Klue OAuth Breach Drives Salesforce Data Theft


The market intelligence platform Klue has confirmed a breach of part of its integration infrastructure. Attackers obtained OAuth tokens, the credentials that let one service act inside another on a customer's behalf, and used them to enter the Salesforce environments of several Klue customers. The Icarus extortion group claimed the attack and demanded that victims contact it through the Session messenger to stop the release of the stolen data.

How the Attack Unfolded

Klue spotted the suspicious activity on June 12. The investigation showed that the attackers used compromised legacy credentials tied to Klue’s integration service. That access yielded OAuth tokens for third-party platforms, Salesforce among them. From there, the intruders explored and copied data from a number of customer accounts.

What Klue Did Next

Klue says it found no sign of access to data stored directly on its own platform. Instead, the attack touched only third-party integrations. In response, the company revoked the compromised credentials and tokens. It also removed the unauthorized code, disabled the affected connections, and launched an internal investigation. Furthermore, Klue notified law enforcement and brought in CrowdStrike to help analyze the incident.

The Data Theft Comes to Light

Security researchers first noticed the mass data theft while examining the Klue Battlecards integrations. Using the stolen OAuth credentials, the attackers authenticated to the Salesforce accounts of Klue customers and minted fresh access tokens for themselves. For hours they ran Python scripts against the Salesforce API, pulling out large volumes of records.
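The pattern described above (a token exchange by an existing connected app, followed by a scripted, high-volume pull from a client the tenant has never seen before) is what a Salesforce admin would want to hunt for in their own API activity. The following is an added example written for this page, not code from Klue, the researchers, or any affected company. It runs two checks over a constructed set of API request records whose shape is hypothetical (not Salesforce's real event-log schema): a sliding-window volume check per connected app, and a check for API calls made after a token grant from a user agent that app had never used before. The thresholds are assumptions to be tuned against a tenant's own baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_ENDPOINT = "/services/oauth2/token"  # token-exchange requests are logged under this path (assumed)


def constructed_events():
    """Constructed sample, not real logs: one day of normal sync traffic from a
    connected app, then a token exchange at 02:00 followed by a three-hour
    scripted pull from the same client_id using a different user agent."""
    app = "app_klue_integration"  # hypothetical connected-app identifier
    start = datetime(2024, 6, 12, 0, 0)
    events = []
    for i in range(48):  # normal: one small query every 30 minutes
        events.append({"ts": start + timedelta(minutes=30 * i), "client_id": app,
                       "user": "integration@example.com",
                       "endpoint": "/services/data/v60.0/query",
                       "rows": 50, "user_agent": "Klue-Sync/1.0"})
    t0 = start + timedelta(hours=2)
    events.append({"ts": t0, "client_id": app, "user": "integration@example.com",
                   "endpoint": TOKEN_ENDPOINT, "rows": 0,
                   "user_agent": "python-requests/2.31.0"})
    for i in range(240):  # attack: a 2,000-row query every 45 seconds for three hours
        events.append({"ts": t0 + timedelta(seconds=45 * (i + 1)), "client_id": app,
                       "user": "integration@example.com",
                       "endpoint": "/services/data/v60.0/query",
                       "rows": 2000, "user_agent": "python-requests/2.31.0"})
    return sorted(events, key=lambda e: e["ts"])


def burst_windows(events, window=timedelta(minutes=10), max_calls=20, max_rows=10_000):
    """Sliding-window volume check per connected app. Returns, for each
    client_id that breaches either threshold, the first breaching window."""
    by_app = defaultdict(list)
    for e in events:
        if e["endpoint"] != TOKEN_ENDPOINT:
            by_app[e["client_id"]].append(e)
    findings = {}
    for app, evs in by_app.items():
        evs.sort(key=lambda e: e["ts"])
        lo, rows = 0, 0
        for hi, e in enumerate(evs):
            rows += e["rows"]
            while evs[hi]["ts"] - evs[lo]["ts"] > window:  # slide the window forward
                rows -= evs[lo]["rows"]
                lo += 1
            calls = hi - lo + 1
            if calls > max_calls or rows > max_rows:
                findings[app] = {"window_start": evs[lo]["ts"], "calls": calls, "rows": rows}
                break
    return findings


def new_client_after_token_grant(events):
    """For every token exchange, report later API calls by the same client_id
    whose user agent that app never used before the grant. A legitimate
    integration keeps its user agent; a freshly minted token driven by a
    script usually does not."""
    findings = []
    for grant in (e for e in events if e["endpoint"] == TOKEN_ENDPOINT):
        app = grant["client_id"]
        seen_before = {e["user_agent"] for e in events
                       if e["client_id"] == app and e["ts"] < grant["ts"]
                       and e["endpoint"] != TOKEN_ENDPOINT}
        suspicious = [e for e in events
                      if e["client_id"] == app and e["ts"] > grant["ts"]
                      and e["endpoint"] != TOKEN_ENDPOINT
                      and e["user_agent"] not in seen_before]
        if suspicious:
            findings.append({"client_id": app, "grant_ts": grant["ts"],
                             "new_user_agents": sorted({e["user_agent"] for e in suspicious}),
                             "calls": len(suspicious),
                             "rows": sum(e["rows"] for e in suspicious)})
    return findings


if __name__ == "__main__":
    evs = constructed_events()
    print("volume breaches:", burst_windows(evs))
    print("new clients after token grant:", new_client_after_token_grant(evs))
```

The two checks are complementary: the volume check catches a loud pull regardless of how the token was obtained, while the user-agent check fires on the quieter case where a new token is exercised by a client the app has never run. Either finding is the cue to revoke that connected app's refresh tokens and review what was read in the window.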

Who Was Affected

Huntress was among the victims. From its Salesforce instance, the attackers took business contacts, sales correspondence, pricing details, and other records. Later, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity reported affected Salesforce environments too.

Almost every organization says the leak stayed limited to Salesforce data. Their own platforms, internal infrastructure, payment information, and core corporate systems escaped harm. However, the exported records could still hold names, work email addresses, phone numbers, negotiation details, and commercial information.

The Icarus Extortion Group

Icarus publicly claimed that it stole data not only from Klue, but also from several companies linked to the platform. Before that statement, researchers had already tied the group to ransom emails sent to the victims. They confirmed the link through Session identifiers and the Icarus leak site.

What Comes Next for Victims

The companies are warning customers and partners about follow-on risks. These include phishing emails, calls from people posing as staff, social engineering attempts, and fresh ransom demands. The Salesforce data gives attackers strong material for convincing messages. With it, they can cite real deals, name colleagues, and reference prices, product names, and negotiation stages.
