A recent supply chain attack targeting Klue, a market intelligence platform, has led to unauthorized access to Salesforce data across at least nine organizations, including several prominent cybersecurity companies. The Icarus extortion group has claimed responsibility for the breach and is threatening to release the stolen information.
The incident began between June 11 and 12, 2026, when attackers exploited a compromised legacy credential associated with Klue’s integration service account. This access allowed them to inject malicious code designed to harvest OAuth tokens—authorization keys that enable Klue to connect with customers’ third-party platforms, notably Salesforce.
Upon detecting the unauthorized activity on June 12, Klue promptly informed its customers, revoked the affected credentials, and disabled integrations with several platforms, including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
Extent of Data Exfiltration
The attackers used the Salesforce REST API to extract substantial amounts of Customer Relationship Management (CRM) data. Reports indicate that nearly 1,000 API queries were executed within a 15-minute peak period, with data extraction activities continuing for over six hours. The compromised data primarily includes business contact details such as names, email addresses, job titles, phone numbers, business addresses, sales account information, pricing quotes, and sales communications. Importantly, no core platform data, product telemetry, threat intelligence, passwords, or payment card information was reported as compromised.
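As an added example (not code from Klue, Salesforce, or any affected company), the sketch below shows how a defender could flag the volume pattern described above from API call logs: it counts calls per integration principal in a sliding 15-minute window and reports how long the principal stayed active. The principal names, the alert threshold of 500, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # peak period length reported in the article
THRESHOLD = 500                 # assumed alert level; tune to the integration's baseline

def detect_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """events: iterable of (timestamp, principal), one per REST API call.
    Returns, for each principal whose call count in any sliding window
    reaches the threshold, the peak count, when it occurred, and the
    total time between its first and last call."""
    recent = defaultdict(deque)
    stats = {}
    for ts, who in sorted(events):
        q = recent[who]
        q.append(ts)
        while ts - q[0] >= window:  # drop calls that fell out of the window
            q.popleft()
        s = stats.setdefault(who, {"peak": 0, "peak_end": ts, "first": ts})
        s["last"] = ts
        if len(q) > s["peak"]:
            s["peak"], s["peak_end"] = len(q), ts
    return {
        who: {"peak": s["peak"], "peak_end": s["peak_end"],
              "active_span": s["last"] - s["first"]}
        for who, s in stats.items() if s["peak"] >= threshold
    }

def constructed_events():
    """Constructed sample data, not real logs."""
    start = datetime(2026, 6, 11, 20, 0, 0)
    # Baseline: hypothetical 'sync-svc' principal, one call per minute for 8 hours.
    events = [(start + timedelta(minutes=m), "sync-svc") for m in range(480)]
    # Hypothetical 'intel-integration' principal: one call every 5 minutes
    # across 6 hours, plus 990 calls packed into just under 15 minutes.
    events += [(start + timedelta(minutes=5 * m), "intel-integration")
               for m in range(73)]
    burst = start + timedelta(hours=2)
    events += [(burst + timedelta(milliseconds=900 * i), "intel-integration")
               for i in range(990)]
    return events

if __name__ == "__main__":
    for who, hit in detect_bursts(constructed_events()).items():
        print(who, hit["peak"], hit["peak_end"], hit["active_span"])
```

In practice the events would come from the CRM's API audit or event logs, keyed by the connected integration's identity rather than by an interactive user.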
The following organizations have publicly acknowledged the impact of the breach:
- HackerOne: Unauthorized access to Salesforce instance data via the Klue integration.
- Huntress: Theft of business contacts, price quotes, and sales-related data; attributed the attack to the Icarus group with high confidence.
- Jamf: Access to Salesforce CRM data; confirmed no impact on products or customer services.
- OneTrust: Notified customers about the exposure of Salesforce data.
- Recorded Future: Compromise of client contact names, email addresses, and potential contract information.
- Snyk, Sprout Social, Insurity, Tanium: All confirmed unauthorized access to Salesforce data through the Klue integration.
- Gong: Access to internal licensed user data, including names, titles, and emails; confirmed that no call recordings or customer transcripts were affected.
Threat Actor and Response
The Icarus cybercrime group has publicly claimed responsibility for the attack, stating that it obtained data from multiple Klue partner Salesforce environments. The group has issued a ransom demand, threatening to release the stolen data unless Klue complies. Huntress investigators have linked indicators from their compromised environment to Icarus infrastructure, expressing high confidence in this attribution. A ransom note was reportedly sent using an email address associated with an Australian company, which may have been compromised as part of the operation.
In response, Klue has engaged CrowdStrike for incident response and forensic investigation, notified law enforcement, and is conducting a comprehensive review of credential management and integration security practices.
This incident underscores the critical importance of securing third-party integrations and the potential risks they pose to organizations’ data security. Companies must rigorously assess and monitor their supply chain partners to prevent similar breaches. Additionally, the rapid detection and response by Klue highlight the necessity of having robust incident response plans in place to mitigate the impact of such attacks.