Tech News

Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks

Why This Matters

The breach attributed to the 'Icarus' group shows how a compromised third-party integration becomes a path into customers' SaaS data: the attackers did not need to break into Salesforce itself, only to obtain the OAuth tokens that a trusted connected app already held for each customer tenant. It underscores the need for organizations to inventory the connected apps authorized against their cloud platforms, monitor how those apps' OAuth tokens are actually used, and be able to revoke them quickly, because a stolen token grants the same API access as the integration until it is revoked.

Key Takeaways

Market intelligence platform Klue suffered an OAuth breach that enabled the "Icarus" threat actors to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign.

Sources told BleepingComputer yesterday that numerous organizations had their Salesforce data stolen and were now being extorted by the relatively new group.

Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that its own Salesforce data was stolen in the attack.

Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated.

"To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident," Salesforce warned yesterday.

"As a result, organizations will not be able to connect to Salesforce via this app until further notice."

If you have any information regarding this incident or other undisclosed attacks, you can contact us confidentially via Signal at 646-961-3731 or at [email protected].

Stolen OAuth credentials used to steal Salesforce data

ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft.

The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce's REST API for nearly 24 hours.
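The pattern described above (a legitimate integration identity whose OAuth token is suddenly used by a scripted client to sweep many objects over a long window) is exactly what Salesforce API event logs can surface. The script below is an added example written for this article; it is not code from BleepingComputer, ReliaQuest, Huntress, Klue or Salesforce. The log lines are constructed, and the column names are modelled loosely on Salesforce EventLogFile "API" events (EVENT_TYPE, TIMESTAMP_DERIVED, USER_ID, CLIENT_NAME, METHOD_NAME, ENTITY_NAME, ROWS_PROCESSED); treat those names, the user and client strings, and the thresholds as assumptions to map onto your own export.

```python
"""
Added example: hunt Salesforce-style API event logs for an integration
identity that has turned into a bulk exporter. Not code from the article or
from any vendor it names. Column names and sample values are assumptions.
"""
import csv
import io
from collections import defaultdict
from datetime import datetime

# Constructed sample (not real data). One integration user does a small
# nightly sync through its normal client, then the same user ID appears with
# a scripted client reading many objects across ~23 hours. A human mobile
# user is included as a control. All IDs and client names are invented.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED
API,2025-01-10T02:00:00Z,005INT000000001,Battlecards Sync,query,Account,200
API,2025-01-10T02:05:00Z,005INT000000001,Battlecards Sync,query,Opportunity,150
API,2025-01-11T02:00:00Z,005INT000000001,Battlecards Sync,query,Account,210
API,2025-01-11T02:05:00Z,005INT000000001,Battlecards Sync,query,Opportunity,140
API,2025-01-12T03:10:00Z,005INT000000001,python-requests/2.31,queryAll,Account,50000
API,2025-01-12T06:00:00Z,005INT000000001,python-requests/2.31,queryAll,Contact,120000
API,2025-01-12T09:30:00Z,005INT000000001,python-requests/2.31,queryAll,Lead,80000
API,2025-01-12T13:00:00Z,005INT000000001,python-requests/2.31,queryAll,Opportunity,40000
API,2025-01-12T16:40:00Z,005INT000000001,python-requests/2.31,queryAll,Case,60000
API,2025-01-12T20:15:00Z,005INT000000001,python-requests/2.31,queryAll,Task,30000
API,2025-01-13T02:30:00Z,005INT000000001,python-requests/2.31,queryAll,Contact,20000
API,2025-01-12T09:00:00Z,005USR000000002,Salesforce for iOS,query,Account,25
"""

# Illustrative thresholds (assumptions); baseline them per integration.
MAX_ROWS = 100_000        # total rows read by one user+client pair
MAX_ENTITIES = 3          # distinct objects an integration normally touches
MAX_SESSION_HOURS = 12.0  # longest run of continuous activity
SESSION_GAP_HOURS = 8.0   # a gap longer than this ends a session


def parse_api_events(text):
    """Parse CSV text into dicts with a parsed timestamp and int row count."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        if row["EVENT_TYPE"] != "API":
            continue
        row["ts"] = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
        row["rows"] = int(row["ROWS_PROCESSED"])
        events.append(row)
    return events


def longest_session_hours(times, gap_hours=SESSION_GAP_HOURS):
    """Length in hours of the longest run of events with no gap > gap_hours."""
    times = sorted(times)
    start = prev = times[0]
    best = 0.0
    for t in times[1:]:
        if (t - prev).total_seconds() / 3600.0 > gap_hours:
            best = max(best, (prev - start).total_seconds() / 3600.0)
            start = t
        prev = t
    return max(best, (prev - start).total_seconds() / 3600.0)


def summarize(events):
    """Aggregate per (user, client): rows read, objects touched, session length."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["USER_ID"], e["CLIENT_NAME"])].append(e)
    summary = {}
    for key, evs in groups.items():
        summary[key] = {
            "rows": sum(e["rows"] for e in evs),
            "entities": sorted({e["ENTITY_NAME"] for e in evs}),
            "session_hours": longest_session_hours([e["ts"] for e in evs]),
            "queryall": any(e["METHOD_NAME"] == "queryAll" for e in evs),
        }
    return summary


def find_bulk_exporters(text):
    """Return [(user, client, reasons)] for identities whose token looks like it is being used to dump data."""
    findings = []
    for (user, client), s in summarize(parse_api_events(text)).items():
        reasons = []
        if s["rows"] > MAX_ROWS:
            reasons.append(f"{s['rows']} rows read")
        if len(s["entities"]) > MAX_ENTITIES:
            reasons.append(f"{len(s['entities'])} objects: {', '.join(s['entities'])}")
        if s["session_hours"] > MAX_SESSION_HOURS:
            reasons.append(f"continuous activity for {s['session_hours']:.1f}h")
        if s["queryall"]:
            reasons.append("queryAll used (also returns deleted/archived rows)")
        if reasons:
            findings.append((user, client, reasons))
    return findings


if __name__ == "__main__":
    for user, client, reasons in find_bulk_exporters(SAMPLE_LOG):
        print(f"{user} via {client!r}: " + "; ".join(reasons))
```

The useful signal is the pairing of user and client: the integration's own user ID is expected in the log, so an alert keyed on user alone would stay quiet, while the same user driving an unfamiliar client (here a generic Python HTTP library) across far more objects and for far longer than its nightly sync is the shape of a stolen token being replayed. Once such a pair is found, the response is to revoke that app's OAuth tokens in the tenant and rotate the integration's credentials rather than just disable the user.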
