A major cybersecurity incident has shaken the industry's reliance on market intelligence providers and middleware services, as a sophisticated supply chain attack on Klue compromised Salesforce data across at least nine organizations, including several high-profile cybersecurity firms. The breach, attributed to the Icarus extortion group, highlights the growing danger of supply-chain risk, where hackers target companies that hold the keys to other organizations' cloud databases.
What Happened
The attack on Klue began on June 11-12, when threat actors gained unauthorized access to the company's integration infrastructure using a compromised legacy credential tied to an integration service account. Leveraging this foothold, the attackers pushed a malicious code update to harvest OAuth tokens, which allowed them to connect with customers' third-party platforms, most critically Salesforce. Klue identified the unauthorized activity on June 12 and notified customers the same day, immediately revoking affected credentials and disabling integrations with various cloud services.
Once inside, attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data, executing nearly 1,000 API queries in just 15 minutes during peak activity. The stolen data primarily consisted of business contact information, including names, email addresses, phone numbers, job titles, and some account details, from Salesforce databases.
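The burst described above, nearly 1,000 REST API queries in 15 minutes from a single integration's OAuth token, is the kind of pattern a defender can flag in Salesforce API event monitoring. The following is an added illustration, not code from the article, Klue or Salesforce: it counts API calls per connected app in a sliding 15-minute window and reports any app that exceeds a threshold. The app names, threshold and event records are constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Salesforce-style REST API event records (not real logs).
# One third-party integration fires 600 query calls a second apart; an ordinary
# interactive client makes five calls spread over forty minutes.
def build_sample_events():
    base = datetime(2025, 6, 12, 1, 0, 0)  # constructed timestamp
    events = []
    for i in range(600):
        events.append({"timestamp": base + timedelta(seconds=i),
                       "connected_app": "ThirdPartyIntegration",  # constructed name
                       "uri": "/services/data/v59.0/query"})
    for i in range(5):
        events.append({"timestamp": base + timedelta(minutes=10 * i),
                       "connected_app": "InteractiveClient",  # constructed name
                       "uri": "/services/data/v59.0/sobjects/Contact"})
    return events


def find_burst_apps(events, window=timedelta(minutes=15), threshold=500):
    """Return {connected_app: peak_count} for every app whose call count inside
    any sliding window of length `window` exceeds `threshold`."""
    by_app = defaultdict(list)
    for e in sorted(events, key=lambda e: e["timestamp"]):
        by_app[e["connected_app"]].append(e["timestamp"])

    flagged = {}
    for app, times in by_app.items():
        win = deque()   # timestamps inside the current window
        peak = 0
        for t in times:
            win.append(t)
            while t - win[0] > window:   # drop calls older than the window
                win.popleft()
            peak = max(peak, len(win))
        if peak > threshold:
            flagged[app] = peak
    return flagged


if __name__ == "__main__":
    for app, peak in find_burst_apps(build_sample_events()).items():
        print(f"ALERT: {app} made {peak} API calls within one 15-minute window")
```

In practice the threshold should be tuned per connected app against its normal baseline, since a legitimate bulk sync can also be bursty; the point is that an integration token suddenly exceeding its usual rate deserves review.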
Background and Context
Klue is a Canadian market intelligence provider that offers software as a service (SaaS) to businesses, helping them track rivals and study their market. The company's tool plugs into customers' own data systems, including Salesforce, which stores sensitive customer information. This type of attack exploits a single point of weakness to target many organizations at once, a growing trend in the threat landscape.
Similar attacks have occurred with Gainsight and Salesloft, showing how a single point of failure can compromise hundreds of organizations. The Icarus extortion group has claimed responsibility for the breach, threatening to publish the stolen data unless a ransom is paid. Klue has engaged incident response firm CrowdStrike and disconnected integrations to limit further damage.
Why it Matters to the Industry
The breach highlights the vulnerability of digital supply chains and the importance of robust security controls in middleware services. Companies that rely on market intelligence providers like Klue must be aware of the risks associated with legacy credentials and inadequate access controls. The incident underscores the need for regular security audits, employee education, and incident response planning to mitigate the impact of such attacks.
The affected companies include several high-profile cybersecurity firms, including Huntress, HackerOne, Jamf, and Recorded Future. These organizations have confirmed that their data was stolen during the breach, but emphasized that their own products and services remained unaffected. The incident serves as a reminder that even strong companies can be hit through a smaller vendor or partner.
What Comes Next
Klue has notified law enforcement and launched an internal investigation into the breach. The company has also engaged CrowdStrike to support the forensic investigation and has provided customers with remediation guidance. Salesforce has disabled the Klue Battlecards integration, and affected companies are working to contain the incident and prevent further damage.
Key Facts
- The attack on Klue compromised Salesforce data across at least nine organizations, including several high-profile cybersecurity firms.
- The breach was attributed to the Icarus extortion group, which threatened to publish the stolen data unless a ransom is paid.
- Attackers used a compromised legacy credential tied to a Klue integration service account to gain unauthorized access to Klue's integration infrastructure.
- Attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data, executing nearly 1,000 API queries in just 15 minutes during peak activity.
- The stolen data primarily consisted of business contact information from Salesforce databases.
- Klue has engaged incident response firm CrowdStrike and disconnected integrations to limit further damage.