Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies

Jun 22, 2026

A sophisticated supply chain attack on market intelligence platform Klue has compromised Salesforce data across at least nine organizations, including several high-profile cybersecurity firms, with the newly emerged Icarus extortion group claiming responsibility and threatening to release stolen data.

The attack began on June 11–12, 2026, when threat actors gained unauthorized access to Klue’s integration infrastructure using a compromised legacy credential tied to an integration service account.

Leveraging that foothold, the attackers pushed a malicious code update to harvest OAuth tokens, the authorization keys that allow Klue to connect with customers’ third-party platforms, most critically Salesforce.

Klue identified the unauthorized activity on June 12 and notified customers the same day, immediately revoking affected credentials and disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

Salesforce Data Exfiltration at Scale

Once inside, attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data, executing nearly 1,000 API queries in just 15 minutes during peak activity, with sustained extraction windows lasting over 6 hours, according to threat intelligence firm ReliaQuest.
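
The query volumes reported above translate directly into a detection rule. The following is an added example, not code from Klue, ReliaQuest or the original article: it flags an integration whose API calls reach a burst threshold inside 15 minutes, or continue without a long pause for 6 hours. The record format, the integration names, the 900-call threshold and the 10-minute idle gap are assumptions, and the sample data is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)  # window of the reported peak activity
BURST_THRESHOLD = 900                 # assumed alert level, just under "nearly 1,000"
SUSTAINED = timedelta(hours=6)        # reported length of sustained extraction
MAX_GAP = timedelta(minutes=10)       # assumed idle time that ends a session


def detect(events):
    """events: iterable of (ISO timestamp, integration id) pairs, in any order.
    Returns {integration id: set of findings} for integrations that tripped a rule."""
    findings = defaultdict(set)
    window = defaultdict(deque)   # per-integration timestamps inside BURST_WINDOW
    session_start, last_seen = {}, {}
    for ts, app in sorted((datetime.fromisoformat(t), a) for t, a in events):
        recent = window[app]
        recent.append(ts)
        while ts - recent[0] > BURST_WINDOW:
            recent.popleft()
        if len(recent) >= BURST_THRESHOLD:
            findings[app].add("burst")
        # A long idle gap starts a new session, so hourly syncs never look sustained.
        if app not in last_seen or ts - last_seen[app] > MAX_GAP:
            session_start[app] = ts
        last_seen[app] = ts
        if ts - session_start[app] >= SUSTAINED:
            findings[app].add("sustained")
    return dict(findings)


def constructed_sample():
    """Constructed API-call records for three hypothetical integrations."""
    base = datetime(2026, 1, 1, 2, 0, 0)
    events = []
    # integration-a: 1,000 queries spread over just under 15 minutes
    events += [((base + timedelta(seconds=0.9 * i)).isoformat(), "integration-a")
               for i in range(1000)]
    # integration-b: one query every 5 minutes for 7 hours (slow but continuous)
    events += [((base + timedelta(minutes=5 * i)).isoformat(), "integration-b")
               for i in range(85)]
    # integration-c: routine sync, 30 queries in one minute at the top of each hour
    events += [((base + timedelta(hours=h, seconds=2 * i)).isoformat(), "integration-c")
               for h in range(8) for i in range(30)]
    return events


if __name__ == "__main__":
    for app, hits in sorted(detect(constructed_sample()).items()):
        print(app, sorted(hits))
```

Both thresholds should be tuned against each integration's normal baseline, since a legitimate bulk sync can exceed a fixed count.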

The stolen data was primarily business contact information, names, email addresses, job titles, phone numbers, business addresses, sales account data, pricing quotes, and sales communications.

No core platform data, product telemetry, threat intelligence, passwords, or payment card information was reported compromised by any of the affected organizations.

At least nine organizations have publicly disclosed the impact of the breach:

  • HackerOne — Salesforce instance data accessed via the Klue integration.
  • Huntress — Business contacts, price quotes, and sales-related data were stolen; Huntress attributed the attack to the Icarus threat actor with high confidence.
  • Jamf — Salesforce CRM data accessed; no impact on products or customer services.
  • OneTrust — Notified customers of Salesforce data exposure.
  • Recorded Future — Client contact names, email addresses, and potential contract information impacted.
  • Snyk, Sprout Social, Insurity, Tanium — All confirmed Salesforce data accessed through the Klue integration.
  • Gong — Internal licensed user data, including names, titles, and emails, accessed; no call recordings or customer transcripts affected.

The cybercrime group Icarus publicly claimed the attack on its leak platform, stating it obtained data from multiple Klue partner Salesforce environments.

The group issued a ransom demand, threatening to release the stolen data unless Klue complied. Huntress investigators matched indicators from its own compromised environment to Icarus infrastructure, expressing high confidence in the attribution. A ransom note was reportedly sent using an email address linked to an Australian company, potentially compromised as part of the operation.

Klue engaged CrowdStrike for incident response and forensic investigation, notified law enforcement, and is conducting a full review of credential management, monitoring capabilities, and deployment processes.

CEO Jason Smith acknowledged the incident publicly on June 22, characterizing it as “a deliberate criminal act,” and committed to transparency with customers through direct updates, emails, and 1:1 meetings.

All affected companies stressed that the compromise was isolated to the Klue-Salesforce integration layer and did not involve their core platforms or internal infrastructure.

The Klue breach underscores the cascading risk of OAuth-based supply chain attacks: a single compromised integration credential can unlock sensitive data across dozens of interconnected enterprise environments simultaneously.

Source: CybersecurityNews.com
