This Week's Cybersecurity Briefing
Nine cybersecurity companies just learned their own CRM data was stolen through a vendor most of their customers have never heard of. This week's biggest story isn't a flashy zero-day. It's a forgotten test credential that turned one small SaaS vendor into a backdoor for HackerOne, Huntress, Snyk, Tanium, and a dozen others. If you've ever shrugged off a "low-risk" third-party integration, this is the story that should change your mind.
Main Briefing
🔓 The Klue Breach: When Your Vendor's Vendor Gets Hacked
What happened? Klue, a Vancouver-based competitive intelligence platform, disclosed that attackers broke into its systems on June 11–12 using a compromised legacy credential — one originally created to prototype a third-party integration Klue never even shipped. Once inside, the attacker pushed a malicious code update that harvested OAuth tokens connecting Klue to customers' Salesforce instances. With valid tokens in hand, they didn't need passwords or MFA. They authenticated as Klue itself and ran automated Python scripts against the Salesforce REST API for roughly 24 hours straight, quietly pulling CRM records at scale.
Who's affected? At least a dozen organizations have confirmed impact, including HackerOne, Huntress, Snyk, Tanium, Jamf, Recorded Future, OneTrust, LastPass, BeyondTrust, and Sprout Social. Yes — the irony is not lost on anyone. Companies whose entire business is stopping this exact kind of attack got hit by it through their CRM vendor's vendor.
Timeline:
June 11–12: Attacker compromises Klue's integration infrastructure and harvests OAuth tokens
June 13: Klue disables integrations with Salesforce, HubSpot, Slack, Zoom, and others; issues a vague customer alert
June 16: Extortion emails land in victims' inboxes, sent from a hacked Australian retailer's mail servers
June 19: Klue's CEO publicly confirms the breach; the extortion group "Icarus" claims credit
June 22: Icarus begins posting stolen data on its leak site
MITRE ATT&CK angle: This maps cleanly to T1199 (Trusted Relationship) for the initial vendor compromise and T1528 (Steal Application Access Token) for the OAuth harvesting — textbook SaaS supply-chain abuse, not a flashy exploit.
Why it matters more than the headlines suggest: The stolen data itself was "just" CRM info — contacts, pricing, sales notes. No passwords, no source code, no customer secrets. But that's exactly what makes this dangerous to overlook. ReliaQuest, which first flagged the activity, called this the same OAuth-abuse playbook behind 2025's Salesloft Drift and Gainsight incidents — and warned it's "repeatable, effective, and now widely adopted." Attackers have realized that compromising one mid-tier SaaS vendor with broad, lightly-monitored OAuth access beats brute-forcing a hundred individual companies. Non-human identities — service accounts, integration tokens, abandoned test credentials — are now a bigger blind spot than phished employees.
Lessons learned:
Dead credentials are still live credentials. The root cause of Klue's incident was a forgotten integration test account that was never deactivated. Audit and kill what you don't use.
OAuth tokens deserve the same scrutiny as passwords — rotate them, scope them, log them, and treat unusual API query volume as a real signal.
Your vendor risk assessment needs to include your vendor's vendors. You can't audit Klue, but you can audit every connected app with access to your Salesforce.
Tool Spotlight
🔧 TruffleHog
An open-source secrets scanner that hunts for exposed API keys, tokens, and credentials across git history, filesystems, S3 buckets, and CI/CD logs — with over 700 detectors that actively verify whether a found credential still works, instead of just flagging look-alike strings.
Who should use it: Bug bounty hunters scanning for leaked tokens in public repos, blue teamers auditing internal codebases, and anyone doing a credential cleanup after a story like this week's.
Why it's useful: Given that this week's breach traces back to one forgotten, still-active credential, TruffleHog is exactly the kind of tool that catches that mistake before an attacker does.
Learning Resource
📘 ReliaQuest's Threat Spotlight: "The Trusted Integration That Wasn't"
ReliaQuest's writeup is the most technical public breakdown of the Klue incident — it walks through the actual attacker behavior: authenticating through the compromised service account, the Python-urllib user-agent fingerprint, the reconnaissance-then-rapid-exfiltration query pattern against Salesforce's /sobjects and /query endpoints. If you want to understand what SaaS OAuth abuse actually looks like at the log level instead of just the press-release level, this is the one to read.
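As an added example (not code from the ReliaQuest writeup or this newsletter), the Python below turns the log-level pattern described above, together with the "treat unusual API query volume as a real signal" lesson, into a small detector run over constructed API-access records: a scripting user agent, a burst of /query calls, and a describe-then-query ordering. The record format, user names, user-agent strings and thresholds are assumptions, not real Klue or Salesforce data.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample lines, not real Salesforce logs: "<ts> <user> <user-agent> <method> <uri>".
# The integration user enumerates objects, then pages through query results at machine speed.
SAMPLE_LOG = """\
2025-06-12T02:00:01Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/sobjects
2025-06-12T02:00:05Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/sobjects/Contact/describe
2025-06-12T02:01:00Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/query?q=SELECT+Id,Email+FROM+Contact
2025-06-12T02:01:03Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/query/01gA0000000001-2000
2025-06-12T02:01:06Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/query/01gA0000000001-4000
2025-06-12T02:01:09Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/query/01gA0000000001-6000
2025-06-12T02:01:12Z vendor-integration@example.com Python-urllib/3.11 GET /services/data/v60.0/query?q=SELECT+Id,Name+FROM+Account
2025-06-12T02:03:00Z sales-sync@example.com SyncConnector/2.1 GET /services/data/v60.0/query?q=SELECT+Id+FROM+Opportunity
2025-06-12T02:45:00Z sales-sync@example.com SyncConnector/2.1 GET /services/data/v60.0/query?q=SELECT+Id+FROM+Lead
"""
SCRIPTED_UA = ("python-urllib", "python-requests")  # generic scripting clients, assumed atypical for a vendor SDK

def parse(log_text):
    """Parse the constructed format into (timestamp, user, user_agent, uri) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, user, ua, _method, uri = line.split(" ", 4)
        events.append((datetime.fromisoformat(ts.replace("Z", "+00:00")), user, ua, uri))
    return events

def kind(uri):
    # Object/field enumeration (recon) vs record retrieval (query), ignoring the query string.
    path = uri.split("?", 1)[0]
    return "recon" if "/sobjects" in path else "query" if "/query" in path else "other"

def detect(events, burst_n=5, window_s=300):
    """Return {user: indicators} for users showing at least two of the three indicators."""
    by_user = defaultdict(list)
    for ts, user, ua, uri in events:
        by_user[user].append((ts, ua, kind(uri)))
    findings = {}
    for user, evs in by_user.items():
        evs.sort()
        hits = set()
        if any(ua.lower().startswith(SCRIPTED_UA) for _, ua, _ in evs):
            hits.add("scripted_user_agent")
        q = [ts for ts, _, k in evs if k == "query"]
        r = [ts for ts, _, k in evs if k == "recon"]
        if any((q[i + burst_n - 1] - q[i]).total_seconds() <= window_s for i in range(len(q) - burst_n + 1)):
            hits.add("query_burst")  # burst_n query calls (fresh queries or nextRecordsUrl pages) inside window_s
        if r and q and r[0] < q[0]:  # describe the schema first, then pull records
            hits.add("recon_then_exfil")
        if len(hits) >= 2:
            findings[user] = hits
    return findings
```

Tune burst_n and window_s to each connected app's normal baseline; a legitimate nightly sync can page through results quickly too, which is why the detector requires two independent indicators before flagging a user.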
Quick Hits
🛑 CISA: Patch Lantronix EDS5000 now. A 9.8-severity command injection flaw (CVE-2025-67038) in these serial-to-IP industrial gateways is being actively exploited in the wild — attackers appear to have reverse-engineered the patch itself to build the exploit.
🌐 Ubiquiti UniFi OS hit with a 10.0. Three chainable flaws (CVE-2026-34908/34909/34910) let an unauthenticated attacker fully compromise UniFi OS devices remotely. Patch to Server version 5.0.8+.
🚓 Operation Endgame takes down SocGholish, Amadey, and StealC. Europol-led action across six countries seized 326 servers, 142 domains, $47M in crypto, and 27 million stolen credentials — disrupting the malware "assembly line" that feeds ransomware gangs their initial access.
🕵️ A new backdoor named Mistic is targeting insurance, education, and IT firms, linked to initial access broker KongTuke. It runs entirely in memory with a self-deleting kill switch — built for long-term, low-visibility access.
💳 A custom credential sniffer has harvested 110M+ logins since February, according to SecurityWeek — a reminder that infostealer campaigns rarely make headlines until the data shows up for sale.
Upgrade for the Full Picture
The free rundown covers what happened. Premium members get the part that actually changes how you defend: a full technical breakdown of the Klue OAuth abuse chain mapped to detection queries you can run today, plus this week's updated OAuth & SaaS Integration Security Checklist — built for exactly this kind of incident.
