The latest wave of Salesforce data thefts impacted several technology and cybersecurity companies, and the extortion group behind the attacks indicated more victims are coming.
The attacks first came to light June 17 when Salesforce disabled integration with Klue’s Battlecards application following a breach at the app vendor. Cybersecurity vendor Huntress was the first company to publicly acknowledge its Salesforce data had been compromised, and extortion group Icarus took credit for the attacks and warned more victims would emerge.
Since then, additional companies have issued disclosures regarding compromised Salesforce data. LastPass said yesterday in a blog post that it was affected by the attacks. While threat actors accessed customer data within the password manager’s Salesforce instance, LastPass emphasized that its products, services, and infrastructure were unaffected and that “customer vaults remain secure.”
LastPass also noted that while Klue’s market intelligence platform integrated with its Gong systems, there was “no evidence the threat actor accessed any Gong-related data.”
Like many organizations that disclosed compromised Salesforce instances, LastPass said it immediately suspended all company access to Klue, rotated exposed API access tokens, and launched an investigation into the attack. Additional cybersecurity and technology companies that disclosed attacks include HackerOne, Recorded Future, Jamf, Snyk, OneTrust, Insurity, Tanium, and Sprout Social.
Scope of Klue OAuth Token Abuse
It appears threat actors may have access to more than just Salesforce instances. Gong itself published a blog post Friday stating that attackers may have accessed “internal licensed user data” for a subset of Gong customers that used the Klue integration. The Gong data accessed includes usernames, user business titles, and user emails, according to the company.
“To be clear: this was an incident that originated with third-party integrator Klue. It was not a direct breach of Gong’s own products or systems,” the company stated. “Impacted customers were those who chose to connect Klue with Gong. Gong has not identified any direct impact to customer call recordings or transcripts.”
Gong added that Klue provided the company with four suspicious IP addresses, which Gong blocked. After investigating the activity tied to those IP addresses, Gong determined some customer data was compromised.
Dark Reading contacted Gong for further comment.
The compromise of more Salesforce instances and Gong user emails could raise concerns about exposed secrets. In previous Salesforce attacks last year — which were tied to the breach of another third-party app vendor, Salesloft — some victims acknowledged that their instances contained secrets. For example, Cloudflare discovered 104 API tokens in its Salesforce instance, which were contained in some support case data files. Those tokens were promptly rotated.
The specter of last year’s attacks may have prompted companies affected by Icarus’s campaign to carefully review impacted data for any potential secrets or sensitive information beyond what would traditionally be contained in Salesforce instances.
For example, HackerOne noted in its disclosure that it has “strict data segmentation policies and controls” that keep customer vulnerability data out of its CRM systems. “Further, our preliminary forensic investigation has found no indication that any such data was accessed,” the company said.
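The review described above, checking exported CRM records for secrets that should never have been there, is something an incident responder can script rather than eyeball. The following is an added example, not code from Dark Reading or from any of the companies named in this article. It scans constructed sample records for a few publicly documented credential formats (AWS access key IDs, GitHub personal access tokens, JWTs) plus a generic high-entropy-string check, and reports masked findings so the scan output itself does not become another copy of the secret. The record layout, field names, and sample values are assumptions made for the example.

```python
import math
import re
from typing import Dict, List, Sequence

# Constructed sample of exported CRM records (support case descriptions and
# opportunity notes). Made-up rows for this example, not data from any real
# Salesforce instance; the credential-looking values are fabricated.
SAMPLE_RECORDS = [
    {"Id": "CASE-0001", "Description": "Customer reports login failures since Tuesday."},
    {"Id": "CASE-0002", "Description": "Debug attached. key=AKIAEXAMPLEKEY0000AB used in the test script."},
    {"Id": "OPP-0001", "Notes": "Follow up next week on renewal pricing."},
    {"Id": "CASE-0003", "Description": "Webhook token: ghp_AbCdEfGhIjKlMnOpQrStUvWxYz0123456789"},
    {"Id": "CASE-0004", "Description": "Customer pasted: Bearer eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMSJ9.TJVA95OrM7E2cBab30RMHrHDcEfxjoYZgeFONFh7HgQ"},
    {"Id": "CASE-0005", "Description": "Integration config: api_secret=Zq8vL2xN9pR4tW7yB1cD6fH3jK5mS0uE"},
]

# Publicly documented credential formats. Named patterns are checked first;
# anything they match is not re-reported by the generic entropy check.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "github_pat": re.compile(r"\bghp_[A-Za-z0-9]{36}\b"),
    "jwt": re.compile(r"\beyJ[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\.[A-Za-z0-9_-]+\b"),
}

# Generic catch-all: long runs of token-like characters with high entropy.
GENERIC = re.compile(r"[A-Za-z0-9_\-]{32,}")
ENTROPY_THRESHOLD = 4.0  # bits per character; tune against your own false-positive rate


def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; 0.0 for a repeated single character."""
    counts: Dict[str, int] = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def mask(value: str) -> str:
    """Keep just enough to locate the value in the record, never the full secret."""
    if len(value) <= 8:
        return "*" * len(value)
    return f"{value[:4]}...{value[-2:]}"


def scan_text(text: str) -> List[Dict[str, str]]:
    """Return masked findings for one free-text field."""
    findings: List[Dict[str, str]] = []
    covered = []  # spans already attributed to a named pattern
    for kind, pattern in PATTERNS.items():
        for m in pattern.finditer(text):
            covered.append(m.span())
            findings.append({"kind": kind, "masked": mask(m.group(0))})
    for m in GENERIC.finditer(text):
        start, end = m.span()
        if any(s <= start and end <= e for s, e in covered):
            continue  # already reported under a more specific name
        if shannon_entropy(m.group(0)) >= ENTROPY_THRESHOLD:
            findings.append({"kind": "high_entropy_string", "masked": mask(m.group(0))})
    return findings


def scan_records(records: Sequence[Dict[str, str]],
                 text_fields: Sequence[str] = ("Description", "Notes")) -> List[Dict[str, str]]:
    """Scan the free-text fields of each record; each finding names record, field and kind."""
    results: List[Dict[str, str]] = []
    for rec in records:
        for field in text_fields:
            text = rec.get(field)
            if not text:
                continue
            for f in scan_text(text):
                results.append({"record": rec["Id"], "field": field, **f})
    return results


if __name__ == "__main__":
    for finding in scan_records(SAMPLE_RECORDS):
        print(f"{finding['record']:<10} {finding['field']:<12} {finding['kind']:<20} {finding['masked']}")
```

On the sample rows this flags four records; each hit is a candidate for rotation of the credential and for review of how it ended up in a support case or note. The named patterns are deliberately few; a real review would extend PATTERNS with the formats the organization actually issues and would run against a full export of the affected objects, not only Description and Notes.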
Icarus Gang Leaks Stolen Data
On its Dark Web leak site, Icarus previously set a Monday deadline for Klue customers to contact the extortion group. And sure enough, Icarus began posting data from victim organizations, albeit with company names partially redacted. At press time, six Klue customers were listed on the site.
Huntress confirmed in a Monday update that the data posted by Icarus was in line with the scope previously determined by its investigation. Additionally, the cybersecurity vendor confirmed that no products, infrastructure data, telemetry, passwords, or payment card information was accessed.
“The files for Huntress are limited to Salesforce data, which includes business contact information (e.g., full names, work emails, job title, phone number, and business addresses), business names, products trialed/used, subscription details (units, pricing), and sales-related communications (such as price quotes, contacts, and tasks) with Huntress customers and partners, as well as opportunity notes (i.e., free form fields where teammates can capture and track thoughts and next steps),” Huntress said.
In an accompanying video, Tom Lawrence, community growth strategist at Huntress, said the primary risk of the Salesforce compromise was threat actors sending Huntress customers a targeted and convincing message for a social engineering attack. Therefore, he said, customers should verify any incident-related messages through known channels only, and verify messages out-of-band on a separate channel before, say, transferring funds or handing over credentials.
