IDENTITY PROTECTION | CREDENTIAL COMPROMISE MONITORING
Early detection of compromised Salesforce accounts
Identity Protection in WithSecure Cloud Protection for Salesforce detects compromised Salesforce user credentials before attackers use them.
Dark-web breach intelligence
Covers internal and community users
Credential compromise is among top attack methods — Salesforce is not immune
Attackers buy breached passwords from the darkweb to take over legitimate user accounts.
Compromised accounts can be used to impersonate trusted users, access data, or alter workflows. Identity risk is greatest in environments with community users, like Experience Cloud and partner portals, where the users are outside corporate identity controls. These risks go unseen and are often overlooked in Salesforce.
In Salesforce, a single compromised identity can open access to data, processes, and other identities and systems.
Detect compromised user credentials inside Salesforce
Identity Protection feature detects internal and community user accounts exposed in external data breaches – before attackers can use them to gain access. It continuously monitors Salesforce user credentials against verified third-party breach data, including dark-web sources.
Covers internal and community user accounts
Goes beyond traditional scraping – human researchers infiltrate dark web forums
Identifies compromised users even six months faster than open source intel
Offers detailed breach info (when, who, where, what was breached, risk severity)
How compromised credentials turn into a Salesforce breach
1. Third-party breach
A company your users rely on gets breached. Their email and password end up for sale on the dark-web.
2. Attackers collect and reuse credentials
Hackers grab those credentials and try them across different services – including Salesforce.
3. Unauthorized access
One of the breached login credentials works for your Salesforce. The attacker signs in as a real user, no alarms triggered.
4. Actions inside Salesforce
The attacker exploits the trusted account and starts manipulating integrations, moving laterally, exporting data, uploading ransomware.
Detect compromised credentials before the attackers
Account takeover
Detects exposed Salesforce credentials early so admins can stop unauthorized access.
Data exposure
Reduces the chance of sensitive records being accessed through stolen credentials.
Social engineering
Flags breached community user accounts before they’re used for data theft, impersonation or fraud.
Lateral movement
Prevents compromised accounts from being used to access other connected systems and users.
Continuous monitoring with the latest breach intelligence
Continuous exposure scanning
Scans Salesforce user accounts against breach intelligence to detect exposed credentials early.
Internal and community user coverage
Monitors identities in Salesforce from employee to partner users – often outside corporate visibility.
Rich breach intelligence
Uses the latest dark-web breach data for faster, richer detections (when, who, where, what, risk severity).
Breach history logs (12 months)
Identifies if a Salesforce user’s credentials have been involved in data breaches in the past year.
Certified and audit-ready
Trusted by public sector organizations, Fortune 500 enterprises, and highly regulated industries.
Frequently asked questions
What is Identity Protection in WithSecure Cloud Protection for Salesforce?
Identity Protection is a feature in WithSecure Cloud Protection for Salesforce that detects Salesforce user credentials exposed in third-party breaches.
Early detection of credential compromise enables Salesforce administrators and security teams to act before attackers get the chance to exploit stolen credentials – for example by enforcing password reset.
Why is Identity Protection needed in Salesforce?
Salesforce doesn’t monitor for exposed credentials, and stolen logins are involved in 22% of all data breaches globally (Verizon DBIR 2025).
When users reuse the same passwords across different services, which is known as password reuse, a breach in one system can compromise many others.
If an employee, partner, or community user’s credentials are leaked elsewhere, attackers can use those logins to access Salesforce as a trusted user.
Identity Protection provides early detection and visibility inside Salesforce. Existing security tools have no scalable coverage for community user monitoring.
Which Salesforce users does Identity Protection monitor?
Identity Protection in WithSecure Cloud Protection for Salesforce covers both internal and external user types:
Internal Salesforce users: Employees, administrators, and system accounts. Detect compromised credentials early to prevent unauthorized access or privilege escalation.
Community and partner users: Experience Cloud and partner logins often fall outside corporate security controls. WithSecure Cloud Protection for Salesforce uniquely monitors these accounts at enterprise scale — reducing the risk of impersonation, supply-chain abuse, and data exposure.
How does Identity Protection work?
Identity Protection continuously scans Salesforce user email identifiers (securely hashed) against a combination of proprietary, commercial, and dark-web breach intelligence feeds. Human analysts infiltrate dark web forums to uncover threat intelligence that is not available with traditional credential scraping tools.
This hybrid approach detects new exposures 3–6 months earlier than any public or open-source lists.
If a user’s credentials appear in a known data leak, the system flags it directly in the Cloud Protection for Salesforce dashboard, complete with breach metadata and severity information.
You’ll know:
Which users were exposed — and when
The breach source and password format
How severe the risk is
How often does Identity Protection run scans?
By default, Identity Protection scans run automatically every week.
Threat intelligence feeds for credential compromises are updated daily.
Does Identity Protection automatically block or disable users?
No. Identity Protection provides early detection and visibility, but control for response actions stays with the administrator to avoid unwanted disruption.
You decide when to reset credentials or apply other remediation steps.
How is Identity Protection different from other breach-detection tools?
Identity Protection is a feature of WithSecure Cloud Protection for Salesforce – a 100% Salesforce-native app, with no external connectors, or unnecessary data traffic outside the platform.
It covers Experience Cloud and community users (like partner accounts) at scale. User risks related to these Salesforce user types fall outside current enterprise security tools.
How does this support compliance and audit readiness?
Each detection event and admin action is logged, creating a verifiable audit trail.
This supports today’s compliance frameworks, and helps demonstrate proactive identity-risk management for internal and regulatory audits.
What are common use cases for Identity Protection?
Key use cases for Identity Protection feature include:
Detecting exposed employee Salesforce user credentials before attackers log in.
Monitoring high-risk external community users in partner and community portals built on Salesforce.
Strengthening third-party and supply-chain security posture in Salesforce.
Reducing the risk of fraud, impersonation, or data theft across Salesforce and connected systems.
What attack methods does Identity Protection protect against?
What attack methods does Identity Protection protect against?
Identity Protection helps prevent attacks that rely on compromised or reused credentials, including:
Supply-chain compromise — Attackers use compromised partner or customer logins to submit fraudulent transactions, upload malicious files, or move laterally into your systems. Detecting exposed external accounts stops these supply-chain attacks before they escalate.
Credential stuffing — Automated login attempts using usernames and passwords leaked from other services.
Account takeover — Using stolen credentials to access Salesforce as a legitimate user.
Social engineering with trusted identities — Using compromised user accounts to send phishing links or fraudulent requests inside Salesforce.
Early prevention is always cheaper than breach recovery.
Does Identity Protection process personal data?
Some personal data may be processed in the Identity Protection feature, namely the email address and related breach data. Such personal data is stored in encrypted form and processed in accordance with the Data Processing Agreement. For more information on privacy in WithSecure Cloud Protection for Salesforce, please see the WithSecure Cloud Protection for Salesforce Privacy Policy.
See the user risk before the breach happens
Get a Free Demo
THE #1 SALESFORCE MALWARE PROTECTION SOLUTION
Fill the form and get:
Free 15-day trial – test the product without limitations
Real attack simulation and product demo
Free customized and actionable risk assessment
