Identity protection

Learn how to set up and administer the identity protection feature.

Monitor identity breaches of Salesforce users

Identity protection extends WithSecure Cloud Protection for Salesforce capabilities beyond file and URL scanning. It detects when Salesforce user accounts – both internal (standard) and external (community) – may have been exposed in third-party data breaches.

It gives Salesforce admins visibility into identity risks that standard Salesforce controls don’t surface, such as reused or leaked passwords. By using continuously updated breach intelligence, identity protection helps you detect compromised accounts before attackers can exploit them for data exposure, fraud, impersonation, or unauthorized access.

Identity protection is built into WithSecure Cloud Protection for Salesforce and requires no separate license or integration. It requires active WithSecure Cloud Protection for Salesforce user-based licenses.

Before you start

You can access Identity protection under Administration → Identity protection. By default, all identity protection settings are off.

Fig 1: Identity protection settings in the Administration page

Before enabling the feature:

  • Make sure your active CPSF user licenses match the user types you want to include in breach checks.
  • Check that assigned user licenses don’t exceed your purchased CPSF user licenses. If they do, you’ll see a “batch failed” error and identity protection can’t be enabled.
  • Confirm that the connected app is enabled.
  • Identity protection can scan standard and community users. Integration and automation users are excluded.

How identity protection works

Identity protection scans Salesforce user email addresses to detect potential data breaches.

Depending on your organization’s setup:

  • All users: Scans all standard and community users, as long as the total number of users is within the license limit.
  • Selective users: Scans only selected standard and/or community users within the license limit.

The breach scan job runs automatically based on your configured schedule. Notifications appear in the CPSF app when scans start and complete.

Schedule a breach scan

You can schedule breach scans weekly to run on a specific day and time.

  1. Go to Administration → Identity protection.
  2. Under Schedule scan, select the day and time for the weekly breach lookup.
  3. Click Save.

Fig 2: Scheduled breach scan configuration in identity protection

What to expect

  • Once started, each scan takes up to three days to complete.
  • Notifications appear in the CPSF app when the scan starts and when it completes.
  • Breach records become visible progressively as the job runs.

Within three days after the scheduled scan starts, identity protection provides updates on breaches found.

View breach details

Each detected breach includes detailed metadata provided by a third-party research team.

Fig 3: Identities section showing monitored users

Reading the breach details

| Field | Description |
|---|---|
| Breach date | The date on which the breach occurred. |
| Title | Breach title, if available. Generic if undisclosed. |
| Website | Website of the breached organization, when available. |
| Acquisition date | When the research team first obtained the data. |
| Breach category | How the data was breached (combolist, exfiltrated, exposed, infostealer, phished, scraped, unknown_). |
| Confidence | Confidence in the breach source (Low, Medium, High). |
| Breach main category | General classification: combolist, breach, or malware. |
| Publish date | When the breach became public. |
| Type | Public (found online) or Private (exclusive threat intelligence). |
| Num records | Number of records parsed and deduplicated from the breach. |
| Sensitive source | Indicates whether the breach source is sensitive. |
| Consumer category | Categorization for product or service mapping. |

Fig 4: Breach history for a user exposed to multiple breaches

Fig 5: Detailed breach information view

Review identity events

Identity events track breach activity for Salesforce users. Each event includes the breach date and time, risk type, breach reason, affected user, and other related information.

Fig 6: Identity protection events in the Analytics section

You can use search values to narrow results. Supported values are TIME, RISK, REASON, and USER.

Example:
To find all critical breaches for a specific user:
RISK=Critical, USER=John Doe

Notifications

Identity protection generates in-app notifications for configuration changes, scheduled scans, and detected breaches.

Fig 7: Notifications for breached users in identity protection
Fig 8: Breached user notification details

How severity is classified in alerts

| Severity | Reason | Source |
|---|---|---|
| Informational | Configuration updated | Administration |
| Informational | Breach check job started or completed | Administration |
| Critical | Connected app disconnected due to missing permission set | Administration |
| Critical | Identity protection disabled due to feature parameter | Administration |
| Critical | Identity protection disabled due to connected app issue | Identity protection |
| Critical | Breach check failed due to data processing region change | Identity protection |
| Critical | Breach check exceeded the maximum number of users | Identity protection |
| Critical | Users exposed to third-party data breach | Identity protection |
| Critical | License limit exceeded — feature inactive for extra users | Administration |

Verify the setup

  • Check Administration → Identity protection to confirm settings are enabled.
  • Verify that notifications appear when the scheduled breach job runs.
  • Review Identity events in Analytics to confirm breach records are being logged.

Frequently asked questions

What is identity protection in WithSecure Cloud Protection for Salesforce?

Identity protection is a feature in WithSecure Cloud Protection for Salesforce that detects Salesforce user credentials exposed in third-party breaches.
Early detection of credential compromise enables Salesforce administrators and security teams to act before attackers get the chance to exploit it.

Why is identity protection needed in Salesforce?

Salesforce doesn’t monitor for exposed credentials, and stolen logins are involved in 22% of all data breaches globally (Verizon DBIR 2025).

When users reuse the same passwords across different services, which is known as password reuse, a breach in one system can compromise many others.

If an employee, partner, or community user’s credentials are leaked elsewhere, attackers can use those logins to access Salesforce as a trusted user.

Identity protection provides early detection and visibility inside Salesforce. Existing security tools have no scalable coverage for community user monitoring.

Which Salesforce users does identity protection monitor?

Identity protection in WithSecure Cloud Protection for Salesforce covers both internal and external user types:

Internal Salesforce users: Employees, administrators, and system accounts. Detect compromised credentials early to prevent unauthorized access or privilege escalation.

Community and partner users: Experience Cloud and partner logins often fall outside corporate security controls. WithSecure Cloud Protection for Salesforce uniquely monitors these accounts at enterprise scale — reducing the risk of impersonation, supply-chain abuse, and data exposure.

How does identity protection work?

Identity protection continuously scans Salesforce user email identifiers (securely hashed) against a combination of proprietary, commercial, and dark-web breach intelligence feeds.
This hybrid approach detects new exposures 3–6 months earlier than any public or open-source lists.

If a user’s credentials appear in a known data leak, the system flags it directly in the Cloud Protection for Salesforce dashboard, complete with breach metadata and severity information.

You’ll know:

  • Which users were exposed — and when
  • The breach source and password format
  • How severe the risk is
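
The scope rules from "How identity protection works" and the hashed lookup described in this answer can be modelled in a few lines. This is an added illustration, not WithSecure's code: the product's hashing scheme is not documented on this page, so SHA-256 over a trimmed, lowercased address is an assumption, as are the function names, the record layout, and the constructed sample data.

```python
import hashlib

# User types the page says can be scanned; integration and automation users are excluded.
SCANNABLE = {"standard", "community"}

def email_digest(email: str) -> str:
    """Normalise, then hash. Both sides must normalise identically or matches are missed.
    Note: an unkeyed hash of an email is pseudonymous, not anonymous, because anyone
    holding a candidate address can recompute it. It remains personal data."""
    return hashlib.sha256(email.strip().lower().encode("utf-8")).hexdigest()

def select_users(users, mode, selected_types, license_limit):
    """Apply the scope rules: 'all' or 'selective' user types, then the license ceiling."""
    wanted = SCANNABLE if mode == "all" else SCANNABLE & set(selected_types)
    in_scope = [u for u in users if u["type"] in wanted]
    if len(in_scope) > license_limit:
        # Models the failure the page describes when users exceed purchased licenses.
        raise ValueError(f"{len(in_scope)} users in scope, {license_limit} licensed")
    return in_scope

def breach_lookup(users, breach_index):
    """Return {user name: [breach titles]} for users whose digest is in the index."""
    hits = {}
    for user in users:
        titles = breach_index.get(email_digest(user["email"]))
        if titles:
            hits[user["name"]] = sorted(titles)
    return hits

# Constructed sample data (not real accounts or breaches).
USERS = [
    {"name": "a.admin", "email": "Alice.Admin@example.com ", "type": "standard"},
    {"name": "p.partner", "email": "pat@partner.example", "type": "community"},
    {"name": "etl.bot", "email": "etl@example.com", "type": "integration"},
    {"name": "c.customer", "email": "carol@example.org", "type": "community"},
]
BREACH_INDEX = {
    email_digest("alice.admin@example.com"): {"Constructed combolist 1", "Constructed stealer log"},
    email_digest("etl@example.com"): {"Constructed combolist 1"},
}

if __name__ == "__main__":
    scope = select_users(USERS, "all", (), license_limit=10)
    print(breach_lookup(scope, BREACH_INDEX))
```

The integration account appears in the constructed breach index but is never reported, because it is filtered out before any digest is computed.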

How often does identity protection run scans?

By default, identity protection scans run automatically every week. Threat intelligence feeds for credential compromises are updated daily.

Does identity protection automatically block or disable users?

No. Identity protection provides early detection and visibility, but control for response actions stays with the administrator to avoid unwanted disruption.
You decide when to reset credentials or apply other remediation steps.

Do I need to enable the connected app for identity protection to work?

Yes. The connected app must be active to use the identity protection feature.

Where can I see breach results?

Detected breaches appear under Administration → Identity protection and in the Analytics → Identity events section.

Is identity protection included in my existing license?

Yes. Identity protection is part of the WithSecure Cloud Protection for Salesforce user-based license and doesn’t require an additional license or add-on. However, it is not currently supported by volume-based licenses.

Does enabling identity protection have any data processing or compliance implications?

All email addresses are encrypted before matching with breach records. Please note that encrypted email addresses may be processed outside your normal data processing region. By turning on the Identity Protection feature, you confirm that your organization as the data controller has a legal basis for processing the personal data of individuals covered by the Identity Protection feature and that the Data Processing Agreement applies.

Does Identity Protection process personal data?

Some personal data may be processed in the Identity Protection feature, namely the email address and related breach data. Such personal data is stored in encrypted form and processed in accordance with the Data Processing Agreement. Please note that the data in the Identity Protection feature may be processed outside your normal data processing region.

For more information on privacy in WithSecure Cloud Protection for Salesforce, please see the WithSecure Cloud Protection for Salesforce Privacy Policy.