Klue confirmed that unauthorized activity in its integration infrastructure led to the theft of OAuth tokens, which were then used to access connected Salesforce environments, with only third-party integrations affected. The Icarus extortion group claimed responsibility, and multiple organizations, including Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity, reported Salesforce data theft tied to the attack. #Klue #Icarus #Salesforce #Huntress #ReliaQuest
Key points
- Klue detected unauthorized activity on June 12 in its integration infrastructure.
- Attackers used a compromised legacy credential to steal OAuth tokens.
- The stolen tokens were used to access connected Salesforce customer environments.
- Klue said its core platform data was not affected, only third-party integrations.
- Icarus publicly claimed responsibility and multiple organizations disclosed Salesforce data theft.