this intrusion did not stem from a security flaw in our application or database
Modify your Salesforce implementation to activate IP range restrictions. This will allow users to access Salesforce only from your corporate network or VPN, thus providing a second factor of authentication.
If they had done that, this wouldn't have happened. But they can sure advise me. Hmmm, that Sugar CRM run on my own site is beginning to look better and better.
Am I the only one who sees the irony in this?