Breach brief: KLUE-ICARUS-SALESF, 2026-06-26

Klue: Icarus Salesforce Supply-Chain Breach


A breach at Klue, the Vancouver-based competitive and market intelligence platform, has become the newest flashpoint in a widening wave of SaaS supply-chain attacks after the cybercrime group Icarus used a compromised legacy credential to reach customer-connected cloud environments and steal Salesforce data from some of the most recognizable names in the security industry. Klue disclosed that attackers accessed its systems in June 2026 and obtained data from an undisclosed number of customers. Icarus has claimed responsibility and threatened to leak the stolen information unless a ransom is paid. Confirmed affected organizations include Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Huntress.

What Happened

According to Klue, attackers gained entry through a compromised legacy credential tied to an integration service. That foothold let them obtain the tokens Klue uses to connect with customer environments, including Salesforce. Once those connected systems were reachable, the attackers pulled data directly from customer cloud applications without having to breach each victim company on its own.

Klue brought in CrowdStrike to support the investigation and disconnected integrations to halt further access. The company has not publicly stated how many customers were affected, how the credential was compromised, or whether it has received a formal ransom demand from Icarus. Huntress, one of the affected vendors, reported in its own write-up that it received a ransom note routed through an Australian company's email infrastructure that the attackers may have abused, and confirmed the compromise involved backend systems tied to software integrations and the collection of OAuth tokens used by Klue customers.

What Was Taken

Several affected companies have said the stolen records consisted primarily of business contact information: names, email addresses, phone numbers, job titles, and account-related details. While that data is less sensitive than credentials or financial records on its own, it is precisely the structured, high-confidence contact and account data that fuels targeted phishing, business email compromise, and social-engineering campaigns against enterprise sales and security teams.

The exact volume and full scope remain undisclosed. Klue has not confirmed how many customers were affected, and the list of named victims may still grow as the investigation continues. Salesforce served as the central repository for much of the exposed data, which means the records skew toward customer, prospect, sales, and account information.

Why It Matters

This is more than another vendor compromise. It is a case study in how attackers increasingly target the connective tissue of enterprise software: OAuth tokens, SaaS integrations, legacy credentials, and third-party apps that sit between companies and their most valuable customer data. By compromising a single platform trusted by many, Icarus reached a roster of major security vendors in one operation.

The irony is sharp. The victims here are cybersecurity companies, the organizations that sell protection against exactly this class of attack. It underscores that no enterprise is immune when the weak link is a trusted third-party integration rather than its own perimeter. Salesforce data is an especially attractive prize because so many organizations use it as the system of record for customer and revenue operations, turning one integration breach into a shortcut into highly organized business data across dozens of companies at once.

The Attack Technique

The intrusion followed a now-familiar supply-chain pattern. Rather than attacking hundreds of companies individually, the attackers compromised a single vendor that holds connections to many. The initial access vector was a compromised legacy credential associated with an integration service, a class of account that is often over-privileged, rarely rotated, and frequently excluded from modern authentication controls.

From that credential, the attackers harvested the OAuth tokens Klue uses to maintain persistent connections to customer Salesforce environments. OAuth tokens are powerful precisely because they bypass interactive login: a valid token can grant ongoing API-level access to connected data without triggering a password prompt or, in many configurations, multi-factor authentication. With tokens in hand, the actors queried customer cloud applications and exfiltrated records before integrations were severed. The reported abuse of a third party's email infrastructure to deliver the ransom note further illustrates the group's reliance on trusted intermediaries at multiple stages.

What Organizations Should Do

  1. Inventory every SaaS-to-SaaS integration touching Salesforce and other systems of record, and identify which third parties hold active OAuth tokens or connected-app access to your data.
  2. Audit and revoke legacy, service, and machine credentials that are over-privileged, unused, or unrotated; enforce short token lifetimes and scoped permissions on remaining integrations.
  3. Review Salesforce connected-app and OAuth grant logs for anomalous API access, unfamiliar IP ranges, and bulk export activity, and revoke any tokens that cannot be accounted for.
  4. Apply least privilege to integration accounts so a single compromised connector cannot read entire customer, prospect, and account datasets.
  5. Treat the exposed contact data as live phishing and business-email-compromise fuel; warn affected staff and customers, and tighten verification on any inbound requests referencing accurate internal details.
  6. If you are a Klue customer or partner, assume potential exposure, disconnect and re-establish integrations with fresh credentials, and monitor for extortion outreach tied to the Icarus claims.
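The following is an added example, not code from Klue, Salesforce, or the source article, showing how steps 1, 3 and 6 above can be turned into a review routine: it checks connected-app API activity in a constructed, simplified CSV loosely modelled on Salesforce event-log exports (the field names, the inventory of expected source ranges, and the bulk-row threshold are all assumptions for this example) and lists apps whose OAuth grants cannot be accounted for.

```python
"""Flag connected-app / OAuth API activity that warrants a revoke decision."""
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample log. Simplified CSV in the spirit of Salesforce event-log exports;
# the column names are assumptions for this example, not Salesforce's real schema.
SAMPLE_LOG = """timestamp,connected_app,user,client_ip,api_type,rows
2026-06-20T09:01:00Z,Klue Integration,integ-svc,203.0.113.10,REST,120
2026-06-20T10:15:00Z,Gong Sync,gong-svc,203.0.113.55,REST,40
2026-06-23T11:00:00Z,Unknown Connector,svc2,192.0.2.9,REST,10
2026-06-24T02:13:00Z,Klue Integration,integ-svc,198.51.100.77,BULK,250000
2026-06-24T02:20:00Z,Klue Integration,integ-svc,198.51.100.77,BULK,310000
2026-06-24T02:31:00Z,Klue Integration,integ-svc,198.51.100.77,REST,9000
"""

# Step 1: inventory of third-party integrations and the source ranges each is expected
# to call from (assumed values; in practice taken from the vendor's published egress ranges).
KNOWN_APP_RANGES = {
    "Klue Integration": [ipaddress.ip_network("203.0.113.0/24")],
    "Gong Sync": [ipaddress.ip_network("203.0.113.0/24")],
}
BULK_ROW_THRESHOLD = 100_000  # assumed; tune to the org's normal export volume


def review_oauth_activity(log_text, known_ranges=KNOWN_APP_RANGES, threshold=BULK_ROW_THRESHOLD):
    """Step 3: return {connected_app: [reasons]} for apps showing anomalous access."""
    findings = defaultdict(set)
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["connected_app"]
        ip = ipaddress.ip_address(row["client_ip"])
        rows = int(row["rows"])
        # An app absent from the inventory holds a token nobody has accounted for.
        if app not in known_ranges:
            findings[app].add("not in integration inventory")
            continue
        if not any(ip in net for net in known_ranges[app]):
            findings[app].add(f"unfamiliar source {ip}")
        if row["api_type"] == "BULK" or rows >= threshold:
            findings[app].add(f"bulk export of {rows} rows")
    return {app: sorted(reasons) for app, reasons in findings.items()}


def tokens_to_revoke(log_text):
    """Step 6: apps with any finding get their OAuth grants revoked pending re-establishment."""
    return sorted(review_oauth_activity(log_text))
```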

Sources: Klue Breach Exposes Salesforce Data Across Cybersecurity Vendors as Icarus Claims Attack