A supply chain attack targeting Klue, a competitive intelligence platform, has led to the theft of Salesforce data from multiple entities, including several cybersecurity vendors.
Klue disclosed that threat actors had gained unauthorized access to part of its integration infrastructure in June after compromising a legacy credential linked to a backend system.
“Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce,” Klue said.
According to incident investigations published by Huntress and other affected companies, the stolen tokens were then used to access customer Salesforce environments and exfiltrate CRM data directly from victim systems.
Huntress said the attack began around June 11 and involved unauthorized code updates to Klue’s integration services.
Leveraging trusted application permissions
Several security companies have confirmed they were affected. Huntress, Recorded Future, and Tanium all disclosed that data from their Salesforce environments was accessed via the compromised Klue integration. Recorded Future said it informed customers and partners after determining that information stored within its Salesforce instance may have been exposed.
Tanium said the incident did not involve a compromise of its internal systems, but rather the unauthorized access and exfiltration of CRM data stored in Salesforce through the Klue-connected application.
Security researchers noted that the attack is another example of malefactors targeting SaaS integrations and OAuth connections instead of attacking cloud platforms directly.
The compromise allowed attackers to leverage trusted application permissions to access customer data without exploiting a vulnerability in Salesforce itself.
“We immediately took steps to contain the activity, including revoking affected credentials and tokens, removing unauthorized code, disabling potentially impacted integrations, launching a comprehensive investigation, and notifying law enforcement,” Klue said in an update.
Salesforce has reportedly disabled the affected Klue integration while investigations continue.
Organizations that used Klue’s Salesforce integration have been advised to revoke and rotate OAuth tokens, review connected applications, and investigate Salesforce audit logs for suspicious activity.
This method is becoming the dominant way data leaves the enterprise
Sunil Gottumukkala, CEO at Averlon, says: “This is the same pattern we saw with the Salesloft Drift attack, where stolen OAuth tokens were used to pull data from Salesforce and Google Workspace. This method is becoming the dominant way data leaves the enterprise: not through your perimeter, but through an approved SaaS integration.
“A compromised legacy credential at Klue gave attackers OAuth tokens into hundreds of customers’ Salesforce instances, which they used to impersonate the app and exfiltrate competitive intelligence and customer data. Your security is now only as strong as the third-party apps you have granted standing access to your CRM, and most teams don’t actively track those integrations.”
Gottumukkala added: “The immediate work is to inventory every OAuth integration into your SaaS, revoke what you don’t need, scope what you keep, and watch for anomalous token activity. And since the stolen data includes contact and sales detail, expect targeted phishing next. Warn your customers and employees before the attacker reaches them.”
John Strand, Owner of Black Hills Information Security, comments: “This is just a preview of the coming SaaS apocalypse. As AI accelerates offensive cyber operations across threat actors, from nation-states to militias, the risk is no longer limited to organizations building new AI-driven SaaS applications. Attackers are increasingly turning existing SaaS platforms into centralized points of failure, allowing them to exploit multiple customers simultaneously.”
This particular attack pattern has been successfully commoditized
Denis Calderone, CTO at Suzu Labs, says: “Three Salesforce OAuth supply chain attacks in under a year, from two different threat actors, using the same playbook. Salesloft, Gainsight, and now Klue. Icarus is a brand-new extortion group, active since late April, and they executed the exact same technique that ShinyHunters ran through Gainsight back in November. Compromise the integration vendor, harvest OAuth tokens, query the Salesforce REST API with automated scripts, exfiltrate CRM data in bulk.”
Calderone says at this point, we have to accept that this particular attack pattern has been successfully commoditized. “What’s got our attention is how many security vendors are on the victim list. Huntress, Recorded Future, Tanium, HackerOne, Kudelski Security, Snyk, Jamf. The data sitting in their Salesforce instances includes competitive battlecards, pricing strategy, customer contacts, deal sizes, and sales communications. We expect to see some highly targeted spear-phishing campaigns as a result of this data. The attacker has access to real data that only an insider would know.”
He says it’s important to highlight the root cause here. “Huntress traced initial access back to a single credential Klue created for a prototype third-party integration they never actually deployed. One forgotten API key got the attacker into Klue’s backend. From there, they pushed a malicious code update that harvested the OAuth tokens of all connected customers at once. So one dormant credential that nobody remembered existed opened the door to 300 organizations’ CRM environments in a single operation.”
Rotate every OAuth token tied to that integration
Calderone advises Klue customers to rotate every OAuth token tied to that integration, and not limit themselves to Salesforce. “Klue also integrated with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The confirmed bulk exfiltration targeted Salesforce, but the token harvest covered all connected platforms.
“If Klue had an OAuth connection into your Slack, your Google Drive, or anything else, treat those tokens as compromised and rotate them now. Every organization needs to audit connected apps for dormant integration credentials and build automated alerts on abnormal API query volume from third-party services. If a connected app that normally syncs a few hundred records starts pulling thousands of queries in minutes, that’s your early warning.”
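The early-warning heuristic Calderone describes, as an added example that is not part of the article or any vendor's tooling: it baselines each connected app's own per-window API volume and flags a window that exceeds that baseline by a large factor. The event record layout, the app names and the thresholds are assumptions; the events are constructed, not real Salesforce logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from statistics import median

def detect_bulk_pulls(events, window_minutes=10, factor=10, floor_rows=500):
    """Flag (app, window) pairs whose returned-row volume exceeds `factor` times
    that app's own median per-window volume. `floor_rows` stops a quiet app from
    alerting on trivial noise. Each event (assumed layout): {"timestamp": aware
    datetime, "app": connected app name, "rows": rows returned by the call}."""
    win = window_minutes * 60
    totals = defaultdict(lambda: defaultdict(lambda: [0, 0]))  # app -> window -> [calls, rows]
    for ev in events:
        epoch = int(ev["timestamp"].timestamp())
        counter = totals[ev["app"]][epoch - epoch % win]
        counter[0] += 1
        counter[1] += ev["rows"]
    alerts = []
    for app, windows in totals.items():
        # Baseline is the app's own median window, so a noisy app is judged against itself
        baseline = max(median(rows for _, rows in windows.values()), floor_rows)
        for start, (calls, rows) in sorted(windows.items()):
            if rows > factor * baseline:
                alerts.append({"app": app, "calls": calls, "rows": rows,
                               "baseline_rows": baseline,
                               "window_start": datetime.fromtimestamp(start, tz=timezone.utc)})
    return alerts

def constructed_events():
    """Constructed sample traffic (not real Salesforce logs): two hypothetical
    connected apps doing routine syncs, one of which also pulls a bulk batch."""
    t0 = datetime(2025, 6, 11, 0, 5, tzinfo=timezone.utc)  # date only echoes the article's timeline
    events = []
    for i in range(36):  # six hours of routine syncs: one small call every 10 minutes
        events.append({"timestamp": t0 + timedelta(minutes=10 * i), "app": "ci-sync-app", "rows": 100})
        events.append({"timestamp": t0 + timedelta(minutes=10 * i), "app": "support-sync", "rows": 50})
    burst = datetime(2025, 6, 11, 6, 0, tzinfo=timezone.utc)
    for i in range(30):  # the anomaly: 30 calls of 2,000 rows inside one ten-minute window
        events.append({"timestamp": burst + timedelta(seconds=20 * i), "app": "ci-sync-app", "rows": 2000})
    return events

if __name__ == "__main__":
    for alert in detect_bulk_pulls(constructed_events()):
        print(f"{alert['app']}: {alert['calls']} calls / {alert['rows']} rows starting "
              f"{alert['window_start']:%H:%M} UTC (baseline {alert['baseline_rows']} rows per window)")
```

In production the events would come from Salesforce's API event logs keyed by connected app, and the baseline should be computed over a longer history than a single window set.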
Specialized business platforms become aggregate targets for corporate espionage
Damon Small, Board of Directors at Xcape, adds: “This third-party compromise highlights a severe operational risk where specialized business platforms become aggregate targets for corporate espionage, exposing the strategic playbooks of the cybersecurity sector itself. By exploiting Salesforce-linked integrations, attackers bypassed external perimeters to directly access sensitive competitive analysis, product intelligence, and customer data.”
Small says, for security executives, this incident demonstrates that non-core software vendors often possess highly privileged pathways into primary data repositories. “To contain this exposure, organizations must immediately catalog all API and OAuth integrations connected to their central Customer Relationship Management systems. Teams should prioritize revoking obsolete or over-privileged third-party tokens, implementing strict scoping boundaries on automated data access, and establishing anomaly detection baselines for bulk data exports conducted by integrated applications.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.