
Security vendor and Klue customer Huntress published its own investigation filling in that gap. The attackers had pushed a code update, designed to harvest customers’ OAuth tokens, to a Klue integration system, Huntress wrote. Klue staff later found the “token-theft code” and removed it, Huntress added in its investigation report.
The initial entry point was a credential Klue had created to prototype an integration it later dropped but never deactivated. “The threat actor seems to have leveraged a long-disused but still active credential to conduct the initial compromise — one that was originally created by Klue for them to prototype a third-party integration they later abandoned,” Huntress said. The attacker then pivoted through Klue’s infrastructure, collected customer tokens and used them to query those customers’ CRM systems before exfiltrating the data, the firm added.
Klue shut down integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack and issued a general alert on June 13, according to Huntress. That alert “did not indicate which customers were impacted,” the firm noted. It did not name any affected customers.
