Cyberattack on Klue: Data Stolen from Hundreds of Clients, Including Security Firms

A group called Icarus exploits legacy credentials to steal Salesforce data through Klue's integration, affecting firms like Huntress, Recorded Future, and Tanium.

June 25, 2026 · 3 min read

TL;DR: Klue suffered a cyberattack that exposed Salesforce data from hundreds of its clients, including security firms. The group, which calls itself Icarus, used a compromised legacy credential to obtain the OAuth tokens behind Klue's integrations. Victims report that only sales data was taken, not critical systems.

What Happened?

On June 11, 2026, Klue, a market intelligence platform used by over 250,000 companies, suffered a security breach. An attacker used a compromised legacy credential tied to an integration service to obtain the OAuth tokens Klue holds in order to connect to third-party platforms such as Salesforce, Gong, HubSpot, SharePoint, and Google Drive. With those tokens, the attacker read data directly from the connected environments of numerous clients. According to The Register, Klue has not said how many clients were affected, but Huntress confirmed it was among the "hundreds of Klue clients" impacted.

Klue detected the intrusion the next day, disconnected all integrations, and hired CrowdStrike to investigate. CEO Jason Smith confirmed the incident in a blog post. The group responsible calls itself Icarus; it has been active since April 28, 2026 and has begun posting victims on its data leak site. Icarus demands that victims contact it via the Session messenger to avoid public disclosure, a tactic resembling that of groups like ShinyHunters but focused on direct extortion.

Why Is This Important?

The attack affected not only ordinary companies but also cybersecurity firms such as Huntress, Recorded Future, Tanium, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social. Even security vendors are exposed to supply chain attacks through the SaaS tools they use. Huntress, which was among the first to disclose its exposure, confirmed that the stolen data included business contacts, quotes, and sales messages, but not highly sensitive material such as passwords or engineering data. In a statement, Huntress emphasized its commitment to radical transparency: "The data copied from our Salesforce account includes business contacts, price quotes, and other sales and messaging-related data. There is no threat data, passwords, payment card information, or engineering data."

The incident resembles the third-party OAuth abuse campaigns against Salesforce seen in 2025 and 2026, but this time the actor is Icarus, not ShinyHunters. The breach underscores the risk of legacy credentials and the value of rotating OAuth tokens periodically. Rotation only shortens how long a stolen token stays valid, though; revoking integrations that are no longer used and scoping each grant to the data it actually needs are what shrink the blast radius. Unlike earlier attacks, this one originated from a legacy credential associated with an integration service, not from a flaw in Klue's main product. It reflects a growing trend: attackers target third-party integrations as an entry vector because they often receive less security oversight than the core product.

Consequences and Lessons

Klue has disconnected all its integrations and is working with CrowdStrike. Mandiant recommends auditing systems, monitoring logs, and rotating credentials. Affected companies should still verify that the impact was limited to the CRM data reported so far; no compromise of their own products or infrastructure has been reported. Even so, the leak of CRM data can have real business consequences, such as exposure of sales strategies, lead lists, and deals in progress. For cybersecurity firms, it can also erode the trust of their own customers.

For readers, the lesson is clear: third-party integrations are critical attack vectors. It is essential to manage credentials, enforce multi-factor authentication, and maintain incident response plans. Note that MFA protects the interactive login, not a token that has already been issued; once an integration's OAuth token is stolen, it is used without any second factor, which is why inventorying and revoking tokens matters as much as protecting accounts. The transparency shown by Huntress and others also sets a positive precedent. As Huntress noted, proactive disclosure helps other organizations protect themselves. Finally, the attack highlights the importance of rotating OAuth tokens periodically and revoking legacy credentials that are no longer needed.

What Should Readers Know?

  • The attack originated from a compromised legacy credential associated with an integration service.
  • The stolen data is primarily CRM data (contacts, quotes, sales messages).
  • According to the affected companies, none of their products or critical systems were compromised.
  • Icarus demands communication via Session to avoid public disclosure, and has posted some victims on its site.
  • Organizations should inventory their third-party integrations, revoke or rotate OAuth tokens, and retire legacy credentials that are no longer needed.
  • Companies like Huntress, Recorded Future, Tanium, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social are among the confirmed victims.
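One way to act on the audit recommendation above, as an added example that is not code from Klue, Huntress, CrowdStrike or any vendor named here: a small Python audit over a constructed OAuth token inventory. The record layout (id, app, owner, scopes, issued, last_used, owner_mfa), the sample records, and the thresholds are all assumptions; real platforms expose this information through their own connected-app or token reports, and the field names there will differ. The audit flags grants that are older than a rotation window, never used or idle, carry broad or long-lived scopes, or belong to an account without MFA, and turns each into a revoke/rotate/ok recommendation.

```python
"""Audit a third-party OAuth token inventory for stale, idle and over-scoped grants.

Added example; not the code of any company named in the article. The inventory
format and thresholds are assumptions chosen for illustration.
"""
from datetime import datetime, timedelta, timezone

NOW = datetime(2026, 6, 25, tzinfo=timezone.utc)        # fixed "now" so results are reproducible
MAX_TOKEN_AGE = timedelta(days=90)                      # assumed rotation window
MAX_IDLE = timedelta(days=30)                           # assumed: a grant nobody used in 30 days should go
BROAD_SCOPES = {"full", "refresh_token", "offline_access"}  # scopes granting unrestricted or long-lived access

# Constructed sample inventory (not real data). Hypothetical field names.
SAMPLE_TOKENS = [
    {"id": "tok-001", "app": "klue-integration", "owner": "integration-svc@example.com",
     "scopes": ["api", "refresh_token", "full"], "issued": "2024-01-15T10:00:00Z",
     "last_used": "2026-06-10T08:12:00Z", "owner_mfa": False},
    {"id": "tok-002", "app": "legacy-etl", "owner": "etl-bot@example.com",
     "scopes": ["api"], "issued": "2023-05-01T09:00:00Z",
     "last_used": None, "owner_mfa": True},
    {"id": "tok-003", "app": "bi-dashboard", "owner": "analyst@example.com",
     "scopes": ["api", "read"], "issued": "2026-05-20T12:00:00Z",
     "last_used": "2026-06-24T17:45:00Z", "owner_mfa": True},
    {"id": "tok-004", "app": "old-sync", "owner": "sync-svc@example.com",
     "scopes": ["api", "refresh_token"], "issued": "2026-04-01T00:00:00Z",
     "last_used": "2026-04-20T06:30:00Z", "owner_mfa": True},
]


def parse_ts(stamp):
    """Parse an ISO-8601 UTC timestamp ending in 'Z' into an aware datetime."""
    return datetime.fromisoformat(stamp.replace("Z", "+00:00"))


def audit_token(tok, now=NOW):
    """Return a list of human-readable findings for one token record."""
    findings = []
    age = now - parse_ts(tok["issued"])
    if age > MAX_TOKEN_AGE:
        findings.append(f"stale: issued {age.days} days ago, beyond the "
                        f"{MAX_TOKEN_AGE.days}-day rotation window")
    last = tok.get("last_used")
    if last is None:
        findings.append("unused: token has never been used")
    else:
        idle = now - parse_ts(last)
        if idle > MAX_IDLE:
            findings.append(f"idle: last used {idle.days} days ago")
    broad = BROAD_SCOPES & set(tok["scopes"])
    if broad:
        findings.append("over-scoped: " + ", ".join(sorted(broad)))
    if not tok.get("owner_mfa", False):
        # MFA guards the account that can mint new tokens; it does nothing for this token once issued.
        findings.append("owner account lacks MFA (protects new token issuance, not this token)")
    return findings


def recommend(findings):
    """Map findings to an action: unused/idle grants are revoked, other findings trigger rotation."""
    if any(f.startswith(("unused", "idle")) for f in findings):
        return "revoke"
    if findings:
        return "rotate"
    return "ok"


def audit_inventory(tokens, now=NOW):
    """Audit every token; returns {token_id: (action, findings)}."""
    report = {}
    for tok in tokens:
        findings = audit_token(tok, now)
        report[tok["id"]] = (recommend(findings), findings)
    return report


if __name__ == "__main__":
    for tok_id, (action, findings) in audit_inventory(SAMPLE_TOKENS).items():
        print(f"{tok_id}: {action}")
        for finding in findings:
            print(f"    - {finding}")
```

In the sample, the long-lived, fully scoped integration token is flagged for rotation and narrowing, while the never-used ETL grant and the idle sync grant are flagged for revocation outright: a token with no legitimate consumer has no reason to exist, and removing it is cheaper and safer than rotating it.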

This incident is a reminder that supply chain security is only as strong as its weakest link. Companies must evaluate not only the security of their own systems but also that of the vendors they integrate with, and the access those vendors hold. Periodic token rotation and removal of obsolete credentials are simple but effective measures. The coordinated response by Klue and CrowdStrike, along with the transparency of the victims, can also serve as a model for future incidents.