Klue, a competitive intelligence platform used by dozens of cybersecurity companies, has suffered a supply chain breach that exposed OAuth tokens, Salesforce data, and internal credentials. The incident, confirmed by multiple affected firms, is one of the more ironic cybersecurity breaches in recent memory: a company that helps track competitor threats became a threat vector itself.
What Happened in the Klue Breach
According to reports from SecurityWeek and Rescana, the attack unfolded in multiple stages. Attackers first gained access to Klue’s infrastructure, then used that access to harvest OAuth tokens that Klue’s customers had connected to the platform. Those tokens provided a direct path into Salesforce instances, email systems, and internal dashboards at several cybersecurity firms.
The breach was initially detected when security researchers noticed anomalous API activity originating from Klue’s IP ranges. By the time affected companies were notified, attackers had already exfiltrated data from at least six organizations.
Which Companies Were Affected?
Rescana’s incident report identified several affected companies but stopped short of naming all of them publicly. What is known is that the victims include mid-tier cybersecurity vendors that used Klue to monitor competitor product launches, pricing changes, and market positioning. The data stolen includes:
- Salesforce CRM records with client contact information
- Internal product roadmaps and strategy documents
- Employee credentials and API keys stored in Klue’s platform
- OAuth tokens that could be used to access third-party services
The irony is sharp. These companies used Klue to gather intelligence on their competitors. The breach gave attackers access to that same intelligence, plus the internal operations of the security firms themselves.
The Supply Chain Problem
The Klue incident highlights a growing problem in the cybersecurity industry: supply chain risk. Companies that build security tools often connect them deeply into their own infrastructure through API integrations, OAuth tokens, and shared credentials. When one of those tools is compromised, the blast radius extends to every system it touches.
This is not a new lesson. The SolarWinds attack in 2020, the Kaseya VSA ransomware incident in 2021, and the MOVEit breach in 2023 all demonstrated how a single compromised vendor can ripple across hundreds of organizations. The Klue breach shows the pattern is still repeating.
How Attackers Got In
Initial reports suggest the attackers exploited a misconfigured API endpoint in Klue’s platform that was not covered by the company’s regular penetration testing. The endpoint allowed unauthenticated access to token exchange functions, which the attackers used to mint new OAuth tokens using existing session data.
From there, the attackers used the stolen OAuth tokens to access Salesforce APIs, pulling data without triggering the usual login alerts that would accompany a password-based breach. A stolen OAuth token carries an authorization the user has already granted, so presenting it never prompts for a password or a multifactor challenge; that is part of why such tokens are attractive targets.
What Affected Companies Are Doing
The impacted cybersecurity firms have taken several steps in response:
- Revoked all active OAuth tokens issued through Klue integrations
- Reviewing audit logs for unauthorized data access
- Notifying affected clients on a case-by-case basis
- Tightening internal API access policies across the board
SecurityWeek reports that at least two of the affected companies have hired external forensics firms to conduct a full breach assessment. One company reportedly discovered that attackers had access to its systems for nearly three weeks before detection.
Lessons for Security Teams
The Klue breach is a reminder that every SaaS tool connected to your infrastructure is a potential attack vector. OAuth tokens, in particular, are high-value targets because they provide persistent access without requiring re-authentication. Organizations should:
- Regularly audit and rotate OAuth tokens issued to third-party services
- Apply the principle of least privilege to all API integrations
- Monitor API traffic for unusual patterns, even from trusted vendor IPs
- Maintain an inventory of all third-party tools with access to sensitive systems
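An added example of what the first and third recommendations look like in practice (this is illustrative code written for this article, not Klue's or any affected vendor's tooling): it checks a constructed inventory of third-party OAuth grants for grants past a rotation window, and scans constructed Salesforce-style API audit records for calls from outside a vendor's declared IP range or bulk pulls beyond its expected volume. Integration names, IP ranges, record caps and log fields are all assumed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed inventory of third-party OAuth grants (assumed fields):
# when the grant was issued, where the vendor calls from, expected volume.
GRANTS = {
    "klue-connector": {"issued": "2023-12-20",
                       "allowed_ips": ["203.0.113.0/24"], "max_records": 500},
    "slack-bridge":   {"issued": "2024-03-20",
                       "allowed_ips": ["198.51.100.0/24"], "max_records": 50},
}

# Constructed API audit lines: timestamp,client,source_ip,endpoint,records
LOG = """\
2024-04-01T09:00:00,klue-connector,203.0.113.7,/services/data/query,120
2024-04-01T09:05:00,klue-connector,203.0.113.7,/services/data/query,4800
2024-04-01T09:06:00,klue-connector,192.0.2.55,/services/data/query,300
2024-04-01T09:10:00,slack-bridge,198.51.100.9,/services/data/sobjects,10
"""

@dataclass
class Finding:
    client: str
    reason: str

def stale_grants(grants, now_iso, max_age_days=90):
    """Flag integrations whose OAuth grant is older than the rotation window."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=max_age_days)
    return [Finding(c, "grant older than rotation window, rotate it")
            for c, g in grants.items()
            if datetime.fromisoformat(g["issued"]) < cutoff]

def anomalous_calls(log, grants):
    """Flag calls from outside the vendor's declared range or above its cap,
    even though the integration itself is a trusted, authorized client."""
    findings = []
    for line in log.strip().splitlines():
        ts, client, ip, _endpoint, records = line.split(",")
        g = grants.get(client)
        if g is None:
            findings.append(Finding(client, f"unknown integration at {ts}"))
            continue
        if int(records) > g["max_records"]:
            findings.append(Finding(client, f"bulk pull of {records} records at {ts}"))
        if not any(ip_address(ip) in ip_network(n) for n in g["allowed_ips"]):
            findings.append(Finding(client, f"call from {ip} outside declared range at {ts}"))
    return findings

if __name__ == "__main__":
    for f in stale_grants(GRANTS, "2024-04-02") + anomalous_calls(LOG, GRANTS):
        print(f.client, "-", f.reason)
```

In production the grant inventory would come from the identity provider or Salesforce connected-app list and the audit lines from its event log; the volume baseline should be derived per integration rather than hard-coded.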
Klue has not yet issued a public statement about the breach. The company’s website was briefly taken offline following the initial reports but has since been restored with a message saying they are “investigating a security incident.”
Frequently Asked Questions
What is Klue?
Klue is a competitive intelligence platform used primarily by cybersecurity companies to track competitor product launches, pricing, and market moves. It integrates with tools like Salesforce, Slack, and various CRM systems.
How many companies were affected by the Klue breach?
At least six cybersecurity firms have been identified as affected, though the total number may be higher. Rescana’s report indicates the breach impacted organizations across North America and Europe.
What data was stolen in the Klue breach?
Attackers gained access to Salesforce CRM records, internal product roadmaps, employee credentials, and OAuth tokens that could be used to access third-party services.
Why are OAuth tokens dangerous when stolen?
OAuth tokens provide persistent access to connected services without requiring a password or multifactor authentication. Stolen tokens can be used to access data and systems as if the attacker were an authorized user.
