Approximately two dozen companies using Klue have reported that their Salesforce systems were compromised in a recent supply chain attack. This incident occurred between June 11 and 12, when cyber attackers exploited outdated credentials to infiltrate Klue’s market intelligence platform. The attackers managed to acquire OAuth tokens tied to Klue’s customer integrations, allowing them to exfiltrate data in significant volumes.
Timeline of the Attack
The breach led Salesforce to deactivate the Klue integration on June 17, and the integration remains disabled according to its status page. Gong has also disabled its Klue integration. Among the impacted entities are AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Because Klue serves hundreds of clients, the extent of the damage could be broader, though SecurityWeek has not observed further notifications.
It is important to note that some Klue customers, such as Autodesk, do not employ the Salesforce integration and thus were not affected by this breach.
Hacker Group Involvement
A hacker group named Icarus has taken responsibility for the attack, listing Klue and several of its clients on a Tor-based leak site. The group threatens to publish the stolen data, which mainly consists of business contact and support information, unless its ransom demands are met. On Monday, Klue acknowledged the data breach and announced an ongoing investigation, though further public updates have not been issued.
Meanwhile, Klue has privately informed its clients of ongoing communications with the attackers, who have begun erasing the stolen data, as reported by TechCrunch. Icarus’s leak site has been down for several days, possibly due to negotiations, hinting that Klue might have complied with the ransom demands.
Secondary Breach and Ongoing Risks
In a surprising turn of events, Klue reportedly informed its clients that Icarus was itself hacked, leading to the stolen data falling into the hands of a different threat actor. This new group is allegedly conducting its own extortion attempts, although it appears to have obtained only sample data.
The incident is believed to affect 195 Klue clients, but no other extortion group besides Icarus has publicly claimed responsibility for the data stolen during the initial Klue breach. SecurityWeek has reached out to Klue for further comments and will provide updates if a response is received.
Related breaches highlight the ongoing challenges in cybersecurity, with recent disclosures from companies like London Hydro, Xsolis, Texas Parks & Wildlife, and Kodak, emphasizing the widespread nature of such threats.
