Salesforce Community Leaks Private and Sensitive Data

A shocking number of organizations including banks and healthcare providers are leaking private and sensitive information from their public Salesforce community websites. The data exposure all stems from a misconfiguration in Salesforce community that allows an unauthenticated user to access records that should only be available after logging in. For example, on Monday the state of Vermont had at least five separate Salesforce community sites that allowed guest access to sensitive data Including a pandemic unemployment assistance program that exposed the applicant's full name social security number address phone number email and bank account number.