At least nine organizations have reported being affected by a supply chain attack targeting the market intelligence platform Klue. The incident, which took place between June 11 and 12, exploited Klue’s integration with Salesforce, giving the attackers unauthorized access to data in multiple customer accounts, including those of several prominent cybersecurity firms.
Details of the Klue Security Breach
Klue confirmed on Friday that the breach occurred through the use of compromised legacy credentials, which allowed the attackers into its systems and from there to the OAuth tokens Klue uses to connect to third-party platforms, including Salesforce. With those tokens, the attackers were able to reach sensitive data in several connected customer environments.
The company has since revoked the compromised credentials and tokens, disabled integrations across various services, and is conducting an investigation alongside CrowdStrike and law enforcement authorities. According to Klue, the breach was restricted to the affected third-party platforms, with no evidence that customer content within the Klue platform itself was compromised.
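The sequence Klue describes (a legacy credential leads to stored OAuth tokens, and the tokens lead to connected customer data) is exactly what a periodic review of integration grants is meant to catch. The following is an added example, not code from Klue, Salesforce or any other vendor named in this article: it audits a constructed inventory of third-party OAuth grants for legacy authentication, long-idle tokens and over-broad scopes, and separately looks for bulk-read spikes per token in constructed API access records. Field names, vendor names, token identifiers, dates and thresholds are all assumptions.

```python
"""Review third-party OAuth grants and per-token read volume (added example).

The grant inventory and access records below are constructed; the field
names are assumptions about what an identity provider or SaaS admin
console exports, not any product's actual schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, FrozenSet, List, Optional

UTC = timezone.utc


@dataclass(frozen=True)
class OAuthGrant:
    vendor: str                 # third-party app holding the token (constructed)
    token_id: str               # opaque grant identifier (constructed)
    scopes: FrozenSet[str]      # scopes the grant carries
    created: datetime
    last_used: Optional[datetime]
    auth_method: str            # how the vendor authenticated to obtain the grant


# Assumptions for this review: password-based vendor auth is "legacy",
# and a scope literally named "full" is treated as over-broad.
LEGACY_AUTH = {"password"}
OVERBROAD_SCOPES = {"full"}


def audit_grants(grants: List[OAuthGrant], now: datetime,
                 stale_after: timedelta = timedelta(days=90)) -> Dict[str, List[str]]:
    """Return {token_id: [reasons]} for grants that should be revoked or re-issued."""
    findings: Dict[str, List[str]] = {}
    for g in grants:
        reasons = []
        if g.auth_method in LEGACY_AUTH:
            reasons.append("obtained with legacy credential")
        idle = now - (g.last_used or g.created)
        if idle > stale_after:
            reasons.append(f"unused for {idle.days} days")
        broad = g.scopes & OVERBROAD_SCOPES
        if broad:
            reasons.append("over-broad scope: " + ", ".join(sorted(broad)))
        if reasons:
            findings[g.token_id] = reasons
    return findings


@dataclass(frozen=True)
class ApiRead:
    token_id: str
    when: datetime
    records: int                # records returned by one API read


def flag_bulk_reads(reads: List[ApiRead], factor: int = 5, min_days: int = 3):
    """Per token, sum records per UTC day and flag days above factor x that
    token's own median daily volume. Tokens with too little history are skipped."""
    per_day = defaultdict(lambda: defaultdict(int))
    for r in reads:
        per_day[r.token_id][r.when.date()] += r.records
    flagged = {}
    for token, days in per_day.items():
        if len(days) < min_days:
            continue
        totals = sorted(days.values())
        median = totals[len(totals) // 2]
        spikes = sorted(d for d, n in days.items() if n > factor * median)
        if spikes:
            flagged[token] = spikes
    return flagged


# Constructed sample inventory: one grant on a legacy credential that has sat
# idle for years, one healthy grant, one with an over-broad scope.
NOW = datetime(2024, 6, 13, tzinfo=UTC)
SAMPLE_GRANTS = [
    OAuthGrant("market-intel-app", "tok-A", frozenset({"api", "refresh_token"}),
               datetime(2022, 1, 10, tzinfo=UTC), datetime(2022, 5, 1, tzinfo=UTC), "password"),
    OAuthGrant("ticketing-app", "tok-B", frozenset({"api"}),
               datetime(2024, 3, 1, tzinfo=UTC), datetime(2024, 6, 12, tzinfo=UTC), "certificate"),
    OAuthGrant("analytics-app", "tok-C", frozenset({"full", "refresh_token"}),
               datetime(2024, 1, 1, tzinfo=UTC), datetime(2024, 6, 10, tzinfo=UTC), "oidc"),
]

# Constructed access records: tok-B reads ~200 records a day, then 5000 in one evening.
SAMPLE_READS = [ApiRead("tok-B", datetime(2024, 6, d, 9, tzinfo=UTC), 200) for d in (7, 8, 9, 10)]
SAMPLE_READS += [ApiRead("tok-B", datetime(2024, 6, 11, 22, tzinfo=UTC), 3000),
                 ApiRead("tok-B", datetime(2024, 6, 11, 23, tzinfo=UTC), 2000)]


def run_review():
    """Run both checks on the constructed data and return the results together."""
    return audit_grants(SAMPLE_GRANTS, NOW), flag_bulk_reads(SAMPLE_READS)


if __name__ == "__main__":
    grant_findings, read_spikes = run_review()
    for token, reasons in grant_findings.items():
        print(f"{token}: {'; '.join(reasons)}")
    for token, days in read_spikes.items():
        print(f"{token}: bulk read on {', '.join(d.isoformat() for d in days)}")
```

The two checks are complementary: the grant audit is a preventive control that would have surfaced the idle, password-backed grant before anyone used it, while the volume check is a detective control for a token that is legitimate but suddenly pulls far more CRM records than its own history justifies. In a real deployment the thresholds should be tuned per integration, and the inventory should come from the platform's own connected-app and token reports rather than a hand-built list.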
Impact on Cybersecurity Firms
Among the affected organizations are cybersecurity firms such as HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium. Additionally, Insurity and Sprout Social have informed their customers of the breach. These companies have reiterated that the breach was confined to Salesforce instances and did not compromise their internal systems, aligning with Klue’s assessment of the situation.
The hackers managed to extract business information from the targeted organizations’ Salesforce CRMs, which included sales account data and business contact details like names, email addresses, job titles, phone numbers, and business addresses. In response, Salesforce and Gong have both disabled Klue integrations to mitigate further risk.
Speculation and Threats Following the Attack
Huntress has suggested that a threat actor known as Icarus might be behind this attack. Following the breach, Icarus has listed Klue on its Tor-based leak site, claiming responsibility and threatening to release the stolen data unless negotiations are initiated by June 22.
This incident highlights the risk that supply chain integrations carry and the importance of securing third-party connections. As investigations continue, affected organizations are advised to review and strengthen their security protocols to prevent future breaches.
The attack is a reminder of the need for robust security measures around third-party integrations, whose stored credentials and tokens can become a path to data exfiltration.
