BeyondTrust and LastPass Affected by Klue-Salesforce Security Breach
A cybersecurity firm has confirmed its systems were compromised following a breach linked to the Klue-Salesforce incident, which involved unauthorized access to customer Salesforce environments.
Breach Details and Scope
A threat group known as Icarus exploited a compromised legacy credential to infiltrate Klue’s infrastructure, generating OAuth tokens to gain access to third-party platforms integrated with Klue, including Salesforce. The attackers then accessed connected Salesforce instances and extracted data in bulk using automated scripts.
Threat Group Icarus
Icarus, the alleged threat actor, has listed multiple organizations on its Tor-based leak site as victims of the breach, including Swiss AI communications provider Gms-net. SecurityWeek has sought a response from Gms-net but has not received a statement. Icarus’s website, which previously listed at least four additional undisclosed victims, is currently offline.
Response and Mitigation Efforts
Salesforce and Gong have suspended the Klue integration, while over a dozen organizations have reported impacts. LastPass stated the breach involved standard business contact information and CRM data, including customer names, phone numbers, addresses, support case details, and sales-related records. The company emphasized that its products, services, and infrastructure remained unaffected, with no evidence of Gong-related data exposure.
Actions Taken by Affected Entities
LastPass has terminated access to Klue, revoked compromised tokens, reported the incident to law enforcement, and initiated a joint investigation with Klue and Salesforce. BeyondTrust reported the theft of business contact and sales-related information from its Salesforce instance, though this notification was not publicly disclosed.
Affected Entities and Impact
Additional firms affected include 8x8, Pendo, HackerOne, Huntress, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium. Huntress estimates that numerous Klue customers may have been impacted, with more organizations expected to announce breaches.
Organizations Impacted
- 8x8
- Pendo
- HackerOne
- Huntress
- Insurity
- Jamf
- OneTrust
- Recorded Future
- Snyk
- Sprout Social
- Tanium
Security Recommendations
The incident highlights vulnerabilities in third-party integrations and the risks associated with compromised credentials. Organizations are advised to review their Salesforce configurations, monitor for suspicious activity, and ensure robust access controls are in place. The full scope of the breach remains under investigation, with further updates anticipated as more details emerge.
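For the recommendation to monitor for suspicious activity, the following added example (not from the article or any vendor named in it) compares each OAuth-connected app's hourly API read volume and source IPs against that app's own baseline, which is how bulk extraction through a stolen integration token tends to stand out. The event schema, the app names and the IP addresses are constructed assumptions; map your own API event log export onto the same four fields.

```python
from collections import defaultdict
from datetime import datetime

# Constructed events in a normalized schema (assumed, not a vendor's field names):
# (ISO timestamp, connected app name, source IP, rows returned by the API call)
BASELINE = [
    ("2025-01-06T09:05:00", "vendor-integration", "198.51.100.10", 180),
    ("2025-01-06T09:40:00", "vendor-integration", "198.51.100.10", 220),
    ("2025-01-06T14:10:00", "vendor-integration", "198.51.100.11", 300),
    ("2025-01-07T10:00:00", "vendor-integration", "198.51.100.10", 250),
]
REVIEW = [
    ("2025-01-08T09:15:00", "vendor-integration", "198.51.100.10", 260),
    ("2025-01-08T02:03:00", "vendor-integration", "203.0.113.77", 40000),
    ("2025-01-08T02:41:00", "vendor-integration", "203.0.113.77", 55000),
    ("2025-01-08T11:00:00", "new-app", "198.51.100.10", 5),
]

def hourly(events):
    """Sum rows and collect source IPs per (app, hour bucket)."""
    buckets = defaultdict(lambda: {"rows": 0, "ips": set()})
    for ts, app, ip, rows in events:
        hour = datetime.fromisoformat(ts).replace(minute=0, second=0)
        buckets[(app, hour)]["rows"] += rows
        buckets[(app, hour)]["ips"].add(ip)
    return buckets

def find_anomalies(baseline, review, factor=5):
    """Return (app, hour, reasons) for review hours that break the app's baseline."""
    peak, known_ips = defaultdict(int), defaultdict(set)
    for (app, _), b in hourly(baseline).items():
        peak[app] = max(peak[app], b["rows"])
        known_ips[app] |= b["ips"]
    findings = []
    for (app, hour), b in sorted(hourly(review).items()):
        reasons = []
        if app not in peak:
            reasons.append("app has no baseline")
        else:
            if b["rows"] > factor * peak[app]:
                reasons.append(f"{b['rows']} rows vs baseline peak {peak[app]}")
            new_ips = sorted(b["ips"] - known_ips[app])
            if new_ips:
                reasons.append("new source IP " + ", ".join(new_ips))
        if reasons:
            findings.append((app, hour.isoformat(), reasons))
    return findings

if __name__ == "__main__":
    print(*find_anomalies(BASELINE, REVIEW), sep="\n")
```

The `factor` threshold is a starting point; tune it against a baseline window long enough to include the integration's legitimate sync peaks.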
