Salesforce disclosed a security vulnerability in Marketing Cloud Engagement that could have exposed CloudPages content and subscriber data—fixed via AES-GCM encryption upgrade on January 21, 2026, with legacy links expired on January 23, 2026.
A security flaw affected link encryption in Marketing Cloud Engagement emails. If exploited, an attacker could have accessed:
Key fact: Salesforce reports no confirmed unauthorized access or data misuse from this vulnerability.
Seven link types were vulnerable:
| Milestone | Date & Time (UTC) |
|---|---|
| AES-GCM encryption deployed | January 21, 2026 at 23:00 |
| Legacy links expired | January 23, 2026 at 21:00 |
Bottom line: Links generated after January 21, 2026 at 23:00 UTC are secure. Links generated before that date were forcibly expired.
Salesforce rolled out AES-GCM (Advanced Encryption Standard - Galois/Counter Mode) encryption across Marketing Cloud Engagement. AES-GCM provides authenticated encryption, combining confidentiality and integrity verification in a single operation—a significant security improvement over legacy methods.
Critical technical change: Encrypted URLs are now longer.
| Before | After |
|---|---|
| 180–255 characters | 400–580 characters |
Change field types from Text (255 char) to Text Area (Long) for any fields storing Marketing Cloud URLs.

Set URL lifespan to 60 days maximum. Salesforce recommends this as the default.
By default, expired links redirect to a Salesforce error page. Admins can configure a custom destination URL for better user experience.
Salesforce's statement: "Salesforce has not identified to date any confirmed unauthorized access to or misuse of customer data related to this issue."
However, the precautionary link expiration suggests the vulnerability was serious enough to warrant breaking existing email campaigns—a significant remediation measure.
Open a case through the Salesforce Help portal for technical assistance.
This incident reflects a broader pattern in 2025-2026 Salesforce security: vulnerabilities increasingly target integration points and link handling rather than core platform access. Organizations should audit any system that stores, processes, or validates Marketing Cloud URLs.
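One way to run that audit, as an added example that is not Salesforce's or this article's own code: a Python check of fields that store Marketing Cloud URLs against the 580-character upper bound from the length table above. The inventory, the system and field names, and the `links.example.invalid` URLs are constructed; populate the inventory from your own schema export.

```python
from dataclasses import dataclass, field

# Upper bound from the article: encrypted URLs grew from 180-255 to 400-580 characters.
NEW_URL_MAX = 580

@dataclass
class UrlField:
    system: str                 # where the field lives (constructed names below)
    name: str
    max_len: int                # declared capacity in characters
    samples: list = field(default_factory=list)  # stored values to inspect

def audit(f: UrlField) -> list:
    """Return findings for one field that stores Marketing Cloud URLs."""
    findings = []
    if f.max_len < NEW_URL_MAX:
        findings.append(f"CAPACITY: holds {f.max_len} chars, new URLs reach {NEW_URL_MAX}")
    # A stored value that exactly fills the field may have been cut off on write.
    cut = [v for v in f.samples if len(v) == f.max_len]
    if cut:
        findings.append(f"TRUNCATED: {len(cut)} of {len(f.samples)} values fill the field exactly")
    # A value longer than the declared capacity means the inventory is wrong, not the data.
    if any(len(v) > f.max_len for v in f.samples):
        findings.append("INVENTORY: stored value exceeds declared capacity")
    return findings

def make_url(length: int) -> str:
    """Constructed placeholder URL of an exact length (not a real link format)."""
    prefix = "https://links.example.invalid/?qs="
    return prefix + "a" * (length - len(prefix))

# Constructed inventory: system names, field names and values are hypothetical.
INVENTORY = [
    UrlField("crm", "Last_Email_Link__c", 255, [make_url(210), make_url(255)]),
    UrlField("crm", "Preference_Center_URL__c", 32768, [make_url(240), make_url(512)]),
    UrlField("warehouse", "click_events.url", 512, [make_url(430), make_url(512)]),
]

def report(inventory):
    """Map 'system.field' to its findings, skipping fields with none."""
    return {f"{f.system}.{f.name}": r for f in inventory if (r := audit(f))}

if __name__ == "__main__":
    for name, findings in report(INVENTORY).items():
        for line in findings:
            print(f"{name}: {line}")
```

A truncated AES-GCM link cannot be repaired after the fact, because the missing ciphertext or tag bytes make authentication fail; flagged values have to be regenerated from a new send.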
David Cockrum founded Vantage Point after serving as Chief Operating Officer in the financial services industry. His unique blend of operational leadership and technology expertise has enabled Vantage Point's distinctive business-process-first implementation methodology, delivering successful transformations for 150+ financial services firms across 400+ engagements with a 4.71/5.0 client satisfaction rating and 95%+ client retention rate.