Fast Facts
- Multiple Salesforce customer breaches have been linked to attackers abusing third-party app integrations, most recently Klue's Battlecards app, through stolen OAuth tokens.
- Attackers used OAuth tokens obtained from Klue's side of the integration to query Salesforce data, exfiltrating customer information over roughly 24 hours in bursts of high query volume.
- The incident is a supply chain attack: the threat actors first breached Klue's backend using a long-unused credential, and Klue began remediation as soon as the intrusion was found.
- The latest activity is attributed to a newly named threat group, Icarus, which has sent extortion demands and appears to operate from compromised infrastructure, including mail servers belonging to Australian companies.
Salesforce Data Breaches Widen Through Klue App Compromise
Recent security breaches have exposed a recurring weakness in Salesforce's ecosystem. Threat actors abused a third-party app, Klue's Battlecards, to reach sensitive customer data held in Salesforce. Salesforce suspended the app's integration after spotting unusual activity, and it stated that the problem lay in the app connection itself rather than in any flaw in the Salesforce platform. The incident follows earlier breaches that ran through other third-party integrations, including Salesloft and Gainsight. Researchers note that such SaaS integrations, convenient as they are, give attackers a trusted path into valuable data: a connected app's OAuth token carries the same data access the app was granted, so stealing the token is as good as stealing the account. In these attacks the actors used compromised OAuth tokens and automated scripts to exfiltrate data over a 24-hour period. The number of affected customers is still unknown, but at least one company has confirmed that its data, including business contacts and sales quotes, was stolen. The pattern underlines how important it is for organizations to inventory, monitor and constrain their third-party app connections.
Threat Groups and Response Strategies in Ongoing Salesforce Attacks
Analysis attributes the attacks to different threat groups. Earlier Salesforce-related intrusions were linked to the cybercrime collective ShinyHunters; the latest wave is attributed to a new group calling itself Icarus. Icarus has used extortion tactics, sending emails that threaten to publish stolen data unless a ransom is paid. Evidence suggests that Icarus entered through credentials belonging to a long-dormant Klue account. Once inside Klue's backend, the group deployed malicious code to harvest the OAuth tokens Klue held for its customers' Salesforce orgs, which gave it immediate access to those customers' data. It then ran automated tooling to pull data in short bursts, at times issuing thousands of queries within minutes. One company reported that its data, including contacts and sales information, was copied in this way. Experts advise affected organizations to revoke every token issued to the compromised app, rotate the passwords and secrets of the integration users involved, and tighten controls such as login IP restrictions on integration users and connected apps, so that a stolen token alone is not enough to reach the data. Continued vigilance is needed, because attackers keep treating trusted SaaS apps as gateways to sensitive business information.
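The burst pattern described in this and the previous section (thousands of queries in a few minutes from a single integration user and client) is something a defender can catch from exported API event logs. Below is an added example that is not code from the article, from Salesforce or from Klue: a sliding-window detector that alerts per (user, client) pair when either the query count or the rows returned inside a five-minute window crosses a threshold. The log data is constructed, the user IDs and the client name `battlecards-sync` are hypothetical, and the column names are only modelled on Salesforce EventLogFile "API" events, so map them to your org's real export before use.

```python
"""Sliding-window burst detection over Salesforce-style API event log lines.

Added example (not code from the article, Salesforce or Klue). It models the
pattern the article describes, a connected app issuing thousands of SOQL
queries in a few minutes, and flags it per (user, client) pair. The log is
constructed below; column names follow the EventLogFile "API" event type only
loosely, so treat the schema as an assumption and map it to your export.
"""
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

WINDOW = timedelta(minutes=5)
QUERY_THRESHOLD = 1000      # queries per window before we alert
ROWS_THRESHOLD = 500_000    # rows returned per window before we alert
QUERY_METHODS = {"query", "queryAll", "queryMore"}

HEADER = "TIMESTAMP_DERIVED,USER_ID,CLIENT_NAME,METHOD_NAME,ENTITY_NAME,ROWS_PROCESSED"


def _line(ts, user, client, method, entity, rows):
    return f"{ts.isoformat(timespec='milliseconds')}Z,{user},{client},{method},{entity},{rows}"


def build_sample_log():
    """Constructed data: routine interactive use, then a 4-minute automated burst.

    The user IDs and the client name 'battlecards-sync' are hypothetical."""
    base = datetime(2025, 1, 15, 2, 0, 0)
    lines = [HEADER]
    for i in range(10):                      # one query every 6 minutes, small result sets
        lines.append(_line(base + timedelta(minutes=6 * i),
                           "005xx000001AAAAA", "Salesforce Web", "query", "Account", 40))
    burst = base + timedelta(hours=1)
    for i in range(1200):                    # 1200 queries, 200 ms apart, 2000 rows each
        lines.append(_line(burst + timedelta(milliseconds=200 * i),
                           "005xx000001BBBBB", "battlecards-sync", "query", "Contact", 2000))
    return "\n".join(lines) + "\n"


def load_events(csv_text):
    """Parse the CSV export into dicts with a datetime and an int row count."""
    events = []
    for rec in csv.DictReader(StringIO(csv_text)):
        events.append({
            "ts": datetime.strptime(rec["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%S.%fZ"),
            "user": rec["USER_ID"],
            "client": rec["CLIENT_NAME"],
            "method": rec["METHOD_NAME"],
            "entity": rec["ENTITY_NAME"],
            "rows": int(rec["ROWS_PROCESSED"] or 0),
        })
    return events


def detect_bursts(events, window=WINDOW, query_threshold=QUERY_THRESHOLD,
                  rows_threshold=ROWS_THRESHOLD):
    """Return one alert per (user, client) the first time either threshold trips
    inside a sliding window. Input may be unsorted; exports are not ordered."""
    recent = defaultdict(deque)        # key -> deque of (ts, rows) inside the window
    rows_in_window = defaultdict(int)
    alerts = {}
    for e in sorted(events, key=lambda ev: ev["ts"]):
        if e["method"] not in QUERY_METHODS:
            continue
        key = (e["user"], e["client"])
        q = recent[key]
        q.append((e["ts"], e["rows"]))
        rows_in_window[key] += e["rows"]
        while q and e["ts"] - q[0][0] > window:    # expire events older than the window
            _, old_rows = q.popleft()
            rows_in_window[key] -= old_rows
        if key in alerts:
            continue
        too_many = len(q) >= query_threshold
        too_wide = rows_in_window[key] >= rows_threshold
        if too_many or too_wide:
            alerts[key] = {
                "user": e["user"], "client": e["client"],
                "first_seen": q[0][0], "triggered_at": e["ts"],
                "queries_in_window": len(q), "rows_in_window": rows_in_window[key],
                "reason": "query_rate" if too_many else "row_volume",
            }
    return list(alerts.values())


if __name__ == "__main__":
    for alert in detect_bursts(load_events(build_sample_log())):
        print(alert)
```

On the constructed log the interactive user never trips either threshold, while the integration user is flagged on row volume well before the query-count limit is reached, which is the more useful signal here: exfiltration is about rows leaving the org, not request count. Baseline the two thresholds per connected app from a few weeks of normal traffic, and treat a hit as grounds to revoke that app's tokens and review the user's login IP ranges.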
