A recent security breach at market intelligence platform Klue has resulted in the theft of OAuth tokens used to access customers’ Salesforce environments by threat actors belonging to the new “Icarus” extortion group.
Cybersecurity firms Huntress and ReliaQuest have revealed that attackers exploited compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations.
Klue CEO Jason Smith confirmed the unauthorized activity on June 12, stating that it affected a portion of Klue’s integration infrastructure. The company has been working with cybersecurity experts to investigate the incident and support affected customers.
Smith mentioned that the attacker gained access through a compromised legacy credential associated with an integration service, allowing them to obtain OAuth tokens used to connect Klue with third-party platforms like Salesforce.
Klue reassured its customers that no data stored directly within the Klue platform was compromised, and the incident was limited to third-party integrations.
The company took immediate action by revoking affected credentials and tokens, removing unauthorized code, disabling impacted integrations, launching an investigation, and engaging CrowdStrike for assistance.
ReliaQuest and Huntress discovered that the attackers used stolen OAuth credentials to access customer Salesforce environments and conduct data theft on a large scale.
Huntress disclosed that its own Salesforce environment was affected by the breach, leading to the theft of business contacts, sales communications, pricing information, and other records.
The Icarus extortion group, previously linked to the incident by BleepingComputer and Huntress, has now publicly claimed responsibility on its data leak site.

The threat actors are pressuring Klue and affected organizations to contact them through the Session messaging platform to prevent the leaking of stolen data.
Multiple organizations, including Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, have confirmed being victims of the attack, with data stolen from their Salesforce instances.
While internal systems were not affected, the stolen business contact information could be used for phishing, social engineering, and extortion attempts, prompting organizations to advise customers to remain vigilant.