Klue Supply Chain Compromise and CRM Data Exfiltration Incident Advisory

Advisory
June 19, 2026
Kudelski Security Team

Summary

A software supply chain attack targeting the market intelligence platform Klue resulted in unauthorized access to customer integrations and subsequent data exfiltration from downstream SaaS applications, including CRM systems.

The intrusion began when a threat actor compromised Klue's backend environment and introduced malicious code designed to harvest OAuth tokens used by customer integrations. These tokens were then leveraged to access connected third-party services and extract data directly from customer environments.

Huntress is among the impacted organizations, alongside other Klue customers. The exposed data consisted primarily of CRM and sales-related information; there is no indication that product infrastructure, engineering systems, threat telemetry, payment data, or passwords were compromised.

Affected Systems and/or Applications

The incident impacted organizations using Klue integrations with the following third-party services:

  • Salesforce
  • HubSpot
  • SharePoint
  • Zoom
  • Gong
  • Chorus.ai
  • Clari
  • Google Drive
  • Slack

Scope of impact:

  • OAuth tokens associated with Klue integrations were stolen
  • CRM queries were executed against customer systems
  • Data was exfiltrated from Salesforce and related systems
  • No compromise of core Huntress product infrastructure or telemetry was identified

Technical Details

The intrusion originated when a long-unused but still active credential associated with Klue was leveraged to gain initial access to its backend systems. The threat actor used this foothold to deploy malicious code into integration workflows, specifically targeting mechanisms responsible for handling customer OAuth tokens. These tokens, which are used to authorize connections between Klue and third-party SaaS platforms, were covertly harvested as they were processed.

Once the attacker obtained valid OAuth credentials, they pivoted into downstream customer environments and used the stolen tokens to authenticate directly against integrated services. This enabled them to perform API-driven queries against connected systems, including CRM platforms such as Salesforce, where they systematically extracted records through standard query endpoints. The activity was characterized by automated data retrieval at scale, consistent with bulk CRM data enumeration rather than interactive user behavior.

From there, the attacker leveraged the compromised integrations to access additional connected services, including sales and collaboration platforms, and exfiltrated structured business data such as contacts, pricing information, sales communications, and internal notes. The attack ultimately demonstrated a chained supply chain compromise, where a single upstream integration failure enabled cascading unauthorized access across multiple downstream environments.

Indicators of Compromise (IOCs)

Type         Value
IP Address   138.226.246[.]94
IP Address   212.86.125[.]24
IP Address   213.111.148[.]90
IP Address   94.154.32[.]160

Additional Telemetry Findings

  • Abnormal API activity targeting /services/data/v59.0/query/ endpoints
  • Repeated use of non-standard or blank User-Agent strings ("5238")
  • Python-based automation observed in query patterns:
    • Python-urllib/3.12
    • Python-urllib/3.14

Mitigation

Organizations potentially impacted by similar integrations should take the following actions:

1. Immediate Response Actions

  • Revoke and rotate all OAuth tokens associated with:
    • Klue integrations
    • Connected SaaS applications (Salesforce, HubSpot, etc.)
  • Force session invalidation across impacted platforms

2. Log Review

  • Review API and authentication logs for:
    • Suspicious query patterns to /services/data/v59.0/query/
    • Unusual bulk data extraction activity
    • Python-based or non-standard user agents
  • Correlate activity with provided IOCs:
    • 138.226.246[.]94
    • 212.86.125[.]24
    • 213.111.148[.]90
    • 94.154.32[.]160
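The telemetry findings above and this Log Review step describe one hunt: requests to the /services/data/v59.0/query/ endpoint from the listed IOC IPs, carrying Python-urllib, blank or "5238" User-Agent strings, at bulk volume. The script below is an added example (not from the advisory, Klue or Huntress) that runs that logic over constructed sample log lines; the access-log format and field order, and the bulk threshold of three query hits per client, are assumptions to adapt to your own SaaS audit logs.

```python
import re
from collections import Counter

# IOC IPs from the advisory, refanged ("[.]" -> ".") so they match raw log fields.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
QUERY_PATH = "/services/data/v59.0/query/"
BULK_THRESHOLD = 3  # query-endpoint hits per client IP before flagging bulk enumeration (assumed)

# Constructed sample lines in an assumed format: <timestamp> <client_ip> <method> <path> <status> "<user_agent>"
SAMPLE_LOG = """\
2026-06-10T02:14:05Z 138.226.246.94 GET /services/data/v59.0/query/?q=SELECT+Id,Email+FROM+Contact 200 "Python-urllib/3.12"
2026-06-10T02:14:06Z 212.86.125.24 GET /services/data/v59.0/query/?q=SELECT+Id+FROM+Opportunity 200 "5238"
2026-06-10T02:15:11Z 10.0.0.5 GET /services/data/v59.0/query/?q=SELECT+Name+FROM+Account+LIMIT+1 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-06-10T02:15:40Z 10.0.0.5 GET /services/data/v59.0/sobjects/Account/001XX0000000001 200 "Mozilla/5.0 (Windows NT 10.0)"
2026-06-10T02:16:02Z 138.226.246.94 GET /services/data/v59.0/query/?q=SELECT+Id,Amount+FROM+Opportunity 200 "Python-urllib/3.14"
2026-06-10T02:16:03Z 138.226.246.94 GET /services/data/v59.0/query/?q=SELECT+Id,Subject+FROM+Task 200 "Python-urllib/3.14"
2026-06-10T02:17:30Z 203.0.113.7 GET /services/data/v59.0/query/?q=SELECT+Id+FROM+Lead 200 ""
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')

def parse_line(line):
    """Return one parsed record, or None when the line does not match the assumed format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, ip, method, path, status, ua = m.groups()
    return {"ts": ts, "ip": ip, "method": method, "path": path, "status": int(status), "ua": ua}

def is_suspicious_ua(ua):
    """Blank UA, the literal '5238' string, or Python urllib automation, as reported in the advisory."""
    return ua == "" or ua == "5238" or ua.startswith("Python-urllib/")

def analyze(log_text, bulk_threshold=BULK_THRESHOLD):
    """Flag query-endpoint requests from IOC IPs or with suspicious UAs; report clients querying in bulk."""
    findings, query_hits = [], Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["path"].startswith(QUERY_PATH):
            continue  # only the SOQL query endpoint matters for this hunt
        query_hits[rec["ip"]] += 1
        reasons = []
        if rec["ip"] in IOC_IPS:
            reasons.append("ioc_ip")
        if is_suspicious_ua(rec["ua"]):
            reasons.append("suspicious_ua")
        if reasons:
            findings.append({"ts": rec["ts"], "ip": rec["ip"], "ua": rec["ua"], "reasons": reasons})
    # Volume alone is a signal: bulk enumeration shows up as many query calls from one client.
    bulk = {ip: n for ip, n in query_hits.items() if n >= bulk_threshold}
    return findings, bulk
```

Run `analyze(SAMPLE_LOG)`: the two hits from 203.0.113.7 and the benign 10.0.0.5 client show why IP, User-Agent and volume should be checked together rather than relying on the IOC list alone.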

3. Vendor Coordination

  • Request missing or incomplete API logs from affected SaaS providers
  • Coordinate with vendors to validate token usage history and session activity

4. Credential and Access Hardening

  • Rotate API keys and OAuth credentials for all third-party integrations
  • Enforce least-privilege access for integration tokens
  • Regularly audit inactive or legacy integrations

5. Email and Threat Monitoring

  • Search inboxes and spam folders for extortion-related messages
  • Preserve suspicious emails for forensic investigation
  • Monitor for data leakage references tied to CRM or Salesforce exports

6. Incident Response Preparedness

  • Engage cyber insurance and incident response teams if exposure is suspected
  • Establish procedures for rapid token revocation and integration shutdown
  • Implement continuous monitoring for SaaS-to-SaaS integration abuse
