Secure Bulletin Navigating the cyber sea with knowledge
Home > Articolo > Klue Supply Chain Hack Exposes Salesforce Data at Nine Cybersecurity Companies
Klue Supply Chain Hack Exposes Salesforce Data at Nine Cybersecurity Companies
Read Time:3 Minute, 36 Second

A sophisticated supply chain attack targeting market intelligence platform Klue has compromised Salesforce CRM data across at least nine organizations, including several prominent cybersecurity vendors. The newly emerged Icarus extortion group has claimed responsibility and is threatening to release the stolen data unless a ransom is paid.

How the Attack Unfolded

The breach began on June 11–12, 2026, when threat actors obtained unauthorized access to Klue’s integration infrastructure using a compromised legacy credential tied to a service account. Leveraging that initial foothold, the attackers pushed a malicious code update designed to harvest OAuth tokens — the authorization keys that enable Klue to connect with customers’ third-party platforms, most critically Salesforce.

Klue detected the unauthorized activity on June 12 and notified affected customers the same day, immediately revoking the compromised credentials and disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

Industrial-Scale API Exploitation

Once inside the victim environments, the attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data with alarming efficiency. According to threat intelligence firm ReliaQuest, the attackers executed nearly 1,000 API queries in just 15 minutes during peak activity, with sustained extraction windows lasting over six hours.

The stolen data consisted primarily of business contact information: names, email addresses, job titles, phone numbers, business addresses, sales account records, pricing quotes, and sales communications. No core platform data, product telemetry, threat intelligence, passwords, or payment card information was reported compromised at any of the affected organizations.

Affected Organizations

At least nine high-profile organizations have publicly disclosed the impact of the breach:

  • HackerOne — Salesforce instance data accessed via the Klue integration.
  • Huntress — Business contacts, price quotes, and sales-related data stolen; attributed to Icarus with high confidence.
  • Jamf — Salesforce CRM data accessed; no impact on products or customer services.
  • OneTrust — Customers notified of Salesforce data exposure.
  • Recorded Future — Client contact names, email addresses, and potential contract information impacted.
  • Snyk, Sprout Social, Insurity, and Tanium — All confirmed Salesforce data accessed through the Klue integration.
  • Gong — Internal licensed user data including names, titles, and emails accessed; no call recordings or customer transcripts affected.

The Icarus Extortion Group

The cybercrime group Icarus publicly claimed responsibility on its leak platform, stating it obtained data from multiple Klue partner Salesforce environments. The group issued a ransom demand, threatening to release the stolen data unless Klue complied. Huntress investigators matched indicators from its own compromised environment to Icarus infrastructure, expressing high confidence in the attribution.

A ransom note was reportedly sent using an email address linked to an Australian company, potentially itself compromised as part of the operation. This detail suggests Icarus leverages third-party infrastructure to obscure its true origin — a hallmark of more sophisticated extortion groups.

Incident Response

Klue engaged CrowdStrike for incident response and forensic investigation and notified law enforcement. The company is conducting a full review of its credential management, monitoring capabilities, and deployment processes. CEO Jason Smith acknowledged the incident publicly on June 22, characterizing it as “a deliberate criminal act,” and committed to transparency with customers through direct updates, emails, and one-on-one meetings.

All affected companies stressed that the compromise was isolated to the Klue-Salesforce integration layer and did not involve their core platforms or internal infrastructure. Salesforce itself confirmed it had disabled the Klue Battlecards app integration after detecting unusual activity.

What This Means for Enterprise SaaS Security

The Klue breach illustrates the cascading risk inherent in OAuth-based supply chain attacks. A single compromised integration credential can unlock sensitive data across dozens of interconnected enterprise environments simultaneously — without triggering alerts, since the access pattern appears legitimate from the victim’s Salesforce audit logs.

Organizations relying on third-party integration platforms should adopt several defensive measures:

  • Regularly audit OAuth application permissions and revoke integrations that are no longer in active use.
  • Monitor Salesforce API access logs for unusually high query volumes or off-hours bulk extraction activity.
  • Apply least-privilege scopes when granting OAuth access to third-party services.
  • Require multi-factor authentication on all service accounts, including legacy integration accounts.
  • Establish vendor security review processes that include questions about credential management and incident response capabilities.

As enterprise SaaS ecosystems grow more interconnected, the security of any single organization’s data is only as strong as the weakest link in its entire integration supply chain.

Share: Twitter  |  Facebook  |  LinkedIn
Join the discussion

This is a blog in the Fediverse: you can find this article everywhere with @blog@securebulletin.com and every comment/answer will appear here.

If you want to comment on Klue Supply Chain Hack Exposes Salesforce Data at Nine Cybersecurity Companies, use the discussion on Forum.

>> forum community

Comments

Leave a Reply