Full Report
According to investigations, the compromise began when attackers gained access to Klue backend systems and deployed code capable of harvesting OAuth tokens used by customers to integrate Klue with third-party platforms such as Salesforce, Gong, SharePoint, HubSpot, Slack, and ...
Analysis Summary
# Incident Report: Klue Supply Chain Breach & Customer Data Exfiltration
## Executive Summary
An unauthorized actor compromised Klue’s backend systems via a legacy credential, deploying malicious code to harvest customer OAuth tokens. These tokens were leveraged to bypass authentication and exfiltrate sensitive CRM data from third-party platforms, primarily Salesforce. The incident resulted in large-scale automated data theft affecting multiple Klue customers before containment.
## Incident Details
- **Discovery Date:** May/June 2024 (Published June 18, 2024)
- **Incident Date:** Approximately May 2024
- **Affected Organization:** Klue
- **Sector:** Competitive Intelligence / Software as a Service (SaaS)
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** May 2024
- **Vector:** Supply Chain / Credential Stuffing or Reuse
- **Details:** Attackers utilized a "long-unused but still-active" credential that was originally created for a discontinued integration project to gain access to Klue's backend.
### Lateral Movement
- Attackers moved from the initial entry point to production backend systems to deploy token-harvesting code.
- They then shifted "horizontally" from Klue's infrastructure into customer environments using the stolen OAuth tokens.
### Data Exfiltration/Impact
- **Technique:** Automated API requests via Python-based tooling.
- **Volume:** In some cases, ~1,000 API queries within a 15-minute window.
- **Targets:** Salesforce REST API endpoints (`/services/data/v59.0/query` and `/services/data/v59.0/sobjects`).
- **Data Stolen:** CRM records, customer contact info, pricing, and sales communications.
### Detection & Response
- **Discovery:** Identified via unusual API activity and high-volume pagination requests in customer Salesforce environments.
- **Response:** Klue neutralized the malicious code, revoked compromised tokens, and rotated backend credentials.
## Attack Methodology
- **Initial Access:** Valid Accounts (Legacy/Orphaned Credentials).
- **Persistence:** Unauthorized code deployment within Klue backend.
- **Privilege Escalation:** Not explicitly detailed, but involved moving from service accounts to production code access.
- **Defense Evasion:** Use of legitimate OAuth tokens to mimic authorized integrations.
- **Credential Access:** OAuth Token harvesting via malicious backend code.
- **Discovery:** Identifying third-party integrations (Salesforce, HubSpot, etc.).
- **Lateral Movement:** Cloud-to-cloud movement using stolen session tokens/authorizations.
- **Collection:** Automated querying of CRM objects.
- **Exfiltration:** Exfiltration over Web API (Salesforce REST API).
- **Impact:** High-volume data exfiltration of sensitive business intelligence.
## Impact Assessment
- **Financial:** Undisclosed, but likely involves legal, forensic, and notification costs.
- **Data Breach:** High. Exposure of CRM and pricing data for an unknown number of customers.
- **Operational:** Disruption of Klue integrations and required remediation for customers.
- **Reputational:** Significant impact as a trusted "supply chain" vendor for enterprise sales data.
## Indicators of Compromise
- **Network indicators:** API calls originating from IPs associated with Python-based automated tooling (non-Klue infrastructure).
- **Behavioral indicators:**
  - Rapid pagination of Salesforce `sobjects`.
  - Unusual volume of queries (1,000+ per 15 min) via `/services/data/v[xx].0/query`.
  - Access to sensitive CRM tables by the Klue integration user outside of normal patterns.
## Response Actions
- **Containment:** Removal of malicious code from Klue backend systems.
- **Eradication:** Revocation of all potentially compromised OAuth tokens to prevent further access to customer environments.
- **Recovery:** Coordination with customers to re-authorize integrations, and rotation of internal legacy credentials.
## Lessons Learned
- **Identify "Zombies":** Dormant or legacy credentials/service accounts represent a significant attack surface if not formally decommissioned.
- **Token Security:** Backend systems that handle third-party OAuth tokens must be treated as Tier-0 assets with rigorous integrity monitoring.
- **API Monitoring:** High-volume data pulling via integrations should trigger automated alerts on the consumer side (e.g., within Salesforce).
## Recommendations
- **Credential Hygiene:** Implement a strict lifecycle management process for service accounts, ensuring project-specific credentials are deleted upon project termination.
- **Least Privilege:** Limit the scopes of OAuth tokens to only the specific data fields required for the integration.
- **Anomaly Detection:** Deploy monitoring for "impossible travel" or high-velocity API queries originating from third-party integration partners.
- **Supply Chain Audits:** Conduct regular code integrity checks on backend systems that manage customer secrets or integrations.
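The behavioral indicators listed under Indicators of Compromise and the high-velocity query alerting recommended above can be turned into a concrete consumer-side check. The following is an added example, not code from this report or from Klue or Salesforce: a small Python detector that applies the report's threshold (roughly 1,000 calls to the `/services/data/v*/query` and `sobjects` endpoints within a sliding 15-minute window, per integration user) to constructed Salesforce-style API event lines. The `timestamp,user,method,uri` line layout, the user IDs and the cursor paths are assumptions made for the sample.

```python
import re
from collections import deque, defaultdict
from datetime import datetime, timedelta

# Thresholds taken from the report: ~1,000 queries in a 15-minute window.
WINDOW = timedelta(minutes=15)
QUERY_THRESHOLD = 1000
# Matches the REST paths named in the report; the API version is a wildcard.
DATA_API = re.compile(r"^/services/data/v\d+\.\d+/(query|sobjects)(/|$)")

def parse_line(line):
    """Parse one constructed event line of the form: ts,user,method,uri (assumed layout)."""
    ts, user, method, uri = line.strip().split(",", 3)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S"), user, method, uri

def detect_bursts(lines, window=WINDOW, threshold=QUERY_THRESHOLD):
    """Return {user: (window_start, trigger_ts, count)} for every user whose
    query/sobjects calls reach the threshold inside the sliding window."""
    recent = defaultdict(deque)   # user -> timestamps still inside the window
    alerts = {}
    for line in lines:             # lines are assumed to be time-ordered
        ts, user, method, uri = parse_line(line)
        if method != "GET" or not DATA_API.match(uri):
            continue               # not a data-API read; ignore
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()            # drop timestamps older than the window
        if len(q) >= threshold and user not in alerts:
            alerts[user] = (q[0], ts, len(q))
    return alerts

def constructed_log():
    """Constructed sample (not real Klue data): a normal user plus an integration
    user that issues 1,200 paginated queries in 12 minutes."""
    base = datetime(2024, 5, 20, 2, 0, 0)
    lines = []
    for i in range(30):   # ordinary traffic: one record read every 5 minutes
        t = base + timedelta(minutes=5 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S},005NORMAL,GET,/services/data/v59.0/sobjects/Account/001A")
    for i in range(1200):  # burst: a query every 0.6 s, walking next-page cursors
        t = base + timedelta(seconds=0.6 * i)
        lines.append(f"{t:%Y-%m-%dT%H:%M:%S},005INTEGR,GET,/services/data/v59.0/query/01gCURSOR-{2000 * i}")
    lines.sort()           # ISO timestamps sort chronologically as strings
    return lines

if __name__ == "__main__":
    for user, (start, end, n) in detect_bursts(constructed_log()).items():
        print(f"ALERT {user}: {n} data-API calls between {start} and {end}")
```

In production the same window logic would run over the Salesforce EventLogFile API events for the integration user, with the threshold tuned to that integration's normal cadence.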