Marketing data remained exposed for six weeks
Salesforce, a cloud-hosted business relationship management software company, is warning some users of its Marketing Cloud that any stored information may have been viewed or modified by third parties due to an API error that persisted from June 4 to July 18, as reported by experts in enterprise network security from the International Institute of Cyber Security.
A statement from the company mentions that the flaw involved the programming interface of a company’s app. “Between June 4 and July 7, 2018, in a Marketing Cloud version, a code change was introduced that, in exceptional cases, could have caused the REST API calls to recover or write data from one customer account to another inadvertently”.
The bad news for Salesforce customers is that the company says it does not know whether the data was inadvertently altered or maliciously manipulated, although it says there is no evidence of malicious hacker intervention.
But the statement does not definitively rule out that such malicious activity occurred. “We cannot confirm whether the data was viewed or modified by another customer. As a result, we are notifying all potentially affected customers who accessed Marketing Cloud during this period”, the statement mentions. “While Salesforce’s enterprise network security experts continue to perform quality testing on this issue, we strongly recommend users to carefully monitor their data to ensure their accounts’ security”.
The Salesforce statement does not describe how its enterprise network security team identified the problem. The company attributed the problem to “A recent code change introduced during a Marketing Cloud publication that modified the way the REST API calls were processed in Marketing Cloud”, and said it was detected on July 18.
“When the Salesforce security team learned of the situation on July 18, 2018, an emergency statement was issued on the same day to solve the problem”. The company then issued its email alert to potentially affected customers 15 days later.
Some Salesforce customers based in the UK say that they were warned about the problem through a call from their Salesforce account manager one day before the email alert was distributed.
“Market with confidence and security”, says Salesforce on its website. “Whether you have dozens or billions of customers, send your personalized messages securely when you need them most”.
Along with sales and services, marketing is one of the key products of Salesforce. The premise of Marketing Cloud, and its main offer to its users, is that working with Salesforce allows them to reach their customers, both business-to-consumer and business-to-business, using data they have already collected and stored in the system called Salesforce CRM.
Working as a cyber security solutions architect, Alisa focuses on bug bounty and network security. Before joining us she held cyber security researcher positions within a variety of cyber security start-ups. She also has experience in different industry domains like finance, healthcare and consumer products.