Hackers News

Critical Klue Vulnerability Exposes Data of Multiple Cybersecurity Firms

David kimber
June 22, 2026

Key Takeaways

  • A sophisticated supply chain attack targeted market intelligence platform Klue, leading to the compromise of Salesforce data from at least nine organizations, including several prominent cybersecurity firms.
  • The Icarus extortion group claimed responsibility for the breach, which began on June 11–12, 2026, through a compromised legacy credential.
  • Attackers leveraged OAuth tokens to exfiltrate extensive CRM data, primarily business contact information and sales-related records.
  • Klue swiftly responded by revoking credentials and disabling integrations, engaging CrowdStrike for forensics, and notifying law enforcement.
  • The affected organizations reported no compromise of core platform data, passwords, or payment information, and Klue’s immediate actions serve as the fix.

Salesforce data belonging to a minimum of nine organizations, among them several high-profile cybersecurity companies, has been compromised following a sophisticated supply chain attack on the market intelligence platform Klue. The newly identified Icarus extortion group has taken credit for the breach and is threatening to release the pilfered information.

The incident unfolded between June 11 and June 12, 2026, when threat actors successfully gained unauthorized entry into Klue’s integration infrastructure. This initial access was facilitated by a compromised legacy credential associated with an integration service account.

Once inside, the attackers exploited their access to deploy a malicious code update. This update was designed to harvest OAuth tokens, which are crucial authorization keys enabling Klue to connect with various third-party platforms utilized by its customers, with Salesforce being a primary target.

Klue detected the unauthorized activity on June 12 and promptly informed its customers on the same day. In response, the company immediately revoked all affected credentials and disabled integrations with key platforms including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

Salesforce Data Exfiltration at Scale

After establishing a presence, the attackers exploited the Salesforce REST API to exfiltrate a significant volume of CRM data. During peak activity, nearly 1,000 API queries were executed within a mere 15 minutes, with sustained data extraction periods extending over six hours, according to analysis from threat intelligence firm ReliaQuest.

The exfiltrated data predominantly consisted of business contact details, including names, email addresses, job titles, phone numbers, and business addresses. Additionally, sales account data, pricing quotes, and sales communications were compromised.

Crucially, none of the affected organizations reported any compromise of core platform data, product telemetry, threat intelligence, passwords, or payment card information.

At least nine organizations have publicly confirmed the impact of the breach:

  • HackerOne: Salesforce instance data was accessed via the Klue integration.
  • Huntress: Business contacts, price quotes, and sales-related data were stolen. Huntress confidently attributed the attack to the Icarus threat actor.
  • Jamf: Salesforce CRM data was accessed, with no reported impact on products or customer services.
  • OneTrust: Notified customers regarding Salesforce data exposure.
  • Recorded Future: Client contact names, email addresses, and potential contract information were impacted.
  • Snyk, Sprout Social, Insurity, Tanium: All confirmed Salesforce data access through the Klue integration.
  • Gong: Internal licensed user data, including names, titles, and emails, was accessed. No call recordings or customer transcripts were affected.

The cybercrime collective Icarus publicly asserted responsibility for the attack on its leak platform, claiming to have acquired data from multiple Klue partner Salesforce environments.

The group issued a ransom demand, threatening to release the stolen data unless Klue complied. Investigators at Huntress identified indicators from their own compromised environment that matched Icarus infrastructure, leading to a high-confidence attribution. A ransom note was reportedly delivered via an email address associated with an Australian company, which may have been compromised as part of the operation.

Klue has engaged CrowdStrike for incident response and forensic investigation, informed law enforcement, and is conducting a thorough review of its credential management, monitoring capabilities, and deployment processes.

Klue CEO Jason Smith publicly addressed the incident on June 22, describing it as “a deliberate criminal act.” He pledged full transparency with customers through direct communications, emails, and one-on-one meetings.

All organizations affected by the breach emphasized that the compromise was isolated to the Klue-Salesforce integration layer and did not extend to their core platforms or internal infrastructure.

This Klue breach serves as a stark reminder of the escalating risks associated with OAuth-based supply chain attacks. A single compromised integration credential can effectively unlock sensitive data across numerous interconnected enterprise environments simultaneously.

What You Should Do

  • Immediately review and rotate all OAuth tokens and API keys associated with third-party integrations, especially those connecting to critical CRM platforms like Salesforce.
  • Implement multi-factor authentication (MFA) for all service accounts and privileged access points to integration infrastructure.
  • Conduct a thorough audit of legacy credentials and ensure that all inactive or no longer needed credentials are revoked.
  • Enhance monitoring and logging for API activity, specifically focusing on unusual or high-volume data exfiltration attempts.
  • Communicate proactively with your vendors about their security posture and incident response plans, particularly for services that handle sensitive customer data.
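
One way to implement the API-activity monitoring recommended above, as an added example that is not from the article, Klue, Salesforce or ReliaQuest. It flags an integration whose call volume approaches the reported "nearly 1,000 queries in 15 minutes" or stays elevated for six hours; the app names, thresholds and sample events are constructed assumptions.

```python
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

EPOCH = datetime(1970, 1, 1)
WINDOW = timedelta(minutes=15)
BURST = 900             # assumed: just under the ~1,000 calls per 15 minutes reported
ELEVATED = 100          # assumed floor for "still extracting" in one 15-minute bin
SUSTAINED_BINS = 24     # 24 consecutive bins = six hours

def detect(events):
    """events: iterable of (datetime, app_name) API calls -> {app: [alert kinds]}."""
    alerts = defaultdict(set)
    recent = defaultdict(deque)   # sliding 15-minute window of call times per app
    bins = defaultdict(Counter)   # calls per fixed 15-minute bin per app
    for ts, app in sorted(events):
        window = recent[app]
        window.append(ts)
        while ts - window[0] >= WINDOW:
            window.popleft()
        if len(window) >= BURST:
            alerts[app].add("burst")
        bins[app][(ts - EPOCH) // WINDOW] += 1
    for app, counts in bins.items():
        run = 0
        for b in range(min(counts), max(counts) + 1):
            run = run + 1 if counts[b] >= ELEVATED else 0
            if run >= SUSTAINED_BINS:
                alerts[app].add("sustained")
    return {app: sorted(kinds) for app, kinds in alerts.items()}

def sample_events():
    """Constructed sample: a quiet integration and one with the reported pattern."""
    t0 = datetime(2026, 1, 1)
    quiet = [(t0 + timedelta(minutes=m), "crm-sync") for m in range(480)]
    # 10 calls a minute for 6.5 hours, plus 950 calls inside ten minutes
    steady = [(t0 + timedelta(seconds=6 * i), "intel-connector") for i in range(3900)]
    spike = [(t0 + timedelta(hours=2, seconds=0.6 * i), "intel-connector")
             for i in range(950)]
    return quiet + steady + spike

if __name__ == "__main__":
    for app, kinds in detect(sample_events()).items():
        print(app, kinds)
```

In practice the thresholds should come from each integration's own baseline, since a legitimate bulk sync can exceed a fixed number.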

Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


David kimber

David is a penetration tester turned security journalist with expertise in mobile security, IoT vulnerabilities, and exploit development. As an OSCP-certified security professional, David brings hands-on technical experience to his reporting on vulnerabilities and security research. His articles often feature detailed technical analysis of exploits and provide actionable defense recommendations. David maintains an active presence in the security research community and has contributed to multiple open-source security tools.
