Ransomware stories rarely end with a single threat to publish data. The Klue breach proves the point, and it has now taken a fresh turn. The list of affected customers has grown. Worse still, the stolen data may have passed from one criminal group to another. According to SecurityWeek, roughly two dozen companies have confirmed in recent days that attackers compromised their Salesforce instances through the Klue integration.
More Victims Come Forward
New notifications have revealed several additional affected organizations. Among them are AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Earlier reports had already linked the attack to other Klue customers. However, the latest disclosures show that the fallout reaches wider than the first public accounts suggested. Even so, SecurityWeek notes that not every customer was hit. Autodesk, for instance, may not have used the Klue–Salesforce link, so it escaped unharmed.
How the Attack Unfolded
The attack itself occurred on June 11 and 12. The intruders entered Klue using compromised legacy credentials. From there, they obtained OAuth tokens for customer integrations and used them to extract data from Salesforce. Such tokens let services exchange information without re-entering a password. Therefore, stealing them effectively handed the attackers ready-made access to connected systems.
Salesforce disabled the Klue integration on June 17. Judging by its status page, the company has not yet restored it. Gong also cut its own link to Klue. Meanwhile, Klue publicly confirmed the leak and announced an investigation, though it has not yet shared detailed findings.
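The article's mechanism is worth pausing on for defenders: once an integration's OAuth tokens are stolen, Salesforce sees ordinary, authenticated API calls from a trusted connected app, so the remaining signal is how the token is used rather than whether it is valid. The following is an added example, not code from the article, from Klue or from Salesforce. It runs a small detector over constructed API-usage records (a simplified shape, not Salesforce's Event Monitoring schema) and flags a connected app whose token is suddenly used from a new source IP, for an operation type it never performed before, or at many times its usual volume within a short window. The app name `klue-sync`, the user names and the IP addresses are all made up for the example.

```python
"""Flag anomalous Salesforce-style API access through an integration's OAuth token.

Added example, not code from the article, Klue or Salesforce. Record shape,
app names, users and IPs are constructed; this is not the Event Monitoring schema.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime
    app: str          # connected app that presented the OAuth token (constructed)
    user: str         # integration user the token was issued for (constructed)
    source_ip: str    # client IP seen by the API (constructed, RFC 5737 ranges)
    rows: int         # rows returned by the call
    operation: str    # "query", "bulk_export", ...


# Constructed sample: a week of normal nightly sync traffic, then a burst of bulk
# exports from a new IP on the dates the article gives for the attack.
_BASE = datetime(2025, 6, 4, 3, 0)
EVENTS = [
    ApiEvent(_BASE + timedelta(days=d), "klue-sync", "integ@example.com",
             "203.0.113.10", 400 + d, "query")
    for d in range(7)
]
EVENTS += [
    ApiEvent(datetime(2025, 6, 11, 14, 2), "klue-sync", "integ@example.com",
             "198.51.100.7", 50_000, "bulk_export"),
    ApiEvent(datetime(2025, 6, 11, 14, 9), "klue-sync", "integ@example.com",
             "198.51.100.7", 48_000, "bulk_export"),
    ApiEvent(datetime(2025, 6, 12, 2, 55), "other-app", "svc@example.com",
             "203.0.113.20", 300, "query"),
]


def detect(events, min_history=3, volume_factor=10, window=timedelta(hours=1)):
    """Return (findings, apps_to_revoke).

    Each finding is (timestamp, app, user, [reasons]). The per-app baseline
    (known IPs, known operations, typical row count) is built only from events
    that were NOT flagged, so an attacker's burst cannot normalise itself.
    """
    findings = []
    known_ips = defaultdict(set)
    known_ops = defaultdict(set)
    history = defaultdict(list)   # per-app row counts of unflagged events
    recent = defaultdict(list)    # per-app (ts, rows) inside the rolling window

    for ev in sorted(events, key=lambda e: e.ts):
        reasons = []
        if len(history[ev.app]) >= min_history:
            typical = max(history[ev.app])
            if ev.source_ip not in known_ips[ev.app]:
                reasons.append(f"new source IP {ev.source_ip}")
            if ev.operation not in known_ops[ev.app]:
                reasons.append(f"first use of operation {ev.operation}")
            # Rows pulled by this app within the window, including this call.
            recent[ev.app] = [(t, r) for t, r in recent[ev.app] if ev.ts - t <= window]
            windowed = sum(r for _, r in recent[ev.app]) + ev.rows
            if windowed > volume_factor * typical:
                reasons.append(f"{windowed} rows within {window} vs typical {typical}")
        recent[ev.app].append((ev.ts, ev.rows))

        if reasons:
            findings.append((ev.ts, ev.app, ev.user, reasons))
        else:
            known_ips[ev.app].add(ev.source_ip)
            known_ops[ev.app].add(ev.operation)
            history[ev.app].append(ev.rows)

    # Any app with a finding is a candidate for token revocation / disablement.
    apps_to_revoke = sorted({app for _, app, _, _ in findings})
    return findings, apps_to_revoke


if __name__ == "__main__":
    found, revoke = detect(EVENTS)
    for ts, app, user, reasons in found:
        print(f"{ts} {app} ({user}): " + "; ".join(reasons))
    print("revoke tokens for:", revoke)
```

The baseline of "typical" volume is deliberately learned only from unflagged events; feeding the burst back into the baseline would let a second, slightly smaller burst pass. In a real deployment the same three checks would run over Salesforce's own API event feed, and a hit on an integration app would trigger the step the article describes, namely disabling the connected app and revoking its tokens while the vendor investigates.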
A Ransom, Then a Strange Twist
A threat actor calling itself Icarus claimed responsibility for the attack. Icarus added Klue and some of its customers to a Tor-based leak site. Moreover, it threatened to publish the stolen information unless it received a ransom. According to SecurityWeek, that data consisted mainly of business contacts and support records.
From there, the story grew tangled. As TechCrunch reports, citing customer notifications, Klue made contact with Icarus, after which the actor began deleting the stolen data. The Icarus leak site then stayed offline for several days. SecurityWeek suggests this pattern may point to a ransom payment, yet no confirmation exists.
The Hackers Themselves Get Hacked
The most surprising detail involves the extortionists rather than Klue. According to SecurityWeek, Klue told customers that Icarus had apparently been hacked too. As a result, some of the stolen data ended up with a different threat actor, which is now reportedly attempting to extort the victims itself.
In total, the incident may affect 195 Klue customers. However, preliminary information suggests the second group obtained only data samples from Icarus. So far, no other known extortion group has publicly claimed to hold material from this incident.