



























A sophisticated supply chain attack on market intelligence platform Klue has compromised Salesforce data across at least nine organizations, including several high-profile cybersecurity firms, with the newly emerged Icarus extortion group claiming responsibility and threatening to release stolen data.
The attack began on June 11–12, 2026, when threat actors gained unauthorized access to Klue’s integration infrastructure using a compromised legacy credential tied to an integration service account.
Leveraging that foothold, the attackers pushed a malicious code update to harvest OAuth tokens, the authorization keys that allow Klue to connect with customers’ third-party platforms, most critically Salesforce.
Klue identified the unauthorized activity on June 12 and notified customers the same day, immediately revoking affected credentials and disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
Once inside, attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data, executing nearly 1,000 API queries in just 15 minutes during peak activity, with sustained extraction windows lasting over 6 hours, according to threat intelligence firm ReliaQuest.
The stolen data was primarily business contact information, names, email addresses, job titles, phone numbers, business addresses, sales account data, pricing quotes, and sales communications.
No core platform data, product telemetry, threat intelligence, passwords, or payment card information was reported compromised by any of the affected organizations.
At least nine organizations have publicly disclosed the impact of the breach:
The cybercrime group Icarus publicly claimed the attack on its leak platform, stating it obtained data from multiple Klue partner Salesforce environments.
The group issued a ransom demand, threatening to release the stolen data unless Klue complied. Huntress investigators matched indicators from its own compromised environment to Icarus infrastructure, expressing high confidence in the attribution. A ransom note was reportedly sent using an email address linked to an Australian company, potentially compromised as part of the operation.
Klue engaged CrowdStrike for incident response and forensic investigation, notified law enforcement, and is conducting a full review of credential management, monitoring capabilities, and deployment processes.
CEO Jason Smith acknowledged the incident publicly on June 22, characterizing it as “a deliberate criminal act,” and committed to transparency with customers through direct updates, emails, and 1:1 meetings.
All affected companies stressed that the compromise was isolated to the Klue-Salesforce integration layer and did not involve their core platforms or internal infrastructure.
The Klue breach underscores the cascading risk of OAuth-based supply chain attacks: a single compromised integration credential can unlock sensitive data across dozens of interconnected enterprise environments simultaneously.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Guru Baranhttps://cybersecuritynews.com
Gurubaran KS is a cybersecurity analyst, and Journalist with a strong focus on emerging threats and digital defense strategies. He is the Co-Founder and Editor-in-Chief of Cyber Security News, where he leads editorial coverage on global cybersecurity developments.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。