Klue Hack Exposes Cybersecurity Firms’ Data Breach Impact
At least nine organizations have disclosed the effects of a supply chain attack targeting Klue, compromising Salesforce data.
Overview of the Supply Chain Attack
The breach occurred between June 11 and 12, compromising Klue’s integration with Salesforce and leading to the unauthorized extraction of data from the Salesforce instances of multiple Klue customers, including several cybersecurity firms. Klue confirmed that attackers exploited compromised legacy credentials to infiltrate its systems, enabling them to obtain OAuth tokens used for connecting Klue to third-party platforms like Salesforce. This access allowed the threat actors to retrieve data within the affected customer environments.
Data Accessed and Integration Suspensions
The attackers accessed business information from the Salesforce CRMs of the affected organizations, including sales account details and contact data such as names, addresses, job titles, phone numbers, and business addresses. Salesforce suspended the Klue integration following the incident, and the revenue intelligence platform Gong took similar action on Friday, stating that the attackers leveraged the Klue integration to access internal licensed user data.
Actions Taken by Klue and Partners
Klue has since revoked the compromised credentials and tokens, disabled integrations across multiple services, and is collaborating with CrowdStrike and law enforcement to investigate the incident. Klue stated that the breach was confined to the affected third-party platforms and that no customer data stored directly within the Klue platform was compromised.
Responses from Affected Organizations
All affected organizations emphasized that the intrusion was restricted to Salesforce instances and did not affect their internal systems, as noted by Klue in its incident report. Gong clarified that there was no direct impact on call recordings or customer transcripts, though user names, business titles, and email addresses were among the data accessed.
Implications and Lessons Learned
The breach has prompted heightened scrutiny of third-party integrations and credential management practices, underscoring the risks associated with supply chain vulnerabilities. Huntress, in its analysis, linked the attack to a threat actor known as Icarus. Subsequently, Icarus added Klue to its Tor-based leak site, asserting responsibility for the breach and threatening to release the stolen data from Klue customers’ Salesforce instances by June 22 unless negotiations with Klue and the affected organizations occur.
Summary of Affected Organizations
Nine Klue customers have reported impacts from the incident, including cybersecurity firms such as HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, and Tanium. Additional entities like Insurity and Sprout Social also informed their clients of the breach.
