Security shops among the 'hundreds' of Klue hack victims


The list of Klue customers whose Salesforce data was stolen in the latest supply-chain heist keeps growing, with an increasing number of cybersecurity companies disclosing that they are among the victims of a new data-theft and extortion crew called Icarus.

Klue, which provides market intelligence to more than 250,000 companies worldwide, hasn’t said how many of its customers were caught up in the breach and didn’t immediately respond to The Register’s inquiries.

Huntress was one of the first cybersecurity vendors to sound the alarm, and, in an email to The Register, said that it was among the “hundreds of Klue customers” affected. However, it said that the breach did not affect its tools or highly secure information such as passwords.

“Huntress believes in radical transparency about security incidents, including when it affects our company,” the security shop wrote on Thursday. “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected.”

Huntress, along with the other victim companies, said that there is no indication that any of its products or infrastructure were compromised, and that this security incident was specific to CRM data.

Since then, several other security and software vendors including Recorded Future, Tanium, ReliaQuest, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social have revealed that the data thieves also accessed their CRM data via the Klue integration with Salesforce.

Here’s what we do know about what happened and who is behind this latest extortion campaign.

The breach occurred on June 11, and Klue spotted the intrusion a day later. This unauthorized activity affected “a portion” of its integration infrastructure, according to the software provider.

Klue has since disconnected all of its integrations with Salesforce, Gong, HubSpot, SharePoint, and Google Drive. It also hired CrowdStrike to assist in the investigation and security response.

“Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service,” Klue CEO Jason Smith said in a Friday blog post. “The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.”

Mandiant CTO Charles Carmakal urged organizations using Klue integrations to “immediately audit their systems and monitor application logs for evidence of compromise over the past few weeks. Rotate credentials as appropriate based on the scope of compromise.”

While the attack “resembles the 2025 and 2026 third-party OAuth abuse campaigns against Salesforce,” as ReliaQuest noted, a group called Icarus began posting victims on its data-leak site. It soon became apparent that this new extortion crew - not ShinyHunters, which has frequently targeted Salesforce and stolen data from hundreds of the CRM giant's customers in attacks over the past few years - was behind this latest supply-chain incident.

Icarus, according to the group’s leak site, has been active since April 28.

After compromising Klue, the criminals began emailing affected customers. Huntress shared its extortion message, with the subject line “top secret email” purportedly sent from “mr bean,” with The Reg, and we are leaving the misspellings, and poor grammar, as is.

“This email is being written to you because your data as exfiltrated due to a breach happening to your partner, Klue.com (as them),” it reads. “Your Salesforce data has been downloaded. We advice you to write us on Session @” with a Session address, the email continues, and threatens to make the data public within 48 hours unless Huntress initiates communication with the criminals. “Do the right decision,” it says, “xoxo.”

There’s a subsequent email that simply says “wrong session lol” and then lists the correct Session ID.

Researchers don’t know too much about Icarus - yet - but this type of large-scale supply-chain attack typically paints an equally large target on the intruders’ collective backs. So we expect to hear more from law enforcement and third-party security sleuths in the upcoming days.

“There is very little publicly known about [Icarus],” Huntress' Lindsey O'Donnell-Welch told us. “IP addresses from which they are known to have accessed sensitive information include the Netherlands, France, and Ukraine. But we cannot draw any conclusions based on that information alone as these may have been VPN concentrators or Tor exit nodes.”

And while this intrusion “bears some surface-level similarities with prior Salesforce-focused extortion activity, we have not seen any evidence at this point linking Icarus to ShinyHunters,” O'Donnell-Welch added. ®
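Mandiant's advice above, to audit application logs for the integration's activity and rotate credentials according to the scope of compromise, is the kind of triage a CRM customer of any third-party connector has to do. The script below is an added example written for this article, not code from Klue, Huntress, Mandiant or Salesforce. It runs over a constructed, simplified CSV of connected-app events (the column names, the integration user, the connected-app name, the IP ranges and the bulk threshold are all assumptions; real Salesforce event log files use different field names) and flags OAuth sessions from a third-party integration that arrive from outside the vendor's known address range or pull unusually large row counts, then rolls the findings up into what a responder needs: when the suspicious activity started, how much data left, and which user/app token pairs to revoke.

```python
"""Triage connected-app (OAuth integration) activity in CRM audit logs.

Added example, not code from Klue, Huntress, Mandiant or Salesforce. The log
format is constructed and simplified; treat every field name as an assumption.
"""
import csv
import io
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample log. One integration user whose connected app normally
# talks to the org from a known provider range, then a late-night session from
# an unfamiliar address that performs two large bulk queries. The IPs are
# documentation ranges (RFC 5737), not real infrastructure.
SAMPLE_LOG = """\
timestamp,user,connected_app,source_ip,event_type,rows_processed
2026-06-10T09:00:12Z,klue-integration@example.com,Klue Connector,203.0.113.10,OAuthLogin,0
2026-06-10T09:00:15Z,klue-integration@example.com,Klue Connector,203.0.113.10,ApiQuery,150
2026-06-11T22:41:03Z,klue-integration@example.com,Klue Connector,198.51.100.77,OAuthLogin,0
2026-06-11T22:41:30Z,klue-integration@example.com,Klue Connector,198.51.100.77,BulkQuery,48000
2026-06-11T22:47:11Z,klue-integration@example.com,Klue Connector,198.51.100.77,BulkQuery,51000
2026-06-12T08:15:00Z,alice@example.com,Salesforce Web,192.0.2.5,UILogin,0
"""

# Assumed baseline: the address range the vendor's integration is expected
# to connect from. In practice this comes from the vendor or from history.
KNOWN_INTEGRATION_RANGES = {
    "Klue Connector": [ip_network("203.0.113.0/24")],
}
# Assumed threshold for "this looks like an export, not a sync"; tune per org.
BULK_ROW_THRESHOLD = 10_000


def parse_log(text):
    """Parse the constructed CSV into dicts with typed timestamp, IP and rows."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        records.append({
            "timestamp": datetime.fromisoformat(row["timestamp"].replace("Z", "+00:00")),
            "user": row["user"],
            "connected_app": row["connected_app"],
            "source_ip": ip_address(row["source_ip"]),
            "event_type": row["event_type"],
            "rows_processed": int(row["rows_processed"]),
        })
    return records


def find_suspicious(records, known_ranges, bulk_threshold):
    """Return one finding per record that breaks the integration's baseline.

    A record is flagged when its connected app has a known range and the
    source IP falls outside it, and/or when it moves more rows than the
    bulk threshold. Ordinary interactive logins with no baseline are skipped
    unless they trip the volume check.
    """
    findings = []
    for rec in records:
        reasons = []
        ranges = known_ranges.get(rec["connected_app"])
        if ranges is not None and not any(rec["source_ip"] in net for net in ranges):
            reasons.append("source IP outside the integration's known range")
        if rec["rows_processed"] >= bulk_threshold:
            reasons.append(f"bulk extraction of {rec['rows_processed']} rows")
        if reasons:
            findings.append({**rec, "reasons": reasons})
    return findings


def summarize(findings):
    """Roll findings into responder scope: first activity, volume, what to rotate."""
    if not findings:
        return {"first_seen": None, "rows_exported": 0, "revoke": []}
    return {
        "first_seen": min(f["timestamp"] for f in findings),
        "rows_exported": sum(f["rows_processed"] for f in findings),
        # (user, connected app) pairs whose OAuth tokens should be revoked
        "revoke": sorted({(f["user"], f["connected_app"]) for f in findings}),
    }


if __name__ == "__main__":
    hits = find_suspicious(parse_log(SAMPLE_LOG), KNOWN_INTEGRATION_RANGES, BULK_ROW_THRESHOLD)
    for h in hits:
        print(h["timestamp"].isoformat(), h["connected_app"], h["source_ip"],
              "; ".join(h["reasons"]))
    print(summarize(hits))
```

On the sample above the June 10 traffic is silent, and the three June 11 events from the unfamiliar address are flagged, giving a first-seen time for the scope of the credential rotation and a running total of the rows that were pulled. The key design point is that the IP check is keyed on the connected app, not the user: a stolen OAuth token is used under the integration's own identity, so the only signal left is where it is used from and how much it takes.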
