Link11 has become aware of a security incident at the market intelligence provider klue which, according to the information available to us, affected a broader group of klue customers. Klue was connected to its customers’ Salesforce CRM environments through OAuth-based API integrations; Link11 also used such an integration. Based on the analysis conducted so far, attackers abused valid integration credentials associated with klue to query certain CRM data from connected Salesforce CRM environments through existing integration permissions. At Link11, this affected certain business contact and sales-related CRM data.
None of Link11’s core systems, products, operational security infrastructure or customer systems were affected by the incident.
What happened?
Klue was connected to the Salesforce CRM environments of multiple customers through OAuth-based API integrations; Link11 also used such an integration. Attackers abused valid integration credentials associated with klue to access certain CRM data through the existing integration permissions. Because the credentials were valid and the access stayed within the scope already granted to the integration, the exposure was bounded by the permissions the klue connected app held in each customer's Salesforce environment. At Link11, this affected certain business contact and sales-related CRM data in the Salesforce CRM environment.
What data is affected?
The findings to date indicate that the access was limited to certain CRM data in Link11’s Salesforce CRM environment. The affected data includes business contact information such as names, business email addresses and phone numbers, as well as company, account and sales-related CRM information.
We currently have no indication that special categories of personal data within the meaning of Article 9 GDPR are affected.
What have we done?
After becoming aware of the incident, we established a cross-functional incident response task force with representatives from IT, Security, Legal and Data Protection to coordinate the technical analysis, containment measures, data protection assessment and communications. The affected klue/Salesforce integration was disabled and removed, and all OAuth/API tokens associated with the integration were revoked in our Salesforce environment, so that any access or refresh token still held by the attackers is no longer usable there, independently of klue's own remediation.
The incident was reported to the relevant data protection authority within the required timeframe. In parallel, we are reviewing our third-party integrations with regard to permissions, token lifecycles, monitoring and governance, and are implementing additional technical and organizational controls.
“This incident highlights the importance of maintaining strong controls over SaaS and third-party integrations. There is no indication that Link11 core systems, products, operational security infrastructure or customer systems were affected. We continuously review our third-party controls and strengthen them where additional measures are required,” says Jens-Philipp Jung, CEO of Link11.
What does this mean?
No technical action is currently required for Link11 products or customer systems. However, the affected data (names, business email addresses, phone numbers and account details) is exactly what an attacker needs to craft convincing, targeted phishing or pretexting attempts, so affected individuals and business contacts should remain alert to unexpected emails, calls or messages referring to Link11, klue, Salesforce or this incident.
Please do not open suspicious links or attachments, and do not share access credentials. If you are unsure whether a message is legitimate, please contact us directly at compliance@link11.com.
Kofi Osae-Attah