Code change could have exposed clients’ CRM data

Salesforce has warned customers that their information may have been shared with other customers’ accounts, due to an API error.

In a security advisory, the CRM company says it became aware of the issue on the 18th July. The error impacted “a subset” of Marketing Cloud customers using the Marketing Cloud Email Studio and Predictive Intelligence products.

In a separate article, Salesforce says that the error was introduced with a code change that it rolled out to Marketing Cloud between the 4th June and 7th July. The change ‘may have caused a small subset of REST API calls to improperly retrieve or write data from one customer’s account to another’.

This is concerning as Marketing Cloud is a CRM product, which Salesforce clients use to store customer and sales prospect contact details, as well as other ‘crown jewels’ of business. Although the error was resolved on the same day, via an emergency release, some customers may still have experienced data loss.

In an email to customers, seen by Security Information Group, Salesforce said: “Where the issue occurred, the API call may have failed and generated an error message rather than writing or modifying data”. Although there is “no evidence of malicious behavior associated with this issue”, that doesn’t mean that it didn’t occur – just that the SaaS giant isn’t aware of it if it did.

The firm added: “We are unable to confirm if your data was viewed or modified by another customer. As a result, we are notifying all potentially impacted customers who accessed the Marketing Cloud during this period”.

Any organization whose users accessed the affected products – through either the online UI or REST API calls – may have had their Marketing Cloud data corrupted, Salesforce warned.

Source:  The Inquirer