Klue OAuth breach spreads: 7 firms confirm Salesforce data theft

Manaal Khan · 20 June 2026 at 6:22 am · 5 min read

Key Takeaways

Source: BleepingComputer
  • Klue confirmed that attackers used a compromised legacy credential to steal OAuth tokens, an intrusion it discovered on June 12, and then accessed customer Salesforce environments
  • Seven companies including Recorded Future, Tanium, Jamf, and Huntress have disclosed data theft from their Salesforce instances
  • The Icarus extortion group publicly claimed responsibility and is pressuring victims through the Session messaging platform

The Klue OAuth breach is now a multi-victim incident. Seven enterprise companies have confirmed that attackers stole data from their Salesforce environments after compromising Klue's integration infrastructure. The Icarus extortion group has publicly claimed responsibility.

Klue CEO Jason Smith confirmed the breach this week. On June 12, the company discovered unauthorized activity affecting its integration infrastructure. An attacker exploited a compromised legacy credential tied to an integration service, then used that access to steal OAuth tokens connecting Klue to third-party platforms, particularly Salesforce.

"Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service," Smith wrote in a public statement. "The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments."

Which companies were affected by the Klue breach?

The victim list keeps growing. Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and Huntress have all disclosed that the breach led to data theft from their Salesforce instances. Most emphasized that the incident did not affect their own platforms, internal systems, or payment data. The attack was confined to CRM data accessible through the compromised OAuth integrations.

Huntress, one of the security firms that investigated the breach, revealed it was also a victim. The stolen data included business contacts, sales communications, pricing information, and other records. That a cybersecurity company fell victim underscores how supply chain attacks through trusted integrations can bypass even security-focused organizations.

How did the OAuth token attack work?

Klue is a competitive intelligence platform that creates "battlecards" for enterprise sales teams. These battlecards help salespeople counter competitor claims during deals. The platform integrates with Salesforce CRM through OAuth tokens, which provide persistent access without requiring repeated logins.

ReliaQuest observed the attackers generating OAuth tokens and using Python scripts to query Salesforce's API for extended periods. The scripts systematically extracted CRM data. Because OAuth tokens grant ongoing access, a single compromised credential can provide an extended window for data exfiltration.

Klue says it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, and engaged CrowdStrike for incident response. The company also notified law enforcement.

Who is the Icarus extortion group?

Icarus claiming responsibility for the Klue breach

Icarus is a new extortion operation that has now publicly claimed the Klue attack on its data leak site. "As you've probably already heard, Klue.com has been impacted by us recently. A number of other companies' Salesforce instances, which were partners to Klue, were exfiltrated," the group wrote.

The threat actors are pressuring Klue and affected organizations to contact them through Session, an encrypted messaging platform, to prevent data leaks. BleepingComputer had previously linked the attack to Icarus based on extortion emails sent to affected organizations. Huntress independently confirmed the connection through Session Messenger IDs matching between the extortion emails and the group's leak site.

What should affected organizations do?

Several victim organizations warned that the stolen business contact information could fuel follow-on attacks. Phishing, social engineering, and additional extortion campaigns are likely. Sales data and pricing information could also be valuable for competitors or used to craft convincing business email compromise schemes.

Organizations using Klue should audit their OAuth integrations immediately. Check for unusual API query patterns in Salesforce logs. Review which third-party services hold OAuth tokens to your CRM, and consider whether legacy credentials might still be active.
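An added example of the audit just described, not code from the article, Klue or Salesforce: it inventories which connected apps appear in a Salesforce-style API log and flags any app that pulls an unusually large volume across several CRM objects within one hour, the sustained scripted querying ReliaQuest observed. The CSV layout, app names, user agents and thresholds are constructed assumptions.

```python
"""Flag sustained bulk extraction by one connected app in Salesforce-style API logs.
Added example: the CSV layout is a constructed simplification of such a log."""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample log: one row per API call made by a connected app (OAuth client).
SAMPLE_LOG = """\
timestamp,app,user_agent,entity,rows
2026-06-12T01:00:00Z,KlueIntegration,python-requests/2.31,Account,2000
2026-06-12T01:05:00Z,KlueIntegration,python-requests/2.31,Contact,2000
2026-06-12T01:10:00Z,KlueIntegration,python-requests/2.31,Opportunity,2000
2026-06-12T01:15:00Z,KlueIntegration,python-requests/2.31,Lead,2000
2026-06-12T09:00:00Z,KlueIntegration,Klue-Sync/1.0,Account,50
2026-06-12T09:30:00Z,MarketingTool,Mozilla/5.0,Campaign,10
"""
WINDOW = timedelta(hours=1)     # thresholds are assumptions; tune to your baseline
MAX_ROWS_PER_WINDOW = 5000
MAX_OBJECTS_PER_WINDOW = 3
def parse_log(text):
    events = []
    for row in csv.DictReader(StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ")
        row["rows"] = int(row["rows"])
        events.append(row)
    return sorted(events, key=lambda e: e["ts"])
def inventory_apps(text):
    """Every connected app seen in the log: the integrations holding a token."""
    return sorted({e["app"] for e in parse_log(text)})
def find_bulk_extraction(text):
    """Summarise each app's busiest WINDOW-long span; return those over threshold."""
    by_app = defaultdict(list)
    for e in parse_log(text):
        by_app[e["app"]].append(e)
    alerts = {}
    for app, events in by_app.items():
        worst, start = {"rows": -1}, 0
        for end in range(len(events)):
            while events[end]["ts"] - events[start]["ts"] > WINDOW:
                start += 1                   # slide the window start forward
            span = events[start:end + 1]
            rows = sum(e["rows"] for e in span)
            if rows > worst["rows"]:
                worst = {"window_start": span[0]["ts"], "rows": rows,
                         "objects": sorted({e["entity"] for e in span}),
                         "user_agents": sorted({e["user_agent"] for e in span})}
        if worst["rows"] > MAX_ROWS_PER_WINDOW or len(worst["objects"]) > MAX_OBJECTS_PER_WINDOW:
            alerts[app] = worst              # sustained, multi-object pull: review this token
    return alerts
```

Run against a real export, the flagged app's token is the one to revoke first and its window start is where the forensic timeline begins.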

Klue states there is no evidence that customer content stored directly within the Klue platform was impacted. The breach was limited to third-party integrations. But for enterprises, the distinction matters less than the outcome: their Salesforce data is now in the hands of extortionists.


Logicity's Take

This breach exposes a blind spot in enterprise security: the OAuth tokens connecting SaaS platforms. Companies audit their own infrastructure but rarely inventory which vendors hold persistent access to their CRM. Klue's legacy credential sat dormant until it became an entry point. Expect OAuth token hygiene and vendor integration audits to become standard security practice after incidents like this multiply.

Frequently Asked Questions

What data was stolen in the Klue OAuth breach?

Attackers stole business contacts, sales communications, pricing information, and other CRM records from victim organizations' Salesforce environments. Data stored directly in Klue's platform was not affected.

How did attackers access Klue's integration infrastructure?

Attackers exploited a compromised legacy credential associated with an integration service. They used this access to steal OAuth tokens that connected Klue to customer Salesforce instances.

Who is the Icarus extortion group?

Icarus is a new extortion operation that publicly claimed responsibility for the Klue breach. The group is demanding contact through the Session encrypted messaging platform to prevent data leaks.

Which companies were affected by the Klue breach?

Confirmed victims include Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and Huntress. All have disclosed Salesforce data theft stemming from the Klue compromise.

Is my Salesforce data at risk if I use Klue?

Klue has revoked affected credentials and tokens. Contact Klue directly to confirm whether your integration was impacted and review your Salesforce API logs for unusual activity.


Source: BleepingComputer


Manaal Khan

Tech & Innovation Writer
