BeyondTrust, LastPass Impacted by Klue-Salesforce Incident

LastPass is the latest cybersecurity firm to have disclosed the impact from the Klue hack, which resulted in unauthorized access to customers’ Salesforce instances.

A threat actor calling itself Icarus used a compromised legacy credential to access Klue’s systems and generate OAuth tokens to breach third-party platforms Klue integrates with, such as Salesforce.

Icarus then accessed the connected Salesforce instances and exfiltrated data in bulk, using automated scripts. Salesforce and Gong have disabled the Klue integration in response to the attack, and over a dozen organizations have already confirmed the impact.

Incident notifications from the affected companies reveal that the attackers accessed business data available through the Klue integration, and that no internal systems were compromised.

LastPass’s notice follows the same lines: “The information accessed was limited to standard business contact information and related customer relationship management (CRM) data, including customer names, phone numbers, email addresses, and physical addresses, as well as support case data and sales-related data.”

The company says it has discontinued access to Klue, rotated exposed tokens, notified law enforcement, and launched an investigation together with Klue and Salesforce.

“It is important to note that the scope of this incident is limited to only those systems that integrate with Klue’s application. LastPass products, services, and infrastructure were not impacted in any way, and customer vaults remain secure. There is also no evidence the threat actor accessed any Gong-related data,” LastPass said.

This week, in addition to LastPass, 8x8 and Pendo announced they were affected.

Late last week, HackerOne, Huntress, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium disclosed the impact from the attack. BeyondTrust also said business contact and sales-related information was stolen from its Salesforce instance, but the notification went unnoticed.

On its Tor-based leak site, Icarus has listed several organizations as having their Salesforce data stolen, including Swiss AI communications solutions provider Gms-net. SecurityWeek has emailed the technology company for a statement and will update this article if it responds.

Icarus’s website is currently down but, before becoming inaccessible, it listed at least four other companies that have yet to publicly disclose being affected by the Klue incident, which brings the number of victims to roughly 15.

Per Huntress’s estimates, however, numerous other Klue customers were likely impacted by the data breach and are expected to come forward.

https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/