An error involving in a Salesforce marketing cloud API could have allowed third parties to access data or for data to be corrupted.
“During a Marketing Cloud release that was rolled out between June 4, 2018 and July 7, a code change was introduced that may have caused a small subset of REST API calls to improperly retrieve or write data from one customer's account to another,” the company said in an advisory.
“We have no evidence of malicious behavior associated with this issue,” Salesforce said, noting its security team discovered the error July 18 and deployed an emergency release the same day, which resolved “the issue for all Marketing Cloud stacks.”
But Anthony James, CMO, CipherCloud, was troubled that “Salesforce seemed unable to provide logging to show exactly who, if anyone, accessed the data and when.”
The error presents the potential for data exposure failure as well as “a compliance failure depending on what data was potentially exposed,” James said. “This incident also exposed the weakness of Salesforce engineering of letting such a critical vulnerability passing through their checks.”
The company said it had notified those potentially affected by the incident but James called it “concerning that the breach is being handled via email to individual customers.”