'Compromised Legacy Credential' Wielded by Extortion Group Calling Itself Icarus (euroinfosec) • June 19, 2026
Marketing intelligence platform Klue confirmed that an attacker breached its infrastructure and obtained OAuth access tokens for integrated services, using them to steal customers' Salesforce and Gong data.
Klue on Thursday said it spotted the breach on June 12 and hired CrowdStrike to investigate. The company said the attack resulted in access to a system used to integrate with multiple cloud-based marketing and sales platforms (see: Attackers Steal Salesforce Data From Klue Battlecards Users).
"We immediately took steps to contain the activity, including revoking affected credentials and tokens, removing unauthorized code, disabling potentially impacted integrations, launching a comprehensive investigation and notifying law enforcement," according to a blog post signed by Klue CEO Jason Smith.
"Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments," Smith said.
The attack first came to light publicly on Wednesday, when Salesforce announced that it had suspended all integrations from the Klue Battlecards app to its platform, following "unauthorized access to a subset of customer data via the app's connection to Salesforce."
"We are continuing to work directly with affected customers and Klue," said Salesforce, stating that "this issue is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform."
Vancouver, British Columbia-based Klue offers a competitive intelligence platform, backed by artificial intelligence capabilities, that's designed to help customers run win-loss sales programs. Klue has yet to specify how many organizations fell victim to the attack, but did say it's reviewing its security posture and promised to strengthen it wherever possible.
Multiple Klue customers who are also security firms on Thursday reported falling victim to the Salesforce data theft. These include Huntress, Jamf, Recorded Future and Tanium. All reported finding no signs that attackers accessed anything except for Salesforce data.
Managed security service provider Huntress said Klue rapidly notified customers about the attack and has been publishing direct updates. Huntress also said its employees received ransom notes on Tuesday containing a threat to leak the data unless they began ransomware negotiations within 48 hours.
An extortion group calling itself Icarus, which claims to have been active since April 28, has listed Klue as a victim on its darknet data-leak site. "As you've probably already heard, Klue.com has been impacted by us recently. A number of other companies' Salesforce instances, which were partners to Klue, were exfiltrated," reads a post to the Icarus data leak blog.
The listing demands Klue "contact us for a swift resolution, in order not to affect the companies you work with," adding that if Klue doesn't pay a ransom, the extortionists will continue to shake down individual victims.
Huntress said the ransom emails list a Session Messenger ID for contacting the group which matches the values listed on the Icarus site.
Security experts urge companies to never pay a ransom over any type of data theft, or even to engage in communications with extortionists, warning that escalatory tactics - including distributed-denial-of-service attacks and swatting executives - can result. The rise of more targeted, invasive pressure tactics appears to parallel a steep decline since 2024 in criminal profits from data-extortion campaigns (see: Victims Are Rebuffing Ransomware Mass Data Theft Campaigns).
Seeing CRM data posted online can be embarrassing, but such data often largely comprises customer and prospect details, and occasionally contract information or intelligence, which often wouldn't be regarded as being highly sensitive.
Even so, the data might still be useful to attackers, leading affected security firms to warn customers to watch out for spam, phishing attacks and other forms of social engineering. "Leveraging the contact information stored within Salesforce," attackers "may pose as legitimate Jamf employees and IT professionals," Jamf said.
How many third-party services Icarus breached using stolen OAuth tokens isn't clear. Huntress said that Klue told customers that it's temporarily suspended integrations between its app and not only Salesforce, but also Chorus, Clari, Gong, Google Drive, HubSpot, SharePoint, Slack App and Zoom. So far, customers have reported the theft only of Salesforce data and of data from their revenue intelligence platform Gong.
Huntress said Klue customers should "consider revoking all active sessions for known-affected services in order to invalidate any potentially compromised sessions."




























