The market intelligence platform Klue has confirmed a security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments, affecting hundreds of organizations including several cybersecurity companies.

What Happened

The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the Klue platform, obtain OAuth tokens for customers' Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration.

According to a statement published by Klue CEO Jason Smith, the company discovered unauthorized activity on June 12 affecting part of Klue's integration infrastructure. The investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service and used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce.

Klue says there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third-party integrations. The company has revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement. Klue also confirmed it engaged CrowdStrike to assist with the response.

Background and Context

Klue provides market intelligence to more than 250,000 users worldwide, and its platform is integrated with various third-party services, including Salesforce. The OAuth tokens stolen by hackers were used to connect Klue with customers' Salesforce environments, allowing the attackers to access sensitive data.

The incident has been linked to a new extortion group called Icarus, which claimed responsibility for the hack via an entry on their dark web leak site. Icarus is trying to extort Klue and has also warned companies that if the platform doesn't pay, they should reach out to them as well to avoid having the stolen data leaked.

Several cybersecurity companies have confirmed that they were affected by the breach, including Huntress, Recorded Future, Snyk, Jamf, Gong, HackerOne, Kudelski Security, and Sprout Social. These companies reported that their Salesforce data was accessed and downloaded by hackers, but there is no indication that any of their products or infrastructure were compromised.

Why it Matters to the Industry

The Klue breach highlights the importance of secure integration practices in the adult industry. Many platforms rely on third-party integrations to provide services to customers, and a single vulnerability can have far-reaching consequences. The incident also underscores the need for robust security measures, including regular monitoring and incident response planning.

For adult-industry platform operators, this breach serves as a reminder of the importance of secure integration practices and the potential risks associated with relying on third-party services. It is essential to implement robust security measures, monitor integrations closely, and have an incident response plan in place to mitigate the impact of such incidents.

What Comes Next

Klue has disconnected all its integrations with Salesforce, Gong, HubSpot, SharePoint, and other services. The company is working with CrowdStrike to investigate the incident further and notify affected customers. Icarus has threatened to leak the stolen data unless a ransom is paid, but it is unclear whether the group will follow through on this threat.

The incident has also raised questions about the security of Salesforce integrations and the potential for similar breaches in the future. As the adult industry continues to rely on third-party services, it is essential to prioritize secure integration practices and implement robust security measures to prevent such incidents from occurring.

Key Facts

  • Klue confirmed a security incident that allowed threat actors to steal OAuth tokens used to connect to customers' Salesforce environments.
  • The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the Klue platform.
  • Several cybersecurity companies have confirmed that they were affected by the breach, including Huntress, Recorded Future, Snyk, Jamf, Gong, HackerOne, Kudelski Security, and Sprout Social.
  • Klue has disconnected all its integrations with Salesforce, Gong, HubSpot, SharePoint, and other services.
  • The incident has been linked to a new extortion group called Icarus, which claimed responsibility for the hack via an entry on their dark web leak site.