Attackers Compromise Klue, Hijack OAuth Tokens to Exfiltrate Salesforce Customer Data
What Happened — Attackers breached the SaaS vendor Klue, extracted OAuth refresh tokens, and used those tokens to gain unauthorized access to customers’ Salesforce environments, downloading contact, opportunity, and custom‑object data. The incident expands the “Icarus” campaign that targets Salesforce users through compromised third‑party integrations.
Why It Matters for Compliance & Audit Readiness
- Demonstrates the need for SOC 2 vendor‑management controls that require continuous monitoring of third‑party token issuance and revocation.
- Highlights the importance of maintaining auditable evidence (token‑lifecycle logs, revocation policies) to satisfy the Security and Availability criteria.
- Shows how a supply‑chain credential compromise can cascade into a data‑exposure event, underscoring the value of Verisq’s vendor‑risk capability for audit evidence.
Who Is Affected — SaaS providers, CRM platforms, and their enterprise customers across technology, financial services, and other sectors that integrate with third‑party applications.
Recommended Actions
- Review and tighten OAuth token issuance, storage, and revocation processes for all third‑party integrations.
- Incorporate continuous vendor‑risk monitoring into your SOC 2 audit program, capturing evidence of token‑lifecycle management.
- Conduct a focused risk assessment of all applications that have access to critical CRM data and update contracts to include security‑by‑design clauses.
Source: Dark Reading
Technical Notes — The attackers leveraged stolen OAuth refresh tokens from Klue’s integration, allowing them to generate fresh access tokens without user interaction. No specific CVE was cited; the vector is credential theft via a compromised third‑party application. Exfiltrated data included contact records, opportunity details, and custom object fields from Salesforce.