Monitor identity breaches of Salesforce users with Identity Protection
Identity protection is a feature of WithSecure Cloud Protection for Salesforce (CPSF) that goes beyond file and URL scanning. It checks whether Salesforce user accounts – both internal (standard) and external (community) – have appeared in known third-party data breaches.
Identity protection gives Salesforce admins visibility into identity risks that standard Salesforce controls don’t surface, such as reused or leaked passwords. By continuously checking users against updated breach data, it helps you detect compromised accounts before attackers
Identity protection is built into WithSecure Cloud Protection for Salesforce and requires no separate license or integration. It requires active WithSecure Cloud Protection for Salesforce user-based licenses.
Before you start
You can access Identity protection under Administration → Identity protection. By default, all identity protection settings are off.

Complete the following checks before enabling the feature:
- Ensure your active CPSF user licenses cover the user types you want to scan.
- Verify that assigned user licenses do not exceed your purchased CPSF license count. Exceeding this limit triggers a “batch failed” error and prevents identity protection from running.
- Ensure that the connected app is enabled.
- Only standard and community users are scanned. Integration and automation users are excluded from breach checks.
How identity protection works
Identity protection checks Salesforce user email addresses in encrypted form against a continuously updated database of known data breaches, surfacing any accounts that may be at risk.
You can configure identity protection to scan all users or a chosen subset, depending on your license count and preferences:
- All users: Scans all standard and community users, provided the total user count is within your license limit.
- Selective users: Scans a chosen subset of standard and/or community users, up to your license limit.
The breach scan job runs automatically based on your configured schedule. In-app notifications are sent when scans start and when they complete.
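The following is an added example, not part of the product or its documentation: a pre-flight check that counts in-scope users from a User export and reports which scan mode fits a given license limit. The mapping of Salesforce `UserType` values to "standard", "community" and excluded users, the decision to count only active users, the CSV column layout and the function names are all assumptions made for this sketch.

```python
import csv
import io

# Assumption: how Salesforce User.UserType values map to the page's categories.
STANDARD_TYPES = {"standard"}
COMMUNITY_TYPES = {"powerpartner", "cspliteportal", "customersuccess",
                   "powercustomersuccess"}

# Constructed sample export of the User object (not real data).
SAMPLE_EXPORT = """Username,UserType,IsActive
alice@example.com,Standard,true
bob@example.com,Standard,true
carol@example.com,Standard,false
partner1@example.net,PowerPartner,true
cust1@example.org,CspLitePortal,true
cust2@example.org,PowerCustomerSuccess,true
integration@example.com,CloudIntegrationUser,true
autoproc@example.com,AutomatedProcess,true
"""


def classify(user_type):
    """Return 'standard', 'community' or 'excluded' for a UserType value."""
    key = user_type.strip().lower()
    if key in STANDARD_TYPES:
        return "standard"
    if key in COMMUNITY_TYPES:
        return "community"
    return "excluded"  # integration, automation and any other account type


def plan_scan_scope(export_text, license_limit):
    """Count in-scope users and pick the scan mode that fits the license limit."""
    counts = {"standard": 0, "community": 0, "excluded": 0}
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["IsActive"].strip().lower() != "true":
            continue  # assumption: inactive users do not need a license
        counts[classify(row["UserType"])] += 1
    in_scope = counts["standard"] + counts["community"]
    if in_scope <= license_limit:
        mode, uncovered = "All users", 0
    else:
        # Too many users for "All users": a subset has to be selected.
        mode, uncovered = "Selective users", in_scope - license_limit
    return {**counts, "in_scope": in_scope, "mode": mode, "uncovered": uncovered}


if __name__ == "__main__":
    print(plan_scan_scope(SAMPLE_EXPORT, license_limit=3))
```
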
Schedule a breach scan
Breach scans run on a weekly schedule. Set the day and time that works best for your organization.
- Go to Administration → Identity protection.
- Under Schedule scan, choose the preferred day and time for the weekly scan.
- Click Save.

What to expect
- Each scan can take up to three days to complete from the time it starts.
- You receive in-app notifications in CPSF when the scan starts and again when it finishes.
- Breach results appear in the Identities section as the scan progresses – you do not need to wait for the job to finish.
All breach results are available within three days of the scan start date.
View breach details
When a breach is detected, identity protection displays detailed metadata sourced from a third-party threat intelligence team. The table below describes each field.

Reading the breach details
| Field | Description |
|---|---|
| Breach date | The date on which the breach occurred. |
| Title | Breach title, if available. Generic if undisclosed. |
| Website | Website of the breached organization, when available. |
| Acquisition date | When the research team first obtained the data. |
| Breach category | How the data was breached (combolist, exfiltrated, exposed, infostealer, phished, scraped, unknown). |
| Confidence | Confidence in the breach source (Low, Medium, High). |
| Breach main category | General classification: combolist, breach, or malware. |
| Publish date | When the breach became public. |
| Type | Public (found online) or Private (exclusive threat intelligence). |
| Num records | Number of records parsed and deduplicated from the breach. |
| Sensitive source | Indicates whether the breach source is sensitive. |
| Consumer category | Categorization for product or service mapping. |


Review identity events
Identity events provide a detailed log of breach activity across your Salesforce users. Each event records the date and time of the breach, its risk severity, the breach reason, and the affected user.

You can narrow results with search values or with the visual filters. Supported search values are TIME, RISK, REASON, and USER.
Example:
To find all critical breaches for a specific user: RISK=Critical, USER=John Doe
Notifications
Identity protection generates in-app notifications for key events: configuration changes, scheduled scan status updates, and detected user breaches.


How severity is classified in alerts
| Severity | Reason |
|---|---|
| Informational | Configuration updated |
| Informational | Breach check job started or completed |
| Critical | Connected app disconnected due to missing permission set |
| Critical | Identity protection disabled due to feature parameter |
| Critical | Identity protection disabled due to connected app issue |
| Critical | Breach check failed due to data processing region change |
| Critical | Breach check exceeded the maximum number of users |
| Critical | Users exposed to third-party data breach |
| Critical | License limit exceeded — feature inactive for extra users |
Verify the setup
Once enabled, use the following checks to confirm that identity protection is working correctly.
- Go to Administration → Identity protection to confirm that the feature is enabled and settings are saved.
- Verify that notifications appear when the scheduled breach job runs.
- Review Identity events in Analytics to confirm breach records are being logged.
Frequently asked questions
What is identity protection in WithSecure Cloud Protection for Salesforce?
Identity protection is a feature in WithSecure Cloud Protection for Salesforce that detects Salesforce user credentials exposed in third-party breaches.
Early detection of credential compromise enables Salesforce administrators and security teams to act before attackers get the chance to exploit it.
Why is identity protection needed in Salesforce?
Salesforce doesn’t monitor for exposed credentials, and stolen logins are involved in 22% of all data breaches globally (Verizon DBIR 2025).
When users reuse the same passwords across different services, which is known as password reuse, a breach in one system can compromise many others.
If an employee, partner, or community user’s credentials are leaked elsewhere, attackers can use those logins to access Salesforce as a trusted user.
Identity protection provides early detection and visibility inside Salesforce. Existing security tools have no scalable coverage for community user monitoring.
Which Salesforce users does identity protection monitor?
Identity protection in WithSecure Cloud Protection for Salesforce covers both internal and external user types:
- Internal Salesforce users: Employees, administrators, and system accounts. Detect compromised credentials early to prevent unauthorized access or privilege escalation.
- Community and partner users: Experience Cloud and partner logins often fall outside corporate security controls. WithSecure Cloud Protection for Salesforce uniquely monitors these accounts at enterprise scale, reducing the risk of impersonation, supply-chain abuse, and data exposure.
How does identity protection work?
Identity protection continuously scans Salesforce user email identifiers (securely hashed) against a combination of proprietary, commercial, and dark-web breach intelligence feeds.
This hybrid approach detects new exposures 3–6 months earlier than any public or open-source lists.
If a user’s credentials appear in a known data leak, the system flags it directly in the Cloud Protection for Salesforce dashboard, complete with breach metadata and severity information.
You’ll know:
- Which users were exposed, and when
- The breach source and password format
- How severe the risk is
How often does identity protection run scans?
By default, identity protection scans run automatically every week. Threat intelligence feeds for credential compromises are updated daily.
Does identity protection automatically block or disable users?
No. Identity protection provides early detection and visibility, but control over response actions stays with the administrator to avoid unwanted disruption.
You decide when to reset credentials or apply other remediation steps.
Do I need to enable the connected app for identity protection to work?
Yes. The connected app must be active to use the identity protection feature.
Where can I see breach results?
Detected breaches appear under Administration → Identity protection and in the Analytics → Identity events section.
Is identity protection included in my existing license?
Yes. Identity protection is part of the WithSecure Cloud Protection for Salesforce user-based license and doesn’t require an additional license or add-on. However, it is not currently supported by volume-based licenses.
Does enabling identity protection have any data processing or compliance implications?
All email addresses are encrypted before matching with breach records. Please note that encrypted email addresses may be processed outside your normal data processing region. By turning on the Identity Protection feature, you confirm that your organization as the data controller has a legal basis for processing the personal data of individuals covered by the Identity Protection feature and that the Data Processing Agreement applies.
Does Identity Protection process personal data?
Some personal data may be processed in the Identity Protection feature, namely the email address and related breach data. Such personal data is stored in encrypted form and processed in accordance with the Data Processing Agreement. Please note that the data in the Identity Protection feature may be processed outside your normal data processing region.
For more information on privacy in WithSecure Cloud Protection for Salesforce, please see the WithSecure Cloud Protection for Salesforce Privacy Policy.