Cybersecurity firms Huntress and Recorded Future have revealed their experiences following a significant supply chain attack on the market intelligence platform Klue. This breach underscores the vulnerabilities in software integrations used by major companies.
Timeline and Impact of the Attack
The incursion began on June 11, targeting the systems linked with software platform integrations. Attackers gained unauthorized access to Klue’s backend servers, executing commands that allowed them to push a code update. This update was designed to extract OAuth tokens related to Klue’s customer integrations.
Klue promptly informed its clients on June 12, deactivating OAuth tokens for all users and severing connections with platforms such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack to mitigate further risk.
Data Extraction and Response
According to ReliaQuest, the attackers exploited the Salesforce REST API to siphon off large amounts of customer relationship management (CRM) data within a 24-hour period. The breach included an intense burst of nearly a thousand queries within 15 minutes, followed by sustained data extraction over more than six hours.
On June 17, Salesforce responded by disabling the Klue Battlecards app integration, citing unusual activity that suggested unauthorized data access via its connection to Salesforce.
Companies Affected and Potential Threat Actors
Huntress and Recorded Future confirmed their involvement in the incident. Huntress reported that the compromised data encompassed business contacts, price quotes, and other sales-related information, though sensitive data such as threat intelligence and payment details remained secure. Recorded Future noted that affected fields in their Salesforce database included client contact names and emails, while ongoing investigations aimed to determine the full scope.
The breach primarily affected the Klue-Salesforce integration, without compromising any systems directly managed by Huntress or Recorded Future. The attack follows a pattern similar to previous incidents involving platforms like Salesforce, Salesloft Drift, and Gainsight, traditionally linked to threat groups such as ShinyHunters and UNC6395. However, this attack seems to be the work of a new actor.
The Role of Extortion and Icarus
Huntress reported receiving extortion threats from an entity known as “Mr Brean,” associated with the Icarus extortion group, which emerged in April 2026. Icarus’s leak site contains entries from early May and another from June, hinting at data stolen from Salesforce.
With corroborating data points, Huntress is confident that Icarus orchestrated the Klue compromise. Although Klue has shared incident details with its customers, it has yet to issue a public statement. SecurityWeek has reached out for a comment and will update accordingly.
This incident highlights the persistent threats facing software supply chains and the need for robust security measures to protect sensitive business data.
