Full Report
Transparency is core to how we operate. Read our statement on a recent third-party vendor security incident, including our findings and the actions we've taken to protect customer information.
Analysis Summary
# Incident Report: Klue Third-Party Integration Breach
## Executive Summary
A security incident at Klue, a third-party marketing vendor, led to unauthorized access to a Salesforce integration layer used by Recorded Future. The attack involved the compromise of an OAuth token, allowing the attacker to access business contact information and some contract details. Recorded Future's core systems remained unaffected, and the incident was contained by revoking the compromised credentials.
## Incident Details
- **Discovery Date:** June 17, 2026 (Confirmation of impact)
- **Incident Date:** June 12, 2026
- **Affected Organization:** Klue (Primary), Recorded Future (Downstream)
- **Sector:** Cybersecurity / Marketing Technology
- **Geography:** Global
## Timeline of Events
### Initial Access
- **Date/Time:** June 12, 2026 (Morning)
- **Vector:** Compromised Third-Party Integration
- **Details:** Unauthorized access was gained to Klue’s environment, specifically targeting the integration layer connecting Klue to Salesforce.
### Lateral Movement
- **Details:** The threat actor utilized a compromised OAuth token associated with the Klue-Salesforce integration to access Recorded Future's Salesforce environment.
### Data Exfiltration/Impact
- **Details:** Elements of Recorded Future’s Salesforce database were accessed. Impacted data includes client contact names, email addresses, and certain business contract information.
### Detection & Response
- **How it was discovered:** Recorded Future’s CSIRT was notified by Klue regarding the vendor's internal breach; subsequent internal correlation of logs confirmed the impact on June 17.
- **Response actions taken:** Revocation of OAuth tokens, engagement with Salesforce for forensic logs, and correlation of malicious IPs.
## Attack Methodology
- **Initial Access:** Valid Accounts (OAuth Token compromise via third-party vendor Klue).
- **Persistence:** Not applicable; access was tied to the validity of the session token.
- **Privilege Escalation:** Use of integration permissions to access Salesforce database fields.
- **Defense Evasion:** Use of legitimate integration pathways (OAuth) to bypass traditional perimeter defenses.
- **Credential Access:** Theft/Compromise of OAuth tokens.
- **Discovery:** Cloud Service Discovery (Salesforce integration mapping).
- **Lateral Movement:** Use of third-party software hooks to move from vendor (Klue) to client (Recorded Future) environments.
- **Collection:** Automated extraction of Salesforce database fields.
- **Exfiltration:** Exfiltration over web API (Salesforce integration layer).
- **Impact:** Data breach of business and contact information.
## Impact Assessment
- **Financial:** Not disclosed; likely limited to incident response costs.
- **Data Breach:** Compromise of PII (names, emails) and sensitive business data (contract info).
- **Operational:** Minimal; no disruption to the Recorded Future core platform or Intelligence Graph.
- **Reputational:** Recorded Future acted as an "incidental victim," mitigating reputation damage through proactive transparency.
## Indicators of Compromise
- **Network indicators:** Malicious IP addresses (identified by Klue, not publicly disclosed in the report - defang required if known).
- **File indicators:** N/A (Cloud-based integration attack).
- **Behavioral indicators:** Anomalous API calls via the Klue-Salesforce OAuth token.
## Response Actions
- **Containment measures:** Immediately locked down and revoked all OAuth tokens associated with the Klue integration.
- **Eradication steps:** Review of all third-party SaaS applications integrated with Salesforce.
- **Recovery actions:** Active monitoring for anomalous activity; engagement with law enforcement.
## Lessons Learned
- **Supply Chain Vulnerability:** Even security-focused organizations are vulnerable to "n-th" party risks (Klue as a 3rd party, Salesforce as a 4th party).
- **Token Management:** The reliance on long-standing OAuth tokens for SaaS integrations presents a significant pivot point for attackers.
- **Notification Lag:** There was a 5-day gap between the incident (June 12) and Recorded Future's confirmation of impact (June 17).
## Recommendations
- **SaaS Security Posture Management (SSPM):** Implement tools to monitor and audit OAuth permissions and third-party integrations continuously.
- **Least Privilege for Integrations:** Restrict integration tokens to the absolute minimum fields required for functionality (e.g., preventing access to contract data if only contact data is needed).
- **Enhanced Logging:** Ensure verbose logging is enabled for all SaaS-to-SaaS integrations to decrease detection and verification time.
- **Customer Vigilance:** Advise clients to monitor for phishing attempts targeting the exposed contact information.