Klue says hackers stole a credential from 2022 that led to pwnage

Klue disclosed a cybersecurity incident affecting hundreds of customers including Recorded Future, Tanium, HackerOne, Kudelski Security, Insurity, and Huntress, after attackers gained unauthorized access to data stored within the company’s environment. That you know. But what you may not know is that the credential used in the attack may date back to 2022:

Market research company Klue has confirmed that a credential dating back to 2022, which was part of a limited pilot, was used by hackers earlier this month to steal reams of data from its corporate customers, including several cybersecurity companies.

The new detail suggests that Klue may have had years to decommission the credential that was used for the pilot, raising questions about the company’s security posture and what actions it could have taken to prevent the breaches of its customers’ data.

Sunil Gottumukkala, CEO, Averlon had this to say:

   “This is the same pattern we saw with the Salesloft Drift attack, where stolen OAuth tokens were used to pull data from Salesforce and Google Workspace. This method is becoming the dominant way data leaves the enterprise: not through your perimeter, but through an approved SaaS integration.

   “A compromised legacy credential at Klue gave attackers OAuth tokens into hundreds of customers’ Salesforce instances, which they used to impersonate the app and exfiltrate competitive intelligence and customer data. Your security is now only as strong as the third-party apps you have granted standing access to your CRM, and most teams don’t actively track those integrations.

   “The immediate work is to inventory every OAuth integration into your SaaS, revoke what you don’t need, scope what you keep, and watch for anomalous token activity. And since the stolen data includes contact and sales detail, expect targeted phishing next. Warn your customers and employees before the attacker reaches them.”
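The inventory-revoke-scope step above is the kind of thing that gets skipped because nobody owns the list. As an added example (my own code, not anything from the post, from Klue, or from Averlon), here is a small triage script that runs over a constructed export of connected OAuth apps and sorts each one into the three buckets the comment describes: dormant (revoke), standing broad access (scope down), or unowned (assign or revoke). The record fields, the scope names, the 90-day dormancy threshold and the sample apps are all assumptions; substitute whatever your SaaS admin console actually exports.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample export of connected OAuth apps (not real data). The
# field names are assumptions; map your own platform's export onto them.
CONNECTED_APPS = [
    {"app": "crm-sync-prod", "owner": "sales-ops",
     "scopes": ["api", "refresh_token"],
     "created": "2024-03-02", "last_used": "2026-05-12"},
    {"app": "vendor-pilot-2022", "owner": "",
     "scopes": ["full", "refresh_token"],
     "created": "2022-06-15", "last_used": "2022-09-30"},
    {"app": "support-widget", "owner": "it",
     "scopes": ["openid", "email"],
     "created": "2025-01-10", "last_used": "2026-05-13"},
]

DORMANT_DAYS = 90
# Hypothetical grouping of scope names that grant broad read access to data.
BROAD_SCOPES = {"full", "web", "api"}


def _as_utc(day: str) -> datetime:
    """Parse a YYYY-MM-DD export field as a UTC timestamp."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)


def triage(apps, now=None, dormant_days=DORMANT_DAYS):
    """Return (app, [reasons]) for every app that needs an action.

    - no activity within dormant_days      -> revoke
    - refresh_token plus a broad scope     -> standing access, scope down
    - no named owner                        -> assign an owner or revoke
    """
    now = now or datetime.now(timezone.utc)
    findings = []
    for a in apps:
        reasons = []
        if now - _as_utc(a["last_used"]) > timedelta(days=dormant_days):
            reasons.append("dormant: revoke")
        if "refresh_token" in a["scopes"] and BROAD_SCOPES & set(a["scopes"]):
            reasons.append("standing broad access: scope down")
        if not a["owner"].strip():
            reasons.append("no owner: assign or revoke")
        if reasons:
            findings.append((a["app"], reasons))
    return findings


if __name__ == "__main__":
    for app, reasons in triage(CONNECTED_APPS):
        print(f"{app}: {'; '.join(reasons)}")
```

The point of the "standing broad access" rule is that a refresh token with a broad scope is exactly the shape of credential the comment is warning about: it keeps working with no human in the loop. Apps that land in that bucket but are genuinely needed should be narrowed to the objects they actually read rather than left as-is.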

John Strand, Owner, Black Hills Information Security, Inc. provided this comment:

   “This is just a preview of the coming SaaS apocalypse. As AI accelerates offensive cyber operations across threat actors, from nation-states to militias, the risk is no longer limited to organizations building new AI-driven SaaS applications. Attackers are increasingly turning existing SaaS platforms into centralized points of failure, allowing them to exploit multiple customers simultaneously.”

Denis Calderone, CTO, Suzu Labs added this comment:

   “Three Salesforce OAuth supply chain attacks in under a year, from two different threat actors, using the same playbook. Salesloft, Gainsight, and now Klue. Icarus is a brand-new extortion group, active since late April, and they executed the exact same technique that ShinyHunters ran through Gainsight back in November. Compromise the integration vendor, harvest OAuth tokens, query the Salesforce REST API with automated scripts, exfiltrate CRM data in bulk. At this point we have to accept that this particular attack pattern has been successfully commoditized.”

   “What’s got our attention is how many security vendors are on the victim list. Huntress, Recorded Future, Tanium, HackerOne, Kudelski Security, Snyk, Jamf. The data sitting in their Salesforce instances includes competitive battlecards, pricing strategy, customer contacts, deal sizes, and sales communications. We expect to see some highly targeted spear-phishing campaigns as a result of this data. The attacker has access to real data that only an insider would know.

   “We feel it important to highlight the root cause here. Huntress traced initial access back to a single credential Klue created for a prototype third-party integration they never actually deployed. One forgotten API key got the attacker into Klue’s backend. From there, they pushed a malicious code update that harvested the OAuth tokens of all connected customers at once. So one dormant credential that nobody remembered existed opened the door to 300 organizations’ CRM environments in a single operation.

   “If you’re a Klue customer, rotate every OAuth token tied to that integration, and don’t limit yourself to Salesforce. Klue also integrated with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The confirmed bulk exfiltration targeted Salesforce, but the token harvest covered all connected platforms.

   “If Klue had an OAuth connection into your Slack, your Google Drive, or anything else, treat those tokens as compromised and rotate them now. Every org needs to audit connected apps for dormant integration credentials and build automated alerts on abnormal API query volume from third-party services. If a connected app that normally syncs a few hundred records starts pulling thousands of queries in minutes, that’s your early warning.”

Damon Small, Board of Directors, Xcape, Inc. said this:

   “This third-party compromise highlights a severe operational risk where specialized business platforms become aggregate targets for corporate espionage, exposing the strategic playbooks of the cybersecurity sector itself. By exploiting Salesforce-linked integrations, attackers bypassed external perimeters to directly access sensitive competitive analysis, product intelligence, and customer data.

   “For security executives, this incident demonstrates that non-core software vendors often possess highly privileged pathways into primary data repositories. To contain this exposure, organizations must immediately catalog all API and OAuth integrations connected to their central Customer Relationship Management systems. Teams should prioritize revoking obsolete or over-privileged third-party tokens, implementing strict scoping boundaries on automated data access, and establishing anomaly detection baselines for bulk data exports conducted by integrated applications.

   “Critical Takeaways

  • Security leaders must immediately audit and inventory all active OAuth tokens and connected applications within their Customer Relationship Management environments to identify over-privileged third-party access.
  • Organizations should enforce strict data scoping and API restriction policies to limit the volume of proprietary competitive intelligence and customer telemetry accessible by integrated platforms.
  • Security operations teams need to establish baseline detection rules specifically tailored to identify anomalous, high-volume data exports or API queries originating from external business applications.

   “It is tough to sell threat visibility to your customers when your own corporate battlecards are exposed because you did not have a Klue.”
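Both Calderone's "a few hundred records, then thousands in minutes" early warning and Small's third takeaway (baseline detection rules for high-volume exports by external applications) come down to the same check: per connected app, compare the records pulled in the current minute against that app's own history. As an added example (my code, not from the post or any of the people quoted), this script runs that check over constructed API audit log lines. The log format, the field names, the 10x-over-median factor and the 1,000-row floor are all assumptions; the real inputs would be your SaaS platform's API event logs.

```python
import re
from collections import defaultdict
from statistics import median

# Constructed API audit log lines (not from any real system): one line per
# API call made by a connected app, with the number of records returned.
LOG_LINES = """\
2026-05-10T09:00:05Z app=crm-sync op=query rows=40
2026-05-10T09:00:41Z app=crm-sync op=query rows=55
2026-05-10T09:01:10Z app=crm-sync op=query rows=48
2026-05-10T09:02:03Z app=crm-sync op=query rows=60
2026-05-10T09:03:30Z app=crm-sync op=query rows=45
2026-05-10T09:04:01Z app=crm-sync op=query rows=50
2026-05-10T09:05:02Z app=crm-sync op=query rows=2000
2026-05-10T09:05:04Z app=crm-sync op=query rows=2000
2026-05-10T09:05:06Z app=crm-sync op=query rows=2000
2026-05-10T09:05:08Z app=crm-sync op=query rows=2000
2026-05-10T09:00:12Z app=support-widget op=query rows=3
2026-05-10T09:03:12Z app=support-widget op=query rows=2
"""

# Assumed line layout; adapt the pattern to the real log source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) app=(?P<app>\S+) op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)


def parse(lines):
    """Yield (minute_bucket, app, rows) for each well-formed line."""
    for line in lines.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            # "2026-05-10T09:05:02Z"[:16] -> "2026-05-10T09:05"
            yield m["ts"][:16], m["app"], int(m["rows"])


def per_minute(lines):
    """Sum records pulled per app per minute."""
    rows = defaultdict(lambda: defaultdict(int))
    for minute, app, n in parse(lines):
        rows[app][minute] += n
    return rows


def detect_bursts(lines, factor=10, min_rows=1000, min_history=3):
    """Return (app, minute, rows, baseline) for each minute in which an app
    pulled at least min_rows records AND more than factor times the median
    of its own earlier per-minute volume. The baseline is built only from
    minutes before the one being judged, so a burst does not inflate it."""
    alerts = []
    for app, minutes in per_minute(lines).items():
        ordered = sorted(minutes.items())
        for i, (minute, n) in enumerate(ordered):
            history = [v for _, v in ordered[:i]]
            if len(history) < min_history:
                continue  # not enough history to call anything anomalous
            baseline = median(history)
            if n >= min_rows and n > factor * baseline:
                alerts.append((app, minute, n, baseline))
    return alerts


if __name__ == "__main__":
    for app, minute, n, base in detect_bursts(LOG_LINES):
        print(f"ALERT {app} at {minute}: {n} rows (baseline {base}/min)")
```

The absolute floor matters as much as the ratio: a low-volume app going from 2 rows to 30 is a ten-fold jump that nobody wants paged for, while a sync app jumping from tens of rows to thousands per minute is the bulk-export pattern described above. Tune both numbers per app from a few weeks of normal traffic before turning on alerting.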

I guess that it is far past time for you to audit your environment to ensure that you’re not the next Klue. Because it is much easier to not be the next Klue than it is for me to write about you.
