding the risk.  

6. Set Appropriate User Permissions:

Even though restricting user permissions will not stop a credential stuffing attack, it will limit what an attacker can do, if they gain access to a user’s account. It is a best practice to follow the “need to know” principle, giving access to users only required to perform their duties, and nothing more. The less permissions any one user has, the less an attacker can do if they manage to penetrate a user’s account.  

7. Virus Scan all files uploaded to Salesforce:

cloud security

Many people don’t know that Salesforce does not scan files uploaded for viruses. Viruses, don’t exactly aid in credential stuffing, but they are used to aid in stealing your data and credentials. Finding out whether your Salesforce system contains any vulnerabilities or not is imperative. A virus scanner can check all documents and emails so that you remain assured that no viruses are stealing your Salesforce data. 

EzProtect is a great cybersecurity solution created to protect your system from scams or attacks arising from viruses. Neglecting a single virus can result in loss of millions and reputational damage. Check out this video specially created by our founder and CEO Matt Meyers, about “What is the big deal about viruses in Salesforce, and why you should care.”

8. Perform Regular Audits:

Performing frequent audits can go a long way toward safeguarding your data. By auditing the Salesforce account, you can identify any potential threats or vulnerabilities. It also helps to detect any live breaches that can lead to data loss or downtime.


In this technologically advanced world where data rules, stealing credentials and abusing them have become a common practice. Organizations are concerned and looking for ways to keep their Salesforce data safe. The above-mentioned methods do provide a protective barrier against credential stuffers, but performing a regular security assessment is an additional assurance to keep your data safe.

Protection from vulnerabilities is not a tough task, but an important one! Get a free security assessment and detect threats that could possibly be a danger in the future.

By Published On: July 31, 2023Categories: Cybersecurity, Virus scanning0 Comments


Did you love this blog and wish there could be more?

It is our goal to keep you informed about everything you need to know about Salesforce security to keep your Salesforce data and company safe and secure by providing you with the highest quality of original content.

If this sounds good to you, then sign-up below to be one of the first to know when the next super awesome Salesforce security blog has been released.

Download your free guide today!

Learn if you are at risk and how to start protecting your users!