Hackers compromise Salesforce accounts via Klue breach

 


At least five cybersecurity companies have had their Salesforce accounts compromised in a hacking campaign linked to business intelligence platform Klue.

Klue confirmed that attackers gained access to its systems on June 12 through a compromised legacy credential connected to an integration service. The hackers then stole OAuth tokens used by customers to connect Klue with third-party platforms, including Salesforce.

Using the stolen tokens, the attackers accessed customer Salesforce accounts and downloaded data. The suspicious activity was first detected by security firms Huntress and ReliaQuest, which investigated the incident and later alerted Klue.

According to Klue, there is no evidence that customer data stored directly on its platform was affected. The company said the breach was limited to connected third-party services.

Klue is now working to investigate the incident and has revoked affected credentials, tokens, and integrations to block further unauthorized access. While Klue also connects with services such as HubSpot, Zoom, and Google Drive, Salesforce was likely targeted first because it often contains sensitive financial and personal information.

A new hacking group known as Icarus has claimed responsibility for the attack on its dark web leak site. The group is reportedly attempting to extort Klue and has warned affected companies to contact them if they want to prevent stolen data from being leaked online.

