The vendor you never signed with had a key to your CRM
A dead 2022 credential at a sales-intelligence company you have probably never heard of exposed CRM records belonging to customers of LastPass, Snyk, Gong, Jamf and dozens more.
Klue sells competitive-intelligence software to sales teams. You almost certainly never bought it. Your company's data may have been in it anyway.
On June 12 Klue detected an intruder in the infrastructure running its integrations. The attacker had logged in with a credential Klue issued to a third party in 2022 for a pilot. The pilot ended. The credential did not. Once inside, the attacker pushed code that harvested the OAuth tokens Klue's customers had granted it — the tokens that let Klue read their CRMs.
The tokens worked. Data was pulled out of connected Salesforce environments over a window of roughly a day. Klue revoked the tokens, severed connections to Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack, and hired CrowdStrike. Salesforce disabled the Klue Battlecards connection on June 17 and said the fault was not in its own platform.
The victim list is made of vendors you probably do pay: LastPass, Snyk, HackerOne, Gong, Sprout Social, Jamf, OneTrust, Recorded Future, Tanium, Huntress, BeyondTrust, Deel. Klue's public statement gives no total. SecurityWeek reports Klue told customers privately that 195 were affected; treat that number as unconfirmed.
Scope, precisely
No password vaults were taken. LastPass says its own infrastructure, vaults included, was untouched. What left was commercial data: names, emails, phone numbers, addresses, job titles, price quotes, support case records, sales messages.
What to actually do
- Recalibrate what "legitimate" looks like. The stolen set is pretext material of unusual quality — real ticket histories, real quoted prices. Expect mail that cites your open case correctly. "They know things only my vendor would know" has stopped being evidence of anything. Worse, Klue reportedly told customers Icarus was itself hacked and the data has moved to a second extortion crew, so more than one party holds it.
- Audit your OAuth grants this week. Google Workspace admin, Slack's app management, Salesforce's connected-app OAuth usage, Microsoft 365 enterprise applications. Revoke what you no longer use.
Every "Connect to Google Drive" click hands a company a token with this radius. One forgotten credential at that company is the whole chain.
Why it matters
Your vendors' vendors hold live tokens to your data, and you have no contract, no audit right and no visibility into any of them — a four-year-old unused credential at a company you never heard of was enough to expose your contact details, support tickets and quoted pricing. The one control you do own is the list of OAuth grants in your own admin consoles.
Sources
- An Update on the Recent Klue Security Incident — Klue (primary)
- Klue says hackers stole credential from 2022 that led to customer data breaches — TechCrunch
- Password manager maker LastPass says hackers stole customer support case data during Klue breach — TechCrunch
- Klue investigating supply chain attack on Salesforce integrations — Cybersecurity Dive
- Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks — BleepingComputer
- More Klue Breach Victims Identified as Hackers Get Hacked — SecurityWeek
- Salesforce Disables Klue App Integration After OAuth Token Abuse Exposes Customer Data — The Hacker News
Reported by Software Crit from the sources above. Every story is confirmed against at least two independent publishers before publication.
Get the weekly roundup
Honest reviews, practical comparisons and the tool news that actually changes your stack.