Klue, a market intelligence platform, was breached on June 11 through a single dormant API credential originally created for an abandoned integration prototype.
Attackers pushed malicious code that harvested OAuth tokens from every customer connected to Klue's Battlecards integration.
Those tokens gave direct access to Salesforce, HubSpot, SharePoint, Zoom, Gong, Slack — and the attackers used them for 24 hours of bulk data extraction before anyone noticed.
The victim list reads like a who's who of enterprise security: Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity.
Huntress confirmed business contacts, price quotes, and sales communications were stolen. No threat data. No infrastructure. Just the CRM data your sales team lives in.
Salesforce disabled the Klue app connection on June 16. The extortion group "Icarus" — active since April — began emailing victims with 48-hour deadlines.
This is the third major OAuth-abuse campaign targeting Salesforce integrations in 18 months. Drift. Gainsight. Now Klue. Same pattern. Different vendor. Same blind spot.
Your CISO maps network boundaries. Your SOC monitors endpoints. But nobody is watching the OAuth tokens your SaaS integrations quietly generate and store.
Audit every third-party app with OAuth access to your core platforms today. Revoke tokens you cannot account for. The next breach won't come through your firewall. It'll come through an integration your sales team installed without asking.
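As an added illustration of that audit (example code written for this page, not from Huntress, Klue or any vendor named above), the script below reviews an inventory of third-party OAuth grants and flags the ones a security team should revoke or account for: grants with no accountable owner, grants to apps not on an approved list, grants idle beyond a dormancy threshold (the kind of forgotten prototype credential described above), and grants carrying broad scopes. The inventory fields, the 90-day threshold, the scope names and the sample grants are all constructed assumptions; real data would come from each platform's connected-app listing.

```python
"""Review an inventory of third-party OAuth grants and flag what to revoke.

Added example for this page; the grant record layout, thresholds and
sample data are constructed assumptions, not any vendor's real schema.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple


@dataclass(frozen=True)
class OAuthGrant:
    app: str                    # third-party app holding the token
    platform: str               # system the token can reach (CRM, chat, docs, ...)
    owner: Optional[str]        # accountable person or team; None = nobody claims it
    scopes: Tuple[str, ...]     # scopes granted at authorization time
    created: date               # when the grant was issued
    last_used: Optional[date]   # None = never used since issuance


# Illustrative scope names that allow bulk read or silent token refresh.
BROAD_SCOPES: Set[str] = {"full", "api", "refresh_token", "read_all", "offline_access"}
# A grant idle longer than this is treated as dormant (assumed policy value).
DORMANT_AFTER = timedelta(days=90)


def review_grants(grants: Iterable[OAuthGrant], today: date,
                  approved_apps: Set[str]) -> List[Dict]:
    """Return one finding per grant needing action; clean grants are omitted.

    action is "revoke" when the grant is unowned, unapproved or dormant,
    and "review" when its only issue is a broad scope held by a known owner.
    """
    findings: List[Dict] = []
    for g in grants:
        reasons: List[str] = []
        must_revoke = False
        if g.owner is None:
            reasons.append("no accountable owner")
            must_revoke = True
        if g.app not in approved_apps:
            reasons.append("app not on the approved-integration list")
            must_revoke = True
        # A never-used token is measured from its creation date.
        idle = today - (g.last_used or g.created)
        if idle > DORMANT_AFTER:
            reasons.append(f"dormant for {idle.days} days")
            must_revoke = True
        broad = BROAD_SCOPES & set(g.scopes)
        if broad:
            reasons.append("broad scopes: " + ", ".join(sorted(broad)))
        if reasons:
            findings.append({
                "app": g.app,
                "platform": g.platform,
                "action": "revoke" if must_revoke else "review",
                "reasons": reasons,
            })
    return findings


# Constructed sample inventory and review date (not real grants).
TODAY = date(2025, 6, 11)
APPROVED_APPS: Set[str] = {"helpdesk-bot", "dialer", "legacy-export"}
SAMPLE_GRANTS = [
    # Abandoned prototype: no owner, never used, broad scopes.
    OAuthGrant("prototype-sync", "crm", None, ("api", "refresh_token"),
               date(2024, 11, 2), None),
    OAuthGrant("helpdesk-bot", "chat", "it-ops", ("chat:write",),
               date(2025, 1, 15), date(2025, 6, 10)),
    OAuthGrant("dialer", "crm", "sales-ops", ("api",),
               date(2025, 3, 1), date(2025, 6, 9)),
    OAuthGrant("legacy-export", "docs", "data-team", ("sites.read",),
               date(2025, 1, 5), date(2025, 2, 1)),
]

if __name__ == "__main__":
    for f in review_grants(SAMPLE_GRANTS, TODAY, APPROVED_APPS):
        print(f"{f['action'].upper():6} {f['app']} ({f['platform']}): "
              + "; ".join(f["reasons"]))
```

Run as-is it prints three findings: the unowned prototype grant and the idle export grant are marked for revocation, while the owned, recently used dialer grant with a broad scope is only flagged for review. In practice the inventory would be rebuilt from each platform's connected-app list on a schedule, and the "revoke" rows fed back to that platform's admin.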
SOURCE: https://www.huntress.com/blog/klue-breach-investigation
VERIFIED: Huntress blog (June 18), BleepingComputer (June 18-19), Help Net Security (June 19), ReliaQuest (June 17)
SIGNAL: Supply chain attacks on SaaS integrations are now the primary vector for enterprise data theft. Your OAuth token inventory is your new attack surface.
Enterprise AI Impact