
Klue breach led to Salesforce data theft, Huntress affected

Jun 20, 2026  Twila Rosenbaum

On June 18, 2026, cybersecurity vendor Huntress published a detailed account of a security incident that began at Klue, a market intelligence platform used to integrate CRM and sales data across various business tools. The breach, which Huntress described as a “security domino effect,” started with a single compromised integration credential and cascaded into the theft of customer data from several connected platforms, including Salesforce.

The attackers first gained access to Klue’s backend infrastructure on June 11 using a long-dormant API credential originally created for an abandoned third-party integration prototype. From there, they pushed a malicious code update designed to harvest OAuth tokens that Klue’s customers used to connect the platform to services including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. Those stolen tokens were then used to query customer CRM systems directly and exfiltrate data.

Attack Timeline

According to Huntress’s writeup, the attackers operated stealthily for several days. Klue staff cut off the attackers’ remote access and removed the token-theft code from their servers on June 12, and issued a general alert to customers on June 13 that did not indicate which customers were impacted. However, on June 16, extortion emails began to appear in the inboxes of some Huntress staff with the subject line “top secret email” and a warning: “Your data has been downloaded…You have 48 hours to communicate with us.”

Huntress attributes the attack to the extortion group calling itself “Icarus,” active since late April 2026, based on matching Session Messenger IDs found both in the extortion emails and on the group’s dark-web leak site. The Icarus group has previously targeted other SaaS integrations, but this incident marks its most significant compromise to date.

What Was Stolen?

Huntress confirmed that the attackers made off with business contacts, price quotes, and other sales-related data and messaging. Critically, the breach did not expose threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry. The company stressed that its products and infrastructure remain unaffected, and that the data stolen was limited to sales and marketing information stored in Salesforce and other integrated platforms.

Huntress has shared indicators of compromise and recommended other Klue customers review logs, request access records from affected vendors, and consider revoking active sessions tied to the compromised integrations. The company also advised customers to monitor for unusual activity in their Salesforce instances, particularly for new API integrations or unexpected data exports.

Broader Impact

The breach extends beyond Huntress. Several other security vendors have publicly stepped forward and released official statements on how they’ve been affected. Recorded Future, Tanium, and Jamf have all confirmed that their organizations were impacted through the Klue integration. While details vary, all reported that Salesforce-connected data, including customer lists and sales projections, was accessed. No vendor has reported lateral movement into core security products or engineering systems.

The incident has drawn attention because of the use of OAuth token theft—a technique that has become increasingly common as attackers target trusted third-party integrations rather than the primary platform itself. Throughout 2025, a string of OAuth-abuse campaigns hit other Salesforce-connected SaaS integrations, namely Drift and Gainsight. Those attacks also leveraged stolen tokens to impersonate legitimate users and extract CRM data.

Salesforce Response

On Wednesday, June 17, Salesforce announced it had “disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce,” after detecting unusual activity involving the app. “As a result, organizations will not be able to connect to Salesforce via this app until further notice,” the company stated in a security advisory. Salesforce has not yet provided a timeline for restoring the app, pending a full security review of Klue’s code and authentication practices.

Klue CEO Statement

On Thursday, June 18, Klue CEO Jason Smith released a statement confirming that the company had identified unauthorized activity and taken immediate steps. “Since identifying the incident, we have revoked affected credentials and tokens, removed the unauthorized code pushed by the attackers, disabled potentially impacted integrations, and started an investigation,” Smith wrote. Law enforcement has been notified, and affected customers have been contacted and provided with information to assist with their own incident response.

Smith added: “Based on our investigation to date, the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted.” He also announced plans to further strengthen security controls, credential management practices, monitoring capabilities, and deployment processes. However, the breach has raised questions about why a dormant API credential remained active for an abandoned prototype, and why the malicious code update was not caught by Klue’s change management or code review process.

OAuth Abuse: A Growing Threat

This incident is part of a broader pattern of attackers exploiting the trust inherent in OAuth token exchanges. When a user authorizes a third-party app like Klue to access their Salesforce data, the app is issued an OAuth token that lets it make API calls on the user’s behalf. If that token is stolen, the attacker can access the same data without needing the user’s password or any re-authentication, because the platform sees only a valid token presented by what looks like the trusted app. In the Klue case, the attackers compromised the platform’s backend and used it to harvest tokens from multiple customers simultaneously.

Security researchers have long warned about the dangers of overprivileged OAuth tokens. Many SaaS integrations request broad permissions (e.g., “read and write all CRM data”) that exceed what the integration actually needs. In this case, the Klue Battlecards app required read access to sales records, accounts, and contacts—permissions that enabled the attackers to exfiltrate a wealth of business intelligence.

Recommendations for Affected Organizations

Huntress has recommended that all Klue customers take the following actions: review API token and OAuth token logs in their Salesforce instance; request access records from Klue and any other affected vendors; revoke all active sessions tied to the compromised integrations; reset any shared credentials; and monitor for extortion emails or suspicious data exfiltration attempts. Additionally, organizations should consider implementing OAuth token expiration policies and regularly auditing third-party app permissions.
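The two checks above, auditing third-party app permissions for excess scope and reviewing token activity for signs of replay from attacker infrastructure, can be scripted against an export of connected-app settings and API access logs. The following is an added illustration written for this article, not code from Huntress, Klue or Salesforce. The app names, scope strings, egress address ranges and event format are all constructed for the example; a real audit would read these from the CRM’s connected-app configuration and event logs, and the vendor’s published egress ranges.

```python
"""Audit OAuth connected apps and their API activity for the token-abuse
pattern discussed above: an integration's token replayed from infrastructure
the vendor does not own, pulling far more data than the integration normally does.

Everything below is constructed sample data, not real CRM records or vendor
indicators. The event tuple format is hypothetical."""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed: the scopes each integration actually needs, and the vendor's
# documented egress ranges (RFC 5737 documentation addresses, hypothetical).
EXPECTED = {
    "Battlecards": {
        "scopes": {"read:accounts", "read:contacts", "read:opportunities"},
        "egress": ["203.0.113.0/24"],
    },
    "CallAnalytics": {"scopes": {"read:contacts"}, "egress": ["198.51.100.0/24"]},
}

# Constructed: what the CRM currently has granted to each connected app.
GRANTED = {
    "Battlecards": {"read:accounts", "read:contacts", "read:opportunities", "write:opportunities"},
    "CallAnalytics": {"read:contacts"},
    "QuickSync": {"read:accounts", "read:contacts"},  # no owner on record
}

# Constructed API-access events: (timestamp, app, source_ip, object, rows_returned)
EVENTS = [
    ("2026-06-10T09:00:00", "Battlecards", "203.0.113.10", "Account", 120),
    ("2026-06-10T09:05:00", "Battlecards", "203.0.113.10", "Contact", 300),
    ("2026-06-11T22:14:00", "Battlecards", "192.0.2.77", "Account", 48000),
    ("2026-06-11T22:16:00", "Battlecards", "192.0.2.77", "Opportunity", 91000),
    ("2026-06-12T08:00:00", "CallAnalytics", "198.51.100.5", "Contact", 250),
]


def audit_scopes(granted, expected):
    """Return findings for apps nobody inventoried and apps holding scopes beyond their need."""
    findings = []
    for app, scopes in granted.items():
        if app not in expected:
            findings.append(("UNKNOWN_APP", app, sorted(scopes)))
            continue
        extra = scopes - expected[app]["scopes"]
        if extra:
            findings.append(("EXCESS_SCOPE", app, sorted(extra)))
    return findings


def audit_events(events, expected, baseline_rows=5000, window=timedelta(hours=1)):
    """Flag token use from outside the vendor's egress ranges, and pulls whose
    row count within a sliding per-app window exceeds baseline_rows."""
    findings = []
    per_app = defaultdict(list)
    for ts, app, ip, obj, rows in events:
        t = datetime.fromisoformat(ts)
        nets = [ip_network(n) for n in expected.get(app, {}).get("egress", [])]
        if nets and not any(ip_address(ip) in n for n in nets):
            findings.append(("FOREIGN_SOURCE", app, ip, ts))
        per_app[app].append((t, rows))
        recent = sum(r for t0, r in per_app[app] if t - t0 <= window)
        if recent > baseline_rows:
            findings.append(("BULK_EXPORT", app, recent, ts))
    return findings


def revocation_candidates(scope_findings, event_findings):
    """Apps whose tokens should be revoked and re-consented with narrowed scopes."""
    return sorted({f[1] for f in scope_findings} | {f[1] for f in event_findings})


if __name__ == "__main__":
    scope_f = audit_scopes(GRANTED, EXPECTED)
    event_f = audit_events(EVENTS, EXPECTED)
    for f in scope_f + event_f:
        print(f)
    print("revoke and re-consent:", revocation_candidates(scope_f, event_f))
```

On the sample data the scope audit flags Battlecards for a write scope the integration has no use for and QuickSync as an app with no owner, while the event audit flags the two late-night Battlecards calls both for coming from an address outside the vendor’s ranges and for pulling tens of thousands of rows in a window where the app normally returns a few hundred. The baseline and window are tunable; the point is that a stolen token looks exactly like the legitimate app to the platform, so detection has to come from where and how much it is used.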

The incident underscores the importance of securing the software supply chain, particularly when it comes to integrations that bridge multiple business-critical platforms. As more companies rely on interconnected SaaS tools, attackers will continue to target the weak links—the integration points where a single compromised credential can unlock data across multiple systems.

For now, the Icarus group has not publicly leaked any of the stolen data, but Huntress and other victims remain on high alert. The 48-hour extortion deadline passed on June 18, and no further communications from the group have been reported. However, the fact that multiple major security vendors were affected highlights the systemic risk posed by third-party integrations, even for companies that specialize in protecting others.


Source: Help Net Security News

