Hackers Exploit Klue to Steal Salesforce Data
Key Points
- Credentials from a discontinued third-party integration let attackers access OAuth tokens for customer Salesforce environments through the Klue SaaS platform.
- The incident highlights how service accounts, API keys, integrations, and other non-human identities can become high-value targets.
- IANS Faculty recommend inventorying Salesforce third-party access, reviewing integration permissions, auditing OAuth tokens, and preparing for follow-on phishing, social engineering, and extortion attempts.
A discontinued third-party integration feature within Klue, a SaaS platform for sales and marketing, was exploited by cybercriminals to steal customers’ Salesforce data.
The attackers gained access to the platform’s integration infrastructure using a compromised legacy credential on June 12, Klue said on June 19. The attackers reportedly used this access to collect OAuth tokens that connected Klue to other third-party platforms, such as Salesforce, within Klue’s customer environments.
Klue customers, including Huntress, Snyk, and Sprout Social, among others, came forward last week to disclose that their Salesforce CRM data had been accessed and taken. Exfiltrated Salesforce data included business contact information, price quotes, and other sales-related customer data, according to Huntress.
A cybercriminal group calling itself Icarus initially claimed responsibility for the attack and sent ransom notes threatening to leak customer data. ShinyHunters, a prolific cybercrime organization, later claimed responsibility for the breach, according to ReliaQuest Threat Research.
Big Picture
Every third-party connection, API, or other digital resource is just as vulnerable and valuable a target as a human identity and should be protected by the same level of scrutiny and tooling.
"We continue to be way too human-centric in our identity programs. Service accounts, integration accounts, API keys and the like need to be treated like critical assets," said Summer Craze Fowler, IANS Faculty.
Snowflake suffered a similar breach of customer accounts two years ago when hackers created fake credentials after gaining access to an unsecured third-party service.
Victims in the Klue attack have said that the stolen Salesforce data is mostly business information, which will likely fuel targeted phishing campaigns against employees, customers, and partner vendors in the months to come.
"[Phishing attackers] build on information they've already gathered. Even seemingly routine business data can provide enough context to make a phishing email, phone call, or extortion attempt feel surprisingly relevant, personal, and legitimate," said Lisa Perdelwitz, IANS Faculty.
IANS Faculty Recommendations
- Review Salesforce data connections: Inventory which third parties have access to Salesforce and review the permissions of each integration user. These accounts tend to be over-privileged for convenience.
- Inspect identity and access credentials: Audit OAuth tokens; misuse of a stolen token can look like normal traffic. Be sure to check underused or deprecated integrations, since tokens for retired connections are easy to forget and rarely monitored.
- Anticipate long-tail phishing attacks: Prepare your organization for phishing attempts if you or your partners are impacted. Stolen business contact information can fuel follow-on phishing, social engineering, and extortion campaigns.
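As an added illustration of the first two recommendations (this is not IANS's, Klue's, or Salesforce's code), the following Python sketch runs an audit over an exported list of OAuth tokens: it flags tokens for integrations that have been retired but never revoked, tokens that are not in the current third-party inventory, tokens that have gone unused for a long period, and tokens held by integration users whose permission sets grant org-wide data access. The token records and the per-user permission summary are constructed sample data; their field names are borrowed from Salesforce's OauthToken and PermissionSet objects, and the approved and deprecated app lists are assumptions a team would replace with its own inventory.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample records (not from any real org). Field names follow the
# Salesforce OauthToken object (AppName, UserId, LastUsedDate, UseCount); in a
# live org an admin would export them with a SOQL query such as
#   SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
# but the audit below only needs plain dicts, so it runs offline.
SAMPLE_TOKENS = [
    {"Id": "t1", "AppName": "Klue", "UserId": "u-klue",
     "LastUsedDate": "2024-06-12T03:14:00Z", "UseCount": 8421},
    {"Id": "t2", "AppName": "Legacy Lead Sync", "UserId": "u-leadsync",
     "LastUsedDate": "2023-09-01T10:00:00Z", "UseCount": 12},
    {"Id": "t3", "AppName": "Salesforce Mobile", "UserId": "u-alice",
     "LastUsedDate": "2024-06-18T08:30:00Z", "UseCount": 300},
    {"Id": "t4", "AppName": "Unknown Analytics Bot", "UserId": "u-leadsync",
     "LastUsedDate": "2024-06-17T23:59:00Z", "UseCount": 5000},
]

# Constructed per-user summary: whether the account is a non-human integration
# user and whether any of its permission sets grant org-wide data access
# (flag names borrowed from the PermissionSet object).
SAMPLE_USERS = {
    "u-klue":     {"is_integration": True,  "PermissionsModifyAllData": True,  "PermissionsViewAllData": True},
    "u-leadsync": {"is_integration": True,  "PermissionsModifyAllData": False, "PermissionsViewAllData": True},
    "u-alice":    {"is_integration": False, "PermissionsModifyAllData": False, "PermissionsViewAllData": False},
}

# Assumed inventory lists; a real team maintains these from its own records.
APPROVED_APPS = {"Klue", "Salesforce Mobile"}   # third parties expected to hold tokens
DEPRECATED_APPS = {"Legacy Lead Sync"}           # integrations retired but never revoked


def _parse(ts):
    """Parse the ISO-8601 UTC timestamp format used in the sample records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def audit_oauth_tokens(tokens, users, approved, deprecated, now, stale_days=90):
    """Return (token_id, finding) pairs for every token that needs attention."""
    findings = []
    for tok in tokens:
        tid, app, uid = tok["Id"], tok["AppName"], tok["UserId"]
        user = users.get(uid, {})
        # Inventory check: retired integrations first, then anything unknown.
        if app in deprecated:
            findings.append((tid, "deprecated_integration"))
        elif app not in approved:
            findings.append((tid, "not_in_inventory"))
        # Staleness check: a token nobody has used in stale_days is pure exposure.
        if now - _parse(tok["LastUsedDate"]) > timedelta(days=stale_days):
            findings.append((tid, "stale_token"))
        # Least-privilege check: integration users should not hold org-wide data access.
        if user.get("is_integration") and (
            user.get("PermissionsModifyAllData") or user.get("PermissionsViewAllData")
        ):
            findings.append((tid, "over_privileged_integration_user"))
    return findings


def tokens_to_revoke(findings):
    """Token ids whose integration is retired or unknown: candidates for immediate revocation."""
    return {tid for tid, kind in findings if kind in ("deprecated_integration", "not_in_inventory")}


if __name__ == "__main__":
    # Audit date chosen to sit shortly after the sample tokens' last-used dates.
    audit_time = datetime(2024, 6, 20, tzinfo=timezone.utc)
    results = audit_oauth_tokens(SAMPLE_TOKENS, SAMPLE_USERS, APPROVED_APPS, DEPRECATED_APPS, audit_time)
    for tid, kind in results:
        print(f"{tid}: {kind}")
    print("revoke:", sorted(tokens_to_revoke(results)))
```

The order of checks matters: a token is classified against the inventory before anything else, because a deprecated or unknown app is the finding most likely to indicate an integration nobody is watching. The staleness and privilege checks are independent, so one token can carry several findings; the Legacy Lead Sync token in the sample data, for example, is deprecated, stale, and held by an over-privileged integration user at the same time.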
Authors & Contributors
Tim McCarthy, Author, IANS News
Summer Craze Fowler, IANS Faculty
Lisa Perdelwitz, IANS Faculty
Although reasonable efforts will be made to ensure the completeness and accuracy of the information contained in our News & blog posts, no liability can be accepted by IANS or our Faculty members for the results of any actions taken by individuals or firms in connection with such information, opinions, or advice.