Faulty Database Script Exposed Salesforce Data to Wrong Users

Salesforce Shuts Down Instances After Database Script Erroneously Enabled All Permissions on User Profiles


Salesforce deployed a database script last week that inadvertently enabled all permissions for all user profiles in some organizations, resulting in everyone inside a company to have access to their company's Salesforce data. 


The rollout resulted in “modify all” permissions being enabled for all user profiles, including Standard and Custom profiles. The issue, Salesforce said, impacted customers that were using the Pardot service or which previously used the Pardot service. 


To mitigate impact, Salesforce decided to block access to instances that contained affected customers, which prevented access for all users, including admins. As a result, even customers who were not impacted by the script deployment experienced service disruption. 


“The deployment of a database script resulted in granting users broader data access than intended. To protect our customers, we have blocked access to all instances that contain impacted customers until we can complete the removal of the inadvertent permissions in the impacted customer orgs. As a result, customers who were not impacted may experience service disruption,” Salesforce said


The issue emerged on Friday, May 17, but Salesforce was able to restore access for users with a System Administrator profile by the next day. It also restored full access to customers unaffected by the database script issue. 


The list of affected instances includes NA42, NA44, CS50, CS51, CS59, CS138, CS99, NA92, NA56, NA49, CS97, CS93, CS79, CS78, CS69, NA155, NA196, NA99, CS17, EU8, EU9, EU12, EU13, NA60, NA61, NA64, NA67, NA79, CS8, CS94, and many more (over 100). 


After restoring administrator access to all affected orgs, ..