Full Report
透明性は私たちの企業運営の根幹をなすものです。最近発生したサードパーティベンダーによるセキュリティインシデントに関する声明をご覧ください。調査結果および、お客様の情報を保護するために講じた対策について記載しております。
Analysis Summary
# Incident Report: Compromise of Third-Party Vendor Klue Impacting Recorded Future
## Executive Summary
Recorded Future was impacted by a security incident involving Klue, a third-party marketing vendor, which suffered an unauthorized access to its integration layer. The attack leveraged compromised OAuth tokens to gain access to Recorded Future’s Salesforce environment, resulting in the potential exposure of business contact data. No core systems or internal databases were compromised, and the incident was contained following the revocation of integration tokens.
## Incident Details
- **Discovery Date:** Week of June 17, 2026 (Internal confirmation on June 17)
- **Incident Date:** June 12, 2026
- **Affected Organization:** Recorded Future (via Klue)
- **Sector:** Cybersecurity / SaaS
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** 2026-06-12 (Morning)
- **Vector:** Compromised OAuth tokens within a third-party integration layer.
- **Details:** Attackers targeted the integration layer connecting Klue to Salesforce and other marketing SaaS platforms.
### Lateral Movement
- **Details:** The threat actor utilized a compromised Salesforce-Klue OAuth token to move from the vendor's integration environment into Recorded Future’s specific Salesforce account.
### Data Exfiltration/Impact
- **Details:** Access was limited to Salesforce business data fields. Compromised data includes customer contact names, email addresses, and potentially specific business contract information.
### Detection & Response
- **How it was discovered:** Notification from Klue regarding an incident, followed by Recorded Future CSIRT’s independent correlation and analysis of activity logs.
- **Response actions taken:** Lockdown and revocation of all Klue-related OAuth tokens, review of all third-party Salesforce integrations, and active monitoring for anomalous activity.
## Attack Methodology
- **Initial Access:** Third-party integration compromise (Supply Chain).
- **Persistence:** Utilization of valid OAuth tokens.
- **Privilege Escalation:** Not explicitly stated; assumed use of integration permissions.
- **Defense Evasion:** Not disclosed, though the attack exploited legitimate integration channels.
- **Credential Access:** Compromise/theft of OAuth tokens.
- **Discovery:** Passive reconnaissance of the vendor’s integration layer.
- **Lateral Movement:** Cloud-to-cloud movement via API/Integration tokens.
- **Collection:** Gathering business contact info and contract metadata from Salesforce.
- **Exfiltration:** Accessing and potentially copying Salesforce database fields.
- **Impact:** Unauthorized data exposure (Information Disclosure).
## Impact Assessment
- **Financial:** Not disclosed; low immediate operational cost but potential long-term risk.
- **Data Breach:** Business contact information (names, emails) and contract metadata.
- **Operational:** Low; core platforms and Intelligence Graph remained fully functional.
- **Reputational:** Minimal, mitigated by proactive disclosure and transparency.
## Indicators of Compromise
- **Network indicators:** Recorded Future correlated "known malicious IP addresses" identified by Klue (Specific IPs not provided in the public statement).
- **File indicators:** N/A (SaaS-based attack).
- **Behavioral indicators:** Unusual API calls or activity associated with the Klue-Salesforce OAuth token.
## Response Actions
- **Containment:** Revoked and locked down all OAuth tokens associated with Klue.
- **Eradication:** Coordinated with Salesforce to clear unauthorized access paths and review all third-party app permissions.
- **Recovery:** Cross-referencing environmental logs with Klue’s IOCs to ensure no further persistence exists.
## Lessons Learned
- **Supply Chain Risk:** Even cybersecurity leaders are susceptible to breaches originating in niche third-party marketing tools.
- **Integration Visibility:** The ability to correlate logs across disparate SaaS platforms (Salesforce and Klue) was critical for rapid validation of the impact.
- **Least Privilege:** OAuth tokens should be strictly scoped to prevent broad access to CRM data if an integration is compromised.
## Recommendations
- **SaaS Security Posture Management (SSPM):** Implement tools to continuously monitor and audit third-party integration permissions.
- **Token Rotation:** Regularly rotate OAuth tokens and audit "stale" integrations that are no longer in active use.
- **Enhanced Log Centralization:** Ensure that all SaaS logs (Salesforce, marketing tools, etc.) are ingested into a central SIEM for rapid incident correlation.
- **Phishing Awareness:** Stakeholders should remain vigilant against phishing, as the stolen contact info may be used for targeted social engineering.