Icarus extortion crew breaches Klue and steals customer Salesforce data

Market intelligence platform Klue has confirmed a breach in which attackers stole authentication tokens that gave them access to its customers' Salesforce environments, leading to the theft of sales and customer data from several well-known firms. The Icarus extortion group has claimed responsibility, according to threat intelligence published by Check Point Research.

The case is a textbook example of a software supply chain breach: rather than attacking each victim directly, the intruders compromised a shared vendor and used that foothold to reach its customers. Among the organizations whose data was exposed are security and technology companies Huntress, Recorded Future, Tanium, and Jamf.

What happened

According to the reporting, the attackers first got in using compromised legacy integration credentials, older machine-to-machine logins that often linger with broad access long after anyone is watching them. With that access they harvested OAuth tokens connected to customer Salesforce instances. An OAuth token is a digital key that lets one application reach another on a user's behalf without a password, so the stolen tokens let the attackers query and pull data from each linked Salesforce environment as though they were a trusted, already approved app.

The result was the theft of sales pipeline and customer records belonging to Klue's clients. Because the access rode on legitimate, pre-authorized connections, this kind of activity can blend into normal traffic and slip past defenses tuned to spot password-based logins.

Why it matters

SaaS-to-SaaS integrations have quietly become one of the softest paths into enterprise data. A single set of stolen tokens at a connected vendor can expose dozens of downstream customers at once, and resetting a password does nothing to stop a token that is still valid. The presence of multiple security vendors among the affected organizations underscores that no sector is immune once a trusted integration is turned against its users.
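The three failure modes described above (a dormant integration login coming back to life, a trusted connected app pulling far more than it normally does, and a token that keeps working after a password reset) can each be checked against an audit export. The script below is an added example written for this briefing; it is not code from Klue, Check Point Research or Salesforce. The event layout, app and principal names, thresholds and every record in it are constructed for illustration, so map the fields to whatever your SaaS platform's login and API audit logs actually provide.

```python
"""Triage checks for token-based SaaS integration abuse.

Added example, not code from the original briefing or from Klue, Check Point
or Salesforce. The event format, field names, thresholds and every record
below are constructed for illustration; map them to your own audit export.
"""
import statistics
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit events, one per API session by a connected app:
# (timestamp, connected app, integration principal, records returned).
SAMPLE_EVENTS = [
    ("2024-05-01T09:00:00", "klue-sync", "svc_klue", 400),
    ("2024-05-02T09:00:00", "klue-sync", "svc_klue", 420),
    ("2024-05-03T09:00:00", "klue-sync", "svc_klue", 390),
    ("2024-05-04T03:12:00", "klue-sync", "svc_klue", 48000),     # bulk pull at an odd hour
    ("2024-01-10T12:00:00", "legacy-etl", "svc_etl_old", 10),
    ("2024-05-04T03:30:00", "legacy-etl", "svc_etl_old", 25000),  # dormant credential wakes up
    ("2024-05-04T10:00:00", "crm-dashboard", "svc_dash", 800),
]

# Constructed: when each principal's password was last reset.
PASSWORD_RESETS = {"svc_dash": "2024-05-04T08:00:00"}


def parse(events):
    """Convert raw tuples into (datetime, app, principal, count), oldest first."""
    return sorted((datetime.fromisoformat(ts), app, principal, n)
                  for ts, app, principal, n in events)


def bulk_pulls(events, multiplier=10.0, min_history=2):
    """Flag a session that returns more than `multiplier` times the app's
    median of its earlier sessions. A trusted app suddenly pulling the whole
    pipeline looks like ordinary token traffic unless volume is baselined."""
    history = defaultdict(list)
    flagged = []
    for ts, app, principal, n in parse(events):
        prior = history[app]
        if len(prior) >= min_history and n > multiplier * statistics.median(prior):
            flagged.append((app, principal, ts.isoformat(), n))
        prior.append(n)
    return flagged


def reactivated_credentials(events, max_idle_days=90):
    """Flag a principal whose activity resumes after more than `max_idle_days`
    of silence: a legacy integration login that nobody is watching."""
    last_seen = {}
    flagged = []
    for ts, app, principal, _ in parse(events):
        if principal in last_seen:
            idle = ts - last_seen[principal]
            if idle > timedelta(days=max_idle_days):
                flagged.append((principal, app, ts.isoformat(), idle.days))
        last_seen[principal] = ts
    return flagged


def tokens_surviving_reset(events, resets):
    """Flag token-based API access that happens after the principal's password
    reset. A reset alone does not revoke an issued token; these sessions show
    which grants still need explicit revocation."""
    flagged = []
    for ts, app, principal, _ in parse(events):
        reset_at = resets.get(principal)
        if reset_at and ts > datetime.fromisoformat(reset_at):
            flagged.append((principal, app, ts.isoformat()))
    return flagged


if __name__ == "__main__":
    checks = (
        ("bulk pulls", bulk_pulls(SAMPLE_EVENTS)),
        ("reactivated credentials", reactivated_credentials(SAMPLE_EVENTS)),
        ("token use after reset", tokens_surviving_reset(SAMPLE_EVENTS, PASSWORD_RESETS)),
    )
    for name, hits in checks:
        print(f"{name}: {hits}")
```

Against the constructed data the volume check catches the 48,000-record pull by the otherwise routine sync app, the idle check catches the ETL credential that reappears after 114 days of silence, and the reset check shows the dashboard token still in use two hours after its owner's password was changed. The thresholds (10x median, 90 idle days) are starting points, not tuned values; the useful output of each check is a list of connected apps and integration principals to review and, where nobody can vouch for them, to revoke.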

What you should do

The incident lands amid a broader wave of credential and token theft aimed at corporate logins; see our coverage of an ongoing password spraying operation against Fortinet and Sophos firewalls.

This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.
