Klue Breach Cascades Into Salesforce: 'Icarus' Crew Hits Huntress, Recorded Future and Others

A compromised integration at competitive-intelligence platform Klue let attackers steal OAuth tokens and pull Salesforce CRM data from multiple customers. A new extortion group called Icarus is now demanding payment.

Competitive-intelligence vendor Klue has confirmed a security incident that spread downstream into its customers' Salesforce environments, according to a statement from CEO Jason Smith and investigations published by Huntress and ReliaQuest. Klue says an attacker gained access through a compromised legacy credential tied to an integration service, then obtained OAuth tokens that connect Klue to third-party platforms including Salesforce, and reached data inside a number of connected customer environments.

Huntress, which was itself affected, dates the start of the activity to June 11, when the attacker pushed a code update capable of harvesting the OAuth tokens Klue customers use to link the platform to their own systems. The credential involved was a long-dormant but still active key originally created for a third-party integration prototype that Klue later abandoned, Huntress reports. Klue says it identified the unauthorized activity on June 12 and moved to contain it, revoking affected tokens, removing the malicious code, disabling integrations, engaging CrowdStrike, and notifying law enforcement.

Once inside, the attacker used the stolen tokens to query customers' Salesforce instances directly through the REST API. ReliaQuest observed automated extraction running for roughly 24 hours, including a burst of close to 1,000 queries in 15 minutes, with scripts identifiable by Python-urllib user agents. Salesforce disabled the Klue Battlecards app on its platform on June 17, stating the issue was limited to Klue's app connection and not a flaw in Salesforce itself. Klue separately disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
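The two signals ReliaQuest describes, a burst of roughly 1,000 queries in 15 minutes and a Python-urllib user agent, are the kind of thing a defender can hunt for in API access logs after the fact. The detector below is an added example and not code from Klue, Huntress, ReliaQuest or Salesforce; the pipe-separated log format, the sample records, the 15-minute window, the alert threshold of 50 queries per window and the list of scripting user-agent markers are all assumptions chosen for the example (real Salesforce event logs use different field names and are far noisier).

```python
"""Flag per-token query bursts and scripting user agents in constructed API logs.

Added example for the Klue/Salesforce incident write-up; not vendor code.
Assumed log line format (constructed): "<ISO timestamp>|<token id>|<user agent>|<endpoint>"
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)          # sliding window used for rate checks (assumed)
BURST_THRESHOLD = 50                    # queries per WINDOW that trigger an alert (assumed tuning)
SCRIPT_UA_MARKERS = ("python-urllib", "python-requests", "curl/")  # assumed marker list


def parse_line(line):
    """Split one constructed log line into (timestamp, token, user_agent, endpoint)."""
    ts, token, ua, endpoint = line.split("|", 3)
    return datetime.fromisoformat(ts), token, ua, endpoint


def peak_window_counts(records):
    """Return {token: largest number of queries seen inside any WINDOW-long sliding window}."""
    windows = defaultdict(deque)
    peak = defaultdict(int)
    for ts, token, _ua, _endpoint in sorted(records, key=lambda r: r[0]):
        q = windows[token]
        q.append(ts)
        while q and ts - q[0] > WINDOW:   # drop timestamps that fell out of the window
            q.popleft()
        peak[token] = max(peak[token], len(q))
    return dict(peak)


def scripted_user_agents(records):
    """Return {token: set of user agents that look like scripted clients}."""
    hits = defaultdict(set)
    for _ts, token, ua, _endpoint in records:
        if any(marker in ua.lower() for marker in SCRIPT_UA_MARKERS):
            hits[token].add(ua)
    return dict(hits)


def detect(lines):
    """Return {token: [reasons]} for every token that trips at least one check."""
    records = [parse_line(line) for line in lines]
    peak = peak_window_counts(records)
    scripted = scripted_user_agents(records)
    findings = {}
    for token in set(peak) | set(scripted):
        reasons = []
        if peak.get(token, 0) >= BURST_THRESHOLD:
            reasons.append(f"burst: {peak[token]} queries within {WINDOW}")
        if scripted.get(token):
            reasons.append("scripted client: " + ", ".join(sorted(scripted[token])))
        if reasons:
            findings[token] = reasons
    return findings


def build_sample_log():
    """Construct sample log lines: one normal sales user and one abused integration token.

    Timestamps, token names and counts are constructed for the example, not taken
    from the incident. The endpoint path mimics the Salesforce REST query resource.
    """
    base = datetime(2000, 1, 1, 3, 0, 0)  # constructed start time
    lines = []
    # Normal behaviour: three browser queries, an hour apart.
    for i in range(3):
        ts = base + timedelta(hours=i)
        lines.append(f"{ts.isoformat()}|tok_sales_user|Mozilla/5.0 (X11; Linux x86_64)|/services/data/v58.0/query")
    # Suspicious behaviour: 80 scripted queries at nine-second intervals (about 12 minutes).
    for i in range(80):
        ts = base + timedelta(seconds=9 * i)
        lines.append(f"{ts.isoformat()}|tok_integration_legacy|Python-urllib/3.11|/services/data/v58.0/query")
    return lines


if __name__ == "__main__":
    for token, reasons in detect(build_sample_log()).items():
        print(token)
        for reason in reasons:
            print("  -", reason)
```

Run stand-alone, the script reports only the integration token, with both reasons. The rate check is keyed on the token rather than on the user agent deliberately: a user agent is trivially changed, whereas the burst pattern is inherent to bulk extraction, so the scripted-client check is treated as corroborating context rather than the primary signal.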

The stolen material appears to be sales and contact data rather than secrets. Huntress says the data copied from its Salesforce account included business contacts, price quotes, sales communications, and competitive reports, and that no threat intelligence, customer telemetry, passwords, or payment card data was taken. Recorded Future confirmed its own Salesforce data was affected, including client contact names, email addresses, and possibly some contract information. Huntress says Tanium and Jamf have also disclosed impact, and warns that more companies are likely to come forward as they finish reviewing logs.
