saas · BleepingComputer
Klue, a market intelligence platform, disclosed a security incident on June 12 in which attackers obtained OAuth tokens used to connect Klue integrations to customers' Salesforce environments. According to Klue CEO Jason Smith, an attacker gained access through a compromised legacy credential associated with an integration service and subsequently stole OAuth tokens for third-party platforms including Salesforce. The company states that no evidence indicates customer data stored directly within Klue was affected; the incident was limited to third-party integrations. Klue revoked affected credentials and tokens, removed unauthorized code, and engaged CrowdStrike for incident response. Security researchers Huntress and ReliaQuest documented that attackers used the stolen OAuth credentials to access customer Salesforce environments and conduct data theft; the threat group Icarus has publicly claimed responsibility and is demanding contact through Session messaging to prevent data leaks.
This incident highlights risks for SaaS companies and their enterprise customers who rely on OAuth integrations with platforms like Salesforce. Organizations subject to SOC2 compliance should assess whether their third-party integrations and API token management practices meet control requirements around access management and credential rotation. Defense contractors and healthcare providers handling regulated data in Salesforce instances should evaluate whether the OAuth token compromise creates exposure of controlled unclassified information (CUI) or protected health information (PHI), which may trigger incident notification obligations. SaaS vendors managing customer connections to external platforms should review integration architecture, legacy credential hygiene, and token lifecycle policies; an Omniware engagement can scope credential management and API security controls in detail.
Source: BleepingComputer - https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/
Source: BleepingComputer
All briefings