Klue OAuth Breach Exposes Third-Party SaaS Risk

Enterprise security teams have spent years hardening identity platforms, enforcing multifactor authentication, and strengthening endpoint security. Yet the latest compromise involving competitive intelligence platform Klue shows a different route into corporate environments: trusted third-party integrations.


The incident, which affected multiple high-profile technology companies, did not exploit a vulnerability in Salesforce itself. Instead, attackers compromised Klue's integration infrastructure, stole OAuth credentials used to connect customer environments, and used those trusted connections to exfiltrate sensitive CRM data. The breach shows how modern supply chain attacks increasingly target identity relationships rather than software flaws.

As more organizations rely on SaaS ecosystems connected via APIs and OAuth tokens, security leaders must recognize that trusted integrations can become privileged attack vectors.

According to Klue, the company detected unauthorized activity on June 12 and quickly began investigating alongside external incident response specialists. CEO Jason Smith explained the initial intrusion in a public statement.

On June 12, we identified unauthorized activity affecting a portion of Klue's integration infrastructure.

The investigation determined that attackers compromised a legacy credential associated with one of Klue's integration services. Rather than targeting customer environments directly, they used this access to harvest OAuth tokens that authorized connections between Klue and customer platforms, including Salesforce.

Smith described the attack's progression clearly.

The attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce.

Armed with legitimate OAuth tokens, the attackers authenticated as trusted integrations rather than as malicious users. This let them interact with Salesforce environments through approved APIs while sidestepping many traditional controls, which are built to catch suspicious interactive logins or malware rather than API calls made with a valid token.

Security researchers observed automated data collection that relied almost entirely on legitimate Salesforce functionality. Rather than exploiting vulnerabilities or deploying ransomware, the attackers simply queried CRM databases at scale using authorized access.

Several well-known technology and cybersecurity companies later confirmed that they had been affected by the incident, including Huntress, Recorded Future, Jamf, Tanium, Gong, Sprout Social, and Insurity. Most organizations emphasized that the compromise remained limited to Salesforce data accessed through the Klue integration.

Huntress reported that the stolen information included sales communications, pricing information, customer contacts, and business records. Importantly, companies consistently stated that their production environments, security platforms, engineering systems, and customer-facing infrastructure were not breached.

This matters because the compromise did not originate from weaknesses within Salesforce or within the affected organizations' networks. Instead, attackers exploited the trust relationship between customers and a third-party SaaS provider.

This incident reinforces an uncomfortable reality for defenders: an organization's security posture increasingly depends on the security practices of every connected vendor.

Icarus Emerges as a New Extortion Threat

The attack has been claimed by the relatively new extortion group known as Icarus, which publicly listed Klue on its leak site after security researchers had already linked the activity to the group.

Although Icarus has only recently appeared within the cybercriminal ecosystem, its operating model reflects a broader evolution in financially motivated cybercrime. Rather than deploying ransomware to encrypt systems, the group steals sensitive business information and then extorts victims.

Researchers at Huntress and ReliaQuest linked Icarus to the Klue campaign through multiple indicators, including Session Messenger identifiers used in ransom communications and infrastructure associated with the group's leak site. Following the data theft, affected organizations reportedly received extortion emails demanding contact before stolen information would be published.

This strategy reflects a continuing shift away from disruptive encryption attacks toward quieter data theft operations. Data exfiltration often creates less operational disruption while still giving attackers significant leverage over victims concerned about customer confidentiality, competitive intelligence, and regulatory obligations.

The Klue incident also shows that extortion groups are increasingly familiar with enterprise SaaS architectures. Instead of attacking every victim individually, compromising a single trusted service provider can grant access to dozens or even hundreds of downstream customer environments.

OAuth has become one of the most important authorization standards in modern cloud environments because it lets an application access resources on a user's or organization's behalf without ever handling the user's password. The same convenience, however, creates attractive opportunities for attackers: an OAuth access or refresh token is a bearer credential, usable by whoever holds it.

Once attackers obtain valid OAuth tokens, the authentication step has already happened: multifactor authentication and login-anomaly controls protect the moment the grant is issued, not every API call later made with the resulting token, so the connection appears entirely legitimate. Security products focused primarily on user authentication may struggle to distinguish malicious API activity from normal application behavior.

ReliaQuest researchers observed the attackers generating OAuth tokens before executing automated Python scripts that queried Salesforce APIs over extended periods. Rather than downloading files manually, the attackers systematically enumerated available objects and extracted data through thousands of API requests.
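The activity described in the two paragraphs above (automated scripts enumerating objects and pulling data through thousands of API requests under a legitimate integration) is exactly what Salesforce API event logs can reveal if anyone looks at per-application volume. The following is an added example, not code from PCrisk, Klue, Huntress or ReliaQuest: it buckets API events per connected app per hour and flags bursts that walk many objects, export many rows, or come from an egress IP the vendor never declared. The column names follow Salesforce's EventLogFile "API" event naming, but every log row, the IP allowlist and the thresholds are constructed assumptions a team would replace with its own baseline.

```python
"""Flag bulk CRM enumeration by a connected app in Salesforce API event logs.

Added example (not Klue's, Salesforce's or any researcher's code). Column
names mirror Salesforce EventLogFile "API" events; all values, the allowlist
and the thresholds are constructed for the example.
"""
import csv
import io
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Set, Tuple

# Constructed sample: a battlecard integration behaving normally in the
# morning, then the same connected app walking eight objects at 2000 rows
# each from a new client IP late in the evening. A second app is benign.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CLIENT_IP,CONNECTED_APP_ID,ENTITY_NAME,ROWS_PROCESSED
API,20250612090001.000,005AAA,203.0.113.10,0H4APP1,Account,50
API,20250612093000.000,005AAA,203.0.113.10,0H4APP1,Opportunity,40
API,20250612100500.000,005AAA,203.0.113.10,0H4APP1,Account,20
API,20250612213000.000,005AAA,198.51.100.7,0H4APP1,Account,2000
API,20250612213100.000,005AAA,198.51.100.7,0H4APP1,Contact,2000
API,20250612213200.000,005AAA,198.51.100.7,0H4APP1,Opportunity,2000
API,20250612213300.000,005AAA,198.51.100.7,0H4APP1,Lead,2000
API,20250612213400.000,005AAA,198.51.100.7,0H4APP1,Case,2000
API,20250612213500.000,005AAA,198.51.100.7,0H4APP1,Pricebook2,2000
API,20250612213600.000,005AAA,198.51.100.7,0H4APP1,Quote,2000
API,20250612213700.000,005AAA,198.51.100.7,0H4APP1,EmailMessage,2000
API,20250612220000.000,005BBB,192.0.2.44,0H4APP2,Account,10
"""

# Assumed per-hour policy for one connected app. Tune from each app's own
# history: an integration that normally reads two or three objects should
# never need to touch a dozen in an hour.
MAX_DISTINCT_ENTITIES_PER_HOUR = 5
MAX_ROWS_PER_HOUR = 5000
# Assumed allowlist of egress IPs each vendor declared for its integration.
KNOWN_APP_IPS: Dict[str, Set[str]] = {
    "0H4APP1": {"203.0.113.10"},
    "0H4APP2": {"192.0.2.44"},
}


@dataclass(frozen=True)
class Finding:
    connected_app_id: str
    hour: str
    requests: int
    distinct_entities: int
    rows: int
    unknown_ips: Tuple[str, ...]
    reasons: Tuple[str, ...]


def parse_events(text: str) -> List[dict]:
    """Parse EventLogFile-style CSV rows; type the timestamp and row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] != "API":
            continue
        # Salesforce writes TIMESTAMP as YYYYMMDDhhmmss.sss in UTC.
        row["TIMESTAMP"] = datetime.strptime(
            row["TIMESTAMP"].split(".")[0], "%Y%m%d%H%M%S"
        )
        row["ROWS_PROCESSED"] = int(row["ROWS_PROCESSED"] or 0)
        events.append(row)
    return events


def detect_bulk_enumeration(events: List[dict],
                            known_ips: Dict[str, Set[str]] = KNOWN_APP_IPS
                            ) -> List[Finding]:
    """Group API events per connected app per hour and flag hours that look
    like object enumeration, bulk export, or an undeclared client origin."""
    buckets = defaultdict(list)
    for ev in events:
        hour = ev["TIMESTAMP"].strftime("%Y-%m-%dT%H:00Z")
        buckets[(ev["CONNECTED_APP_ID"], hour)].append(ev)

    findings = []
    for (app, hour), evs in sorted(buckets.items()):
        entities = {e["ENTITY_NAME"] for e in evs}
        rows = sum(e["ROWS_PROCESSED"] for e in evs)
        unknown = tuple(sorted({e["CLIENT_IP"] for e in evs}
                               - known_ips.get(app, set())))
        reasons = []
        if len(entities) > MAX_DISTINCT_ENTITIES_PER_HOUR:
            reasons.append("object_enumeration")
        if rows > MAX_ROWS_PER_HOUR:
            reasons.append("bulk_export")
        if unknown:
            reasons.append("unknown_client_ip")
        if reasons:
            findings.append(Finding(app, hour, len(evs), len(entities),
                                    rows, unknown, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for f in detect_bulk_enumeration(parse_events(SAMPLE_LOG)):
        print(f)
```

The morning traffic from the same app and the same user never trips a rule; only the hour in which the integration suddenly reads eight objects at volume from an undeclared address is reported. Keying the baseline on the connected app rather than the user is the point: the integration user is shared by the vendor and by anyone holding its token.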

The campaign shows why machine identities deserve the same scrutiny as human users. Integration accounts often possess broad privileges, operate continuously, and rarely trigger behavioral alerts because organizations assume they represent trusted applications.

As organizations continue expanding their SaaS ecosystems, unmanaged machine identities increasingly pose one of the largest identity risks in enterprise environments.

Klue moved quickly after identifying the unauthorized activity. The company revoked affected credentials, removed unauthorized code, disabled impacted integrations, and notified law enforcement while engaging CrowdStrike to support the investigation.

Smith emphasized that the investigation found no evidence that customer content stored directly within Klue's own platform had been compromised.

Based on our investigation to date, the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted.

The company also committed to strengthening multiple aspects of its security program, including credential management, monitoring capabilities, and deployment processes.

Salesforce independently disabled the Klue Battlecards application while the investigation continued, stressing that the issue originated with the third-party integration rather than the Salesforce platform itself.

Although affected customers inevitably experienced disruption, Klue's public communications provided relatively transparent updates on the attack timeline, containment efforts, and the ongoing investigation.

The Klue incident is more than another SaaS breach. It shows how software supply chain attacks have evolved beyond malicious code updates or compromised software packages. Today's attackers increasingly target trust itself.

OAuth tokens, service accounts, and application integrations have become valuable assets because they allow adversaries to inherit existing trust relationships rather than breaking through traditional security perimeters.

Organizations have invested heavily in protecting employee identities, yet many still maintain hundreds of privileged machine identities that receive comparatively little oversight. Every connected application effectively becomes another privileged user inside the enterprise.

As cloud adoption continues to accelerate, security leaders will need to expand identity governance beyond people to include applications, integrations, and automated services.
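The two passages that call for treating machine identities as privileged users (the paragraphs above on unmanaged machine identities, and the earlier point that integration accounts hold broad privileges and rarely trigger alerts) come down to one concrete control: inventory every OAuth grant and hold it to a least-privilege policy. The following is an added example, not code from Klue, Salesforce or PCrisk. The scope names "full", "api", "refresh_token" and "offline_access" are real Salesforce OAuth scopes; the sample inventory, the "needed" scope set per integration, the reference date and the age thresholds are constructed assumptions.

```python
"""Audit connected-app OAuth grants against a least-privilege policy.

Added example (not Klue's or Salesforce's code). Scope names are Salesforce's;
the grants, the per-app minimum scope sets, the reference date and the
thresholds are constructed for the example.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, List, Optional

# Assumed policy values; adjust to the organization's own standards.
BROAD_SCOPES = frozenset({"full"})                      # grants everything
PERSISTENT_SCOPES = frozenset({"refresh_token", "offline_access"})
DORMANT_AFTER_DAYS = 90          # unused this long: revoke, re-consent if needed
MAX_REFRESH_TOKEN_AGE_DAYS = 180  # rotate long-lived refresh tokens

TODAY = date(2025, 6, 12)  # constructed reference date for the sample data


@dataclass(frozen=True)
class Grant:
    app: str                      # connected app name
    owner: str                    # accountable team ("" if nobody claims it)
    scopes: FrozenSet[str]        # scopes the grant actually carries
    needed_scopes: FrozenSet[str]  # what the documented integration requires
    issued: date                  # when the refresh token was issued
    last_used: Optional[date]     # last API use, None if never


# Constructed inventory. An over-scoped active app, a forgotten legacy
# integration with no owner, and a tidy one.
SAMPLE_GRANTS = [
    Grant("Battlecards", "sales-ops",
          frozenset({"api", "refresh_token", "offline_access", "full"}),
          frozenset({"api", "refresh_token"}),
          TODAY - timedelta(days=400), TODAY - timedelta(days=1)),
    Grant("LegacySync", "",
          frozenset({"api", "refresh_token"}),
          frozenset({"api", "refresh_token"}),
          TODAY - timedelta(days=700), TODAY - timedelta(days=200)),
    Grant("Marketing", "marketing",
          frozenset({"api", "refresh_token"}),
          frozenset({"api", "refresh_token"}),
          TODAY - timedelta(days=30), TODAY - timedelta(days=2)),
]


def audit_grant(grant: Grant, today: date) -> List[str]:
    """Return the policy violations for one grant, in a fixed order."""
    reasons = []
    if grant.scopes & BROAD_SCOPES:
        reasons.append("broad_scope")
    excess = grant.scopes - grant.needed_scopes
    if excess:
        reasons.append("excess_scope:" + ",".join(sorted(excess)))
    # A refresh token is a standing credential; age it like a password.
    if (grant.scopes & PERSISTENT_SCOPES
            and (today - grant.issued).days > MAX_REFRESH_TOKEN_AGE_DAYS):
        reasons.append("stale_refresh_token")
    if (grant.last_used is None
            or (today - grant.last_used).days > DORMANT_AFTER_DAYS):
        reasons.append("dormant")
    if not grant.owner:
        reasons.append("no_owner")
    return reasons


def audit(grants: List[Grant], today: date = TODAY) -> Dict[str, List[str]]:
    """Map each app name to its list of violations (empty list if clean)."""
    return {g.app: audit_grant(g, today) for g in grants}


def revocation_candidates(report: Dict[str, List[str]]) -> List[str]:
    """Apps whose grant should be revoked outright rather than narrowed."""
    hard = {"broad_scope", "dormant", "no_owner"}
    return sorted(app for app, reasons in report.items()
                  if hard & set(reasons))


if __name__ == "__main__":
    report = audit(SAMPLE_GRANTS)
    for app, reasons in report.items():
        print(app, reasons or "ok")
    print("revoke:", revocation_candidates(report))
```

Salesforce exposes connected-app grants and their scopes in its setup pages and through its API; the inventory here is hand-built so the check runs offline. The useful output is not the list of violations but the action it drives: narrow the scope of an active app that carries more than it needs, and revoke a grant nobody owns or uses, since an unused but valid refresh token is precisely the kind of legacy credential the article describes being turned against the customers it was meant to serve.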

The compromise of Klue serves as a reminder that attackers no longer need to defeat sophisticated security controls if they can simply authenticate using a trusted application. For defenders, the key takeaway is clear: protecting the modern enterprise increasingly means securing not only users but also every relationship of trust that connects today's cloud ecosystem.

Karolis Liucveikis

Experienced software engineer, passionate about behavioral analysis of malicious apps

Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
