Alert Regarding Information Leakage Due to Salesforce Misconfigurations

Cloud-based customer relationship management software giant Salesforce.com is warning some users
of its Marketing Cloud that any data they stored may have been accessed by third parties or
inadvertently

A copy of the alert from San Francisco-based Salesforce, which was distributed by email about 6 p.m.
on Thursday evening, U.S. Pacific Time, states that the error involved the company's REST
application programming interface.

"During a Marketing Cloud release between June 4, 2018, and July 7, a code change was introduced
that, in rare cases, could have caused REST API calls to retrieve or write data from one customer's
account to another inadvertently," according to the alert, a copy of which was obtained by Information
Security Media Group. "Where the issue occurred, the API call may have failed and generated an
error message rather than writing or modifying data."

Salesforce has since posted a knowledge article with a brief overview of the problem.

Bad news for Salesforce customers: The software-as-a-service giant says it does not know if data was
inadvertently altered or maliciously tampered with, although says it's seen no evidence of the latter.

"We have no evidence of malicious behavior associated with this issue," a Salesforce spokesman tells
ISMG.

But the security advisory stops short of saying definitively that such activity did not occur. "We are
unable to confirm if your data was viewed or modified by another customer. As a result, we are
notifying all potentially impacted customers who accessed the Marketing Cloud during this period,"
according to its alert.

"While Salesforce continues to conduct additional quality checks and testing in relation to this issue,
we recommend that you monitor and review your data carefully to ensure the accuracy of your
account," it says.