The cybersecurity industry is dealing with an uncomfortable reality this week. A breach at Klue, a competitive intelligence and market research platform used by many security vendors, has resulted in stolen data at a growing list of well-known cybersecurity companies.
According to TechCrunch, firms including Huntress, HackerOne, Jamf, Recorded Future, and Tanium have all confirmed that data was stolen as a result of the earlier Klue compromise. The breach at Klue itself was first disclosed weeks ago, but the full scope of downstream impact is only now becoming clear.

What Happened at Klue
Klue provides competitive intelligence services to cybersecurity vendors. Companies use the platform to track competitor activity, monitor product launches, and analyze market positioning. This means Klue holds sensitive business data about its clients, including internal sales strategies, product roadmaps, and customer information.
The attackers gained access to Klue’s systems and, through stolen OAuth tokens, were able to reach into Salesforce CRM instances belonging to Klue’s customers. A separate report from CSO Online confirmed that the breach exposed Salesforce CRM data through these compromised OAuth tokens, giving the attackers access to customer relationship management data across multiple firms.
Which Companies Were Affected
The confirmed victims so far read like a who’s who of the cybersecurity industry:
- Huntress: A managed detection and response platform used by thousands of MSPs
- HackerOne: The bug bounty and vulnerability disclosure platform
- Jamf: Apple device management and security company
- Recorded Future: Threat intelligence firm acquired by Mastercard
- Tanium: Endpoint management and security company
SecurityWeek reported that even more cybersecurity firms have disclosed their involvement in the breach since the initial reports surfaced. The attackers have reportedly threatened to release stolen data publicly, raising the stakes for every affected organization.
The OAuth Token Problem
What makes this breach particularly concerning is the use of stolen OAuth tokens. OAuth tokens allow applications to access data in cloud services like Salesforce without needing a username and password. Once an attacker obtains a valid token, they can move between systems and access data that the legitimate application was authorized to see.
This is not a new attack vector, but it highlights a persistent weakness in how enterprises manage third-party integrations. Many organizations grant broad OAuth permissions to SaaS tools without regularly auditing which tokens are active, what they can access, or whether they should still be trusted.
What Makes This Different From Other Breaches
Cybersecurity companies getting breached is not unprecedented, but the Klue incident stands out for a few reasons. First, the affected companies are the ones that other businesses trust to protect them. When security vendors themselves become victims, it erodes confidence in the entire ecosystem.
Second, the data at risk includes competitive intelligence and CRM data, which can expose customer lists, deal pipelines, and strategic plans. For companies in a competitive market, this kind of information leakage can be just as damaging as a traditional data breach.
Industry Response
Several of the affected companies have issued statements acknowledging the breach and outlining their response plans. HackerOne, as a bug bounty platform, is particularly sensitive to this kind of incident given that it handles vulnerability reports from security researchers worldwide.
The breach is likely to accelerate conversations around zero-trust architecture and stricter OAuth token management across the cybersecurity industry. Companies that sell security products will face increased scrutiny from customers who want assurance that their data is protected, even from the vendors they pay to protect it.
What Affected Customers Should Do
Organizations that use any of the affected platforms should monitor for unusual activity in their own Salesforce instances and other connected systems. Rotating OAuth tokens, reviewing third-party app permissions, and checking for unauthorized data access in Salesforce audit logs are all reasonable steps.
Frequently Asked Questions
What is Klue and why does it have data from cybersecurity companies?
Klue is a competitive intelligence platform that cybersecurity vendors use to track competitor activity, market trends, and sales strategies. Companies share business data with Klue to get insights, which is why the breach affected so many downstream customers.
How did the attackers get access to Salesforce CRM data?
The attackers used stolen OAuth tokens that Klue’s integrations held for its customers’ Salesforce instances. OAuth tokens allow applications to access cloud services without passwords, and once stolen, they grant the same access the original application had.
Should I stop using the affected cybersecurity products?
The breach was at Klue, not directly at the security products themselves. However, you should check whether your organization’s data was affected and follow any guidance the affected vendors provide. Most have already begun notifying impacted customers.
How can companies prevent OAuth token breaches?
Regularly audit active OAuth tokens, implement token expiration policies, use the principle of least privilege for permissions, and monitor for unusual API access patterns in cloud services. Tools like Cloud Access Security Brokers (CASBs) can help.
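As an added example (not from the original article or from any vendor named in it), the checks listed here and under "What Affected Customers Should Do" can be run as a script over an exported token inventory and API access log. The record fields, thresholds, app names and sample data are constructed assumptions, not a Salesforce export format.

```python
from datetime import datetime, timedelta

# Assumed policy values for this example; tune them to your environment.
MAX_AGE = timedelta(days=90)      # rotate tokens older than this
MAX_IDLE = timedelta(days=30)     # revoke tokens unused for this long
BROAD_SCOPES = {"full", "api"}    # scopes that need explicit approval
BULK_READ = 10000                 # records per request treated as bulk

# Constructed inventory of connected-app tokens (hypothetical field names).
TOKENS = [
    {"id": "t1", "app": "intel-sync", "scopes": {"api", "refresh_token"},
     "issued": "2025-01-10", "last_used": "2025-06-28", "approved_broad": False},
    {"id": "t2", "app": "calendar-addon", "scopes": {"openid"},
     "issued": "2025-06-01", "last_used": "2025-06-29", "approved_broad": False},
    {"id": "t3", "app": "old-dashboard", "scopes": {"full"},
     "issued": "2024-03-02", "last_used": "2024-09-15", "approved_broad": True},
]

# Constructed API access events: (token id, source IP, records read).
EVENTS = [
    ("t1", "203.0.113.7", 120), ("t1", "203.0.113.7", 95),
    ("t1", "198.51.100.44", 48000),   # new source address, bulk read
    ("t2", "192.0.2.10", 12),
]
# Source addresses each integration is expected to call from (assumed).
KNOWN_SOURCES = {"t1": {"203.0.113.7"}, "t2": {"192.0.2.10"}}

def audit_tokens(tokens, events, now):
    """Return {token id: sorted list of findings} for tokens needing action."""
    findings = {}
    for t in tokens:
        issues = set()
        if now - datetime.fromisoformat(t["issued"]) > MAX_AGE:
            issues.add("rotate: older than max age")
        if now - datetime.fromisoformat(t["last_used"]) > MAX_IDLE:
            issues.add("revoke: idle")
        if t["scopes"] & BROAD_SCOPES and not t["approved_broad"]:
            issues.add("review: unapproved broad scope")
        for tok, ip, count in events:
            if tok == t["id"] and ip not in KNOWN_SOURCES.get(tok, set()):
                issues.add("investigate: unknown source " + ip)
            if tok == t["id"] and count >= BULK_READ:
                issues.add("investigate: bulk read")
        if issues:
            findings[t["id"]] = sorted(issues)
    return findings

if __name__ == "__main__":
    print(audit_tokens(TOKENS, EVENTS, datetime(2025, 7, 1)))
```

A token that passes every inventory check can still be flagged by its access events alone, which is why the inventory review and the log review are combined in one pass.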
Has any stolen data been leaked publicly?
As of the latest reports, the attackers have threatened to release data but no public leak has been confirmed. Law enforcement and the affected companies are monitoring the situation closely.
