A recent security incident involving Klue, a competitive intelligence platform used by many organizations, has raised serious concerns across the cybersecurity industry. The breach allowed attackers to gain unauthorized access to Klue’s integration infrastructure and steal OAuth tokens that customers used to connect their business applications. Security researchers say the attack eventually led to data theft from multiple organizations, including cybersecurity companies.


According to reports, the attackers first gained access through a compromised legacy credential linked to an old integration service. Although the credential was no longer actively used, it remained valid inside Klue’s environment. After entering the system, the threat actors moved deeper into the company’s infrastructure and deployed code designed to collect OAuth tokens from connected services.

OAuth tokens are commonly used by cloud applications to authenticate trusted connections without requiring users to repeatedly enter passwords. By stealing these tokens, the attackers were able to impersonate legitimate integrations and access customer environments connected to Klue. This method allowed them to bypass many traditional security controls while appearing as an authorized service.


Investigators found that the stolen tokens were used to access third-party platforms connected to Klue, including Salesforce. The attackers reportedly generated OAuth sessions and used automated scripts to query large amounts of customer data through APIs. Security analysts observed extensive activity that suggested systematic data collection and exfiltration from affected environments.

Several cybersecurity companies later confirmed that they were affected by the incident. Huntress disclosed that attackers accessed business contacts, sales communications, pricing information, and other CRM-related records stored in Salesforce. However, the company stated that no threat intelligence data, payment information, passwords, or product infrastructure were impacted by the breach.


Other organizations, including Recorded Future, Jamf, and Tanium, also reported potential exposure of business-related information. Investigations indicate that the compromise was largely limited to data accessible through integrated platforms rather than information stored directly inside the Klue platform itself. At this stage, there is no evidence that customer content hosted within Klue was directly accessed by the attackers.

In response to the incident, Klue revoked affected credentials and OAuth tokens, removed unauthorized code, disabled impacted integrations, and launched a comprehensive investigation. The company also engaged external incident response experts and notified law enforcement authorities. Salesforce separately disabled the Klue Battlecards integration after detecting suspicious activity linked to the application.


Researchers believe the attack highlights the growing risk posed by trusted third-party integrations and long-lived OAuth tokens. Rather than targeting organizations directly, attackers increasingly focus on software providers that connect to multiple customer environments. The incident serves as another example of how a single compromised integration can create a supply chain attack capable of affecting numerous organizations at once.
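Two of the defensive checks this incident points to, the dormant-but-valid integration credential that served as the entry point and the bulk API querying through a trusted connected app, can be run as simple audits over an integration inventory and an API event log. The script below is an added example, not code from Klue, Salesforce or any affected company; the inventory rows, event lines and field names are constructed for illustration.

```python
# Added detection example, not code from Klue, Salesforce or any affected vendor;
# the grant inventory and API event lines are constructed and field names assumed.
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed grant inventory: (app, age_days, days_since_last_use, expires_in_days or None)
GRANTS = [
    ("klue_battlecards", 400, 0, None),
    ("legacy_sync_service", 900, 210, None),  # dormant but still valid
    ("payroll_export", 20, 1, 70),
]
# Constructed hourly API event lines: timestamp, connected app, query count.
EVENTS = [
    "2025-01-14T08:00Z app=klue_battlecards queries=110",
    "2025-01-14T09:00Z app=klue_battlecards queries=130",
    "2025-01-14T10:00Z app=klue_battlecards queries=95",
    "2025-01-15T03:00Z app=klue_battlecards queries=9800",  # off-hours bulk pull
    "2025-01-15T04:00Z app=klue_battlecards queries=12400",
    "2025-01-15T09:00Z app=klue_battlecards queries=125",
    "2025-01-14T08:00Z app=hr_connector queries=40",
    "2025-01-14T09:00Z app=hr_connector queries=38",
    "2025-01-14T10:00Z app=hr_connector queries=44",
    "2025-01-15T09:00Z app=hr_connector queries=45",
]

def stale_grants(grants, unused_days=90, max_age_days=365):
    """Flag dormant-but-valid grants (the legacy-credential entry point) and old non-expiring ones."""
    flagged = []
    for app, age, idle, expires_in in grants:
        reasons = [r for r, hit in (("unused", idle >= unused_days),
                   ("long-lived", expires_in is None and age >= max_age_days)) if hit]
        if reasons:
            flagged.append((app, reasons))
    return flagged

def bulk_query_anomalies(lines, baseline_hours=3, factor=5.0):
    """Flag hours where an app's query count exceeds factor x its baseline median (bulk collection)."""
    per_app = defaultdict(list)
    for line in lines:  # "<ISO hour>Z app=<name> queries=<count>"
        ts, app_kv, q_kv = line.split()
        per_app[app_kv[4:]].append((datetime.strptime(ts, "%Y-%m-%dT%H:%MZ"), int(q_kv[8:])))
    flagged = []
    for app, rows in sorted(per_app.items()):
        rows.sort()  # chronological; the first baseline_hours define "normal"
        base = statistics.median(n for _, n in rows[:baseline_hours])
        flagged += [(app, ts.isoformat(), n)
                    for ts, n in rows[baseline_hours:] if n > factor * base]
    return flagged
```

Both checks are deliberately simple: a real deployment would pull the grant list from the identity provider or SaaS admin API and feed the event-log output into alerting, and the baseline window and factor would be tuned per app.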

Stay alert, and keep your security measures updated!

Source: Follow cybersecurity88 on X and LinkedIn for the latest cybersecurity news