Cloud behemoth Salesforce.com is warning customers about an API error that may have leaked data for some users of its Marketing Cloud offering.
The issue was in play between June 4 to July 18, according to an alert that Salesforce.com sent out to customers Thursday. The issue potentially affected users of two modules within the broader Marketing Cloud offering: The Email Studio and Predictive Intelligence products.
The notice, first obtained by BankInfoSecurity and confirmed as authentic by Threatpost, described a code change that was introduced when Salesforce.com released an update to Marketing Cloud; the change resulted in incorrectly implemented REST API calls.
“In rare cases… REST API calls [could] retrieve or write data from one customer’s account to another inadvertently,” according to the alert. “Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data.”
In addition, some customers may have had their data corrupted – which is less of a privacy problem and more of a business challenge.
Marketing Cloud is a collection of platforms that allow customers to create personalized marketing campaigns across a variety of channels, ranging from traditional ads to social media to connected things. For instance, digital coolers in a grocery store can capture shoppers’ demographic data and use that information to display customized content and a call to action on an embedded touchscreen. That content might take the form of coupons, or an exhortation to go online for deals and information. Marketing Cloud powers the data collection and Big Data analysis required to follow a given shopper through this “journey,” as Salesforce calls it, and manages the increasingly personalized interactions that a company might have with that shopper, in an automated way.
In other words, Marketing Cloud handles plenty of sensitive information – collected on behalf of customers that Salesforce said “range from business-to-business and nonprofits to some of the largest business-to-consumer companies in the world,” according to its website. These include organizations like Aldo, Dunkin Donuts, GE, HauteLook, Nestle Waters, News Corp Australia and Sony, the company said.
It remains unknown if any of these giants and their customers’ data were impacted; in the alert, Salesforce said that it doesn’t know if or how often data leakage occurred. However, since the issue impacts a subset of the platform, the scale of the issue is presumably somewhat mitigated.
“We are unable to confirm if your data was viewed or modified by another customer,” Salesforce explained in its alert, noting that it was notifying all customers just to be on the safe side. “While Salesforce continues to conduct additional quality checks and testing in relation to this issue, we recommend that you monitor and review your data carefully to ensure the accuracy of your account.”
The company said in its official notice that it spotted the problem on July 18, meaning it waited more than two weeks to alert its customer base.
“When the Salesforce security team became aware of the issue on July 18, 2018, an emergency release (eRelease) was issued the same day to resolve the issue,” the alert said.
Threatpost will update this story as more information becomes available.