
Klue Breach Enables Hackers to Compromise Cybersecurity Firms

By Team-CWD, June 22, 2026


Several companies have disclosed that they were affected by a breach of business intelligence provider Klue, including a number of cybersecurity firms.

Huntress, Recorded Future, Jamf and Tanium have all acknowledged using Klue’s intelligence services and confirmed that the breach enabled unauthorized access to their Salesforce accounts via stolen OAuth tokens used for Klue integrations.

Klue Battlecards Breach and Salesforce OAuth Token Abuse

According to an official statement published by Klue’s CEO, Jason Smith, on June 19, the company detected an intrusion on June 12.

An unauthorized actor gained access to Klue’s integration infrastructure, notably the Klue Battlecards app, through a compromised legacy credential. They used this access to obtain OAuth tokens (secure digital keys that allow an application to access a firm’s data on another service without needing a password) and connect Klue to third-party platforms, including Salesforce.

They then accessed Klue customer data and leveraged the stolen OAuth tokens to impersonate Klue within those connected Salesforce environments, exfiltrating sensitive customer information before the activity was detected and contained.

Klue’s Smith said the company immediately responded by revoking affected credentials and tokens, removing unauthorized code and disabling potentially impacted integrations.

Klue also notified law enforcement and launched an internal investigation and a comprehensive review of its security controls. It has now engaged CrowdStrike to support the forensic work.

Customers have been regularly updated about what happened and provided with remediation guidance through various channels.

Salesforce also notified the public on June 17 that it had disabled the Klue Battlecards integration.

Klue Breach Affects Cybersecurity Firms

In customer-facing blog posts, Huntress, Recorded Future, Jamf and Tanium confirmed that while the breach originated through Klue’s infrastructure, their own products and services remained unaffected.

Tanium reassured customers that “there was no impact on our ability to serve them.”

Meanwhile Jamf stated, “We have no evidence of lateral movement and have contained the incident on our end.”

However, Huntress warned that customer data may have been compromised, including business names, products trialed/used, subscription details, business contact information and marketing and sales communications.

Jamf also warned customers about potential phishing campaigns leveraging the stolen Salesforce data, advising vigilance against malicious actors posing as Jamf employees.

Recorded Future disabled Klue’s integration and conducted a forensic analysis, emphasizing the need for continuous monitoring of third-party integrations. The company said, “This incident underscores the critical need for continuous monitoring of third-party integrations, especially those with privileged access to sensitive data.”
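One way to apply the kind of integration monitoring described above, as an added example that is not from the article or from any company it names: flag use of an integration's OAuth token from outside the vendor's expected networks, calls by unregistered integrations, and unusual read volume. The event layout, the integration names, the baseline values and the function name are constructed for illustration and are not a real Salesforce log schema.

```python
import ipaddress
from collections import defaultdict

# Constructed baseline: networks each approved integration is expected to call
# from, and an hourly ceiling on records read (documentation IP ranges only).
BASELINE = {
    "vendor-integration": {"networks": ["192.0.2.0/24"],
                           "max_records_per_hour": 5000},
}

# Constructed sample events: (hour, integration, source IP, records returned).
SAMPLE_EVENTS = [
    ("2026-01-10T09", "vendor-integration", "192.0.2.15", 1200),
    ("2026-01-10T10", "vendor-integration", "192.0.2.15", 900),
    ("2026-01-11T02", "vendor-integration", "203.0.113.77", 800),
    ("2026-01-11T03", "vendor-integration", "192.0.2.20", 4000),
    ("2026-01-11T03", "vendor-integration", "192.0.2.20", 3500),
    ("2026-01-11T04", "unknown-app", "198.51.100.9", 10),
]


def find_anomalies(events, baseline):
    """Return (hour, integration, reason) tuples for events that break the baseline."""
    findings = []
    volume = defaultdict(int)
    for hour, app, ip, records in events:
        profile = baseline.get(app)
        if profile is None:
            # An integration nobody approved is calling the API.
            findings.append((hour, app, "unregistered integration"))
            continue
        addr = ipaddress.ip_address(ip)
        nets = [ipaddress.ip_network(n) for n in profile["networks"]]
        if not any(addr in net for net in nets):
            # A valid token presented from a network the vendor does not use.
            findings.append((hour, app, f"token used from unexpected address {ip}"))
        volume[(hour, app)] += records
    # Per-hour totals catch bulk reads even when the source address looks normal.
    for (hour, app), total in sorted(volume.items()):
        if total > baseline[app]["max_records_per_hour"]:
            findings.append((hour, app, f"read volume {total} exceeds hourly ceiling"))
    return findings


if __name__ == "__main__":
    for finding in find_anomalies(SAMPLE_EVENTS, BASELINE):
        print(finding)
```

The volume check matters because a stolen token replayed through the vendor's own infrastructure would pass the address check.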

ReliaQuest was the first to detect the suspicious activity and alerted Klue. However, the company told Infosecurity that it does not use Klue and was not affected by the breach.

Commenting on how the attackers exploited OAuth tokens to pivot into connected Salesforce environments, the firm said: “The adversary’s ability to move laterally from a compromised integration to a customer’s CRM demonstrates the evolving tactics of modern threat actors.”

Non-cybersecurity firms were also affected, including insurance service provider Insurity and social media analytics platform Sprout Social.

The breach was claimed on June 19 by Icarus, a recently identified cyber extortion group. Icarus has just three victims listed on its data leak site, according to ransomware tracking website Ransomware.live.

On June 20, the group issued a deadline message to all Klue clients it claims to have contacted, warning that they have until June 22 to respond before their data is released.

This article was updated on June 22 to add ReliaQuest’s comments, highlighting that the company has not been affected by the Klue breach.
