Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month.
The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk.
Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration.
The list of impacted organizations also includes AlertMedia, Blackbaud (requires authentication), Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Klue has hundreds of customers and the blast radius could be wider, but SecurityWeek has not seen other notifications regarding the incident.
It should also be noted that some Klue customers, such as Autodesk, might not use the Salesforce integration with Klue and were not affected.
The attack was claimed by a threat actor named Icarus, which added Klue and several of its customers to a Tor-based leak site, threatening to leak the stolen information – mainly business contact and support data – unless a ransom was paid.
Klue confirmed the data breach on Monday and said it was investigating, but it has yet to publicly share updates on the findings.
In the meantime, however, the market research firm has notified its customers privately that it has been in contact with the threat actor, which started deleting the stolen data, TechCrunch reports.
Icarus’s leak site has been unavailable for the past couple of days, likely as a result of the negotiations with Klue, which suggests that the company might have paid up.
Additionally, Klue reportedly told customers that Icarus themselves were hacked, and that the stolen data is now in the hands of another threat actor, which is running its own extortion campaign.
The incident allegedly affects 195 Klue customers, but the second group supposedly stole only sample data from Icarus.
No known extortion group other than Icarus appears to have publicly claimed possession of data stolen during the Klue incident. SecurityWeek has emailed Klue for a statement and will update this article if the company responds.

