A recent supply chain attack on the market intelligence platform Klue has led to a significant data breach, affecting Salesforce data across multiple high-profile cybersecurity companies. The Icarus extortion group has claimed responsibility for this breach, threatening to release the stolen data if demands are not met.
Timeline of the Attack
The breach began on June 11–12, 2026, when attackers used a compromised legacy credential linked to Klue’s integration service account. This unauthorized access allowed them to deploy malicious code that harvested the OAuth tokens Klue uses to connect with third-party platforms, notably Salesforce.
Klue detected the unauthorized activity on June 12, promptly informed its customers, and revoked the affected credentials. It also disabled integrations with several platforms, including Salesforce, HubSpot, and Slack, to limit further damage.
Extent of Data Exfiltration
Once inside, the attackers used the Salesforce REST API to exfiltrate large volumes of CRM data. According to ReliaQuest, the attackers executed nearly 1,000 API queries in just 15 minutes, with extended extraction periods lasting over six hours. The stolen information primarily included business contact details, sales account data, and other related information.
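The query rate reported above (close to 1,000 API calls from one integration identity inside 15 minutes) is the kind of signal a defender can alert on. The following is an added example, not code from Klue, ReliaQuest, or Salesforce: it runs a per-user sliding-window count over constructed API-access records whose field layout is an assumption, not the real Salesforce event log schema.

```python
from collections import deque
from datetime import datetime, timedelta, timezone


def build_sample_events():
    """Constructed API-access records (timestamp, user, operation); not real log data.
    One human user with a slow cadence, and one integration account that behaves
    normally for hours and then fires ~950 queries inside 15 minutes."""
    events = []
    day = datetime(2026, 6, 11, tzinfo=timezone.utc)
    for i in range(20):  # human user: one query every 18 minutes
        events.append((day + timedelta(hours=9, minutes=18 * i), "sales-rep-1", "query"))
    for i in range(30):  # integration baseline: one query every 10 minutes
        events.append((day + timedelta(hours=12, minutes=10 * i), "klue-integration", "query"))
    for i in range(950):  # burst: one query every 0.9 s, starting 23:00 UTC
        events.append((day + timedelta(hours=23, seconds=0.9 * i), "klue-integration", "query"))
    return events


def find_bursts(events, window_minutes=15, threshold=300):
    """Sliding-window count of API calls per user.
    Returns {user: peak_count} for every user whose call count inside any
    window of window_minutes reaches threshold (threshold is an assumed value;
    tune it against the integration's normal baseline)."""
    window = timedelta(minutes=window_minutes)
    by_user = {}
    for ts, user, _op in sorted(events, key=lambda e: e[0]):
        by_user.setdefault(user, []).append(ts)
    alerts = {}
    for user, times in by_user.items():
        recent, peak = deque(), 0
        for t in times:
            recent.append(t)
            while t - recent[0] > window:  # drop calls older than the window
                recent.popleft()
            peak = max(peak, len(recent))
        if peak >= threshold:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    for user, peak in find_bursts(build_sample_events()).items():
        print(f"ALERT {user}: {peak} API calls within 15 minutes")
```

The human user never exceeds one call per window, while the integration account trips the alert only during the burst, so the same check can distinguish a service account's normal polling from bulk extraction.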
While sensitive business data was accessed, no core platform data, threat intelligence, passwords, or payment information was reported to be compromised. The breach affected at least nine organizations, including HackerOne, Huntress, and Jamf, each experiencing varying levels of data exposure.
Response and Ongoing Investigations
The Icarus group has issued a ransom demand through its leak platform, threatening to expose the stolen data. Huntress investigators have identified indicators linking the attack to Icarus, supported by evidence from Huntress’s own compromised environment. The ransom note was sent from an email address associated with an Australian company, suggesting that company was also compromised.
In response, Klue has engaged CrowdStrike for incident response and forensic investigation. The company has also reported the incident to law enforcement and is conducting a thorough review of its security protocols. CEO Jason Smith publicly addressed the breach on June 22, describing it as a deliberate criminal act and promising transparency with affected clients.
This incident highlights the risk that OAuth-based integrations pose in supply chain attacks: a single compromised credential can lead to widespread data exposure across every system connected through it.
