That API Token in Your Custom Label? It's a Bigger Risk Than You Think.

Just last week, I was reviewing a Salesforce implementation and found a critical security risk: an API token stored plainly in a Custom Label. It was a challenging situation because the client was hesitant to invest in fixing the setup, despite my recommendations to use a secure tool like Named Credentials or at least Protected Custom Metadata. I warned that insecure tokens could be used to corrupt the very data they rely on in Salesforce.

The timing of what happened next was startling. A week later, on August 27th, Google's Threat Intelligence Group (GTIG) released an advisory about a widespread data theft campaign by a threat actor, UNC6395, targeting Salesforce instances. The attack vector involved compromised authentication tokens from a third-party application, proving how easily insecure credentials can become a gateway for data theft.

This experience often makes me feel like a dentist telling a patient to treat a small cavity. It’s a minor fix now, but if you ignore it, you’ll eventually need a root canal—a far more painful and expensive procedure.

It's the same with API tokens and Salesforce security. It is significantly cheaper to address these vulnerabilities now than to wait until disaster strikes. The cost of a data breach isn't just financial; it's your customers complaining about their data being accessed by an unauthorized party. If you handle sensitive information for services like medicine or banking, keeping your security at the highest level isn't just a best practice—it's crucial for survival.

If you would like to discuss the security of your Salesforce organization, please book a consultation with me.