Supply Chain Breach at Klue Exposes Salesforce Data of Huntress, HackerOne, and Others

Klue Supply Chain Attack Hits Nearly 200 Firms, Including Major Cybersecurity Vendors

HIGH
June 29, 2026
July 8, 2026
5m read
Supply Chain AttackData BreachCloud Security

Related Entities(initial)

Threat Actors

Icarus

Organizations

Products & Tech

OAuth

Other

KlueSalesforce Huntress Recorded FutureTaniumJamf HackerOne Snyk OneTrustSprout Social

Full Report(when first published)

Executive Summary

Between June 11 and June 24, 2026, a multi-stage supply chain attack targeted Klue, a competitive intelligence SaaS provider. A threat actor, identified as the new extortion group Icarus, exploited a legacy service account credential to gain access to Klue's backend. The attackers then deployed malicious code to harvest Salesforce OAuth tokens from Klue's customers. This allowed the threat actor to impersonate Klue and exfiltrate sensitive CRM data from nearly 200 downstream organizations, including a significant number of cybersecurity companies. The incident underscores the severe risks of interconnected SaaS platforms and the potential for a single compromised credential to have a cascading impact across an entire ecosystem. Klue has since contained the breach and engaged CrowdStrike for forensic investigation.

Threat Overview

The attack began on June 11, 2026, when the Icarus group used a legacy credential for an abandoned but active integration service account to access Klue's systems. This initial foothold allowed them to push a malicious code update. This update was specifically designed to intercept and collect OAuth tokens that Klue's customers use to integrate the platform with third-party services, primarily Salesforce. Armed with these tokens, Icarus could make authorized API calls to the Salesforce environments of affected customers, exfiltrating valuable business contact and sales data. Klue detected anomalous activity on June 12, removed the malicious code on June 13, and Salesforce disabled the vulnerable integration on June 17. The list of victims includes high-profile tech and cybersecurity firms such as Huntress, Recorded Future, Tanium, Jamf, HackerOne, and Snyk. The situation was further complicated when Klue reported that a second, unidentified party hacked the Icarus group and began its own extortion campaign using the stolen data.

Technical Analysis

The attack chain demonstrates a sophisticated understanding of modern SaaS integration architecture.

  1. Initial Access: The attackers exploited a legacy service account credential. This maps to T1078.004 - Cloud Accounts. The failure to decommission credentials for an abandoned service represents a critical security hygiene failure.
  2. Defense Evasion & Persistence: By pushing a malicious code update to the Klue platform, the attackers modified a trusted application. This aligns with T1505.002 - Server Software Component: Web Shell at a conceptual level, as they modified server-side application logic to perform malicious actions.
  3. Credential Access: The core of the attack was the harvesting of OAuth tokens, a form of access token manipulation. This is consistent with T1528 - Steal Application Access Token.
  4. Collection & Exfiltration: Using the stolen tokens, the attackers made API calls to Salesforce, collecting data directly from the cloud environment. This maps to T1530 - Data from Cloud Storage Object and T1020 - Automated Exfiltration.

The use of stolen OAuth tokens for data exfiltration is particularly insidious. It allows attackers to bypass traditional network-based security controls and makes their activity appear as legitimate application traffic, blending in with normal API calls between integrated services.

Impact Assessment

The business impact of this breach is substantial and multi-faceted:

  • Direct Financial Loss: Victims face costs related to investigation, remediation, and potential extortion payments.
  • Data Exposure: The exfiltrated data, primarily from Salesforce, includes sensitive customer lists, sales pipelines, and competitive intelligence. This information is highly valuable for industrial espionage and targeted sales or phishing campaigns.
  • Reputational Damage: For the nearly 200 affected companies, particularly those in the cybersecurity industry like Huntress and HackerOne, the breach raises questions about their own and their vendors' security postures.
  • Operational Disruption: The temporary disabling of the Salesforce integration and the subsequent investigation efforts caused operational disruption for sales and marketing teams who rely on the Klue platform.
  • Ecosystem Trust Erosion: This incident erodes trust in the interconnected SaaS ecosystem, forcing companies to re-evaluate the security of third-party integrations and the scope of permissions granted to them.

IOCs — Directly from Articles

No specific file hashes, IP addresses, or domains were mentioned in the source articles.

Cyber Observables — Hunting Hints

Security teams may want to hunt for the following patterns to detect similar supply chain attacks targeting SaaS integrations:

Type
log_source
Value
Salesforce Event Monitoring Logs
Description
Monitor for ApiTotalUsage events showing unusual spikes in API calls from a specific connected app, especially outside of business hours.
Type
log_source
Value
SaaS Audit Logs (e.g., Klue, Google Workspace)
Description
Look for anomalous authentications or configuration changes related to third-party application integrations, such as permission scope changes or token refreshes from unusual locations.
Type
command_line_pattern
Value
"grant_type": "refresh_token"
Description
In application logs, monitor for an unusually high volume of OAuth token refresh requests, which could indicate an attacker attempting to maintain persistent access.
Type
network_traffic_pattern
Value
Anomalous data volume from SaaS provider
Description
Monitor network flow data for unusually large data transfers originating from trusted SaaS application IP ranges to unexpected destinations.

Detection & Response

Detecting this type of attack requires a shift from perimeter-focused security to application and identity-centric monitoring.

Detection Strategies:

  1. SaaS Security Posture Management (SSPM): Deploy SSPM tools to continuously audit OAuth token permissions, identify over-privileged applications, and detect risky configurations across the SaaS estate.
  2. Cloud Access Security Broker (CASB): Use a CASB to monitor API traffic between SaaS applications. Configure policies to alert on anomalous data access patterns, such as a user or application suddenly accessing and downloading a large volume of records from Salesforce. This aligns with D3FEND's Network Traffic Analysis (D3-NTA).
  3. Log Monitoring: Ingest audit logs from critical SaaS applications (Salesforce, Microsoft 365, etc.) into a SIEM. Create detection rules for suspicious activities like a third-party app's permissions being escalated or access from a new, previously unseen IP address. This leverages D3FEND's Domain Account Monitoring (D3-DAM).

Response Actions:

  1. Immediately revoke the compromised application's OAuth tokens within the affected SaaS platform (e.g., Salesforce's Connected Apps settings).
  2. Force a password reset and session termination for all users associated with the compromised application.
  3. Analyze audit logs to determine the scope of data accessed and exfiltrated.
  4. Engage the third-party vendor (in this case, Klue) to understand the root cause and ensure the vulnerability has been remediated.

Mitigation

Preventing similar supply chain attacks requires a proactive, defense-in-depth approach to SaaS security.

Immediate Actions:

  1. Audit OAuth Permissions: Immediately review all third-party applications connected to critical SaaS environments like Salesforce and Microsoft 365. Apply the principle of least privilege, revoking any unnecessary or overly broad permissions (e.g., Full access (full)). This is a form of D3FEND Application Configuration Hardening (D3-ACH).
  2. Decommission Legacy Accounts: Implement a rigorous process for identifying and decommissioning all legacy, unused, or abandoned service accounts and their associated credentials.
  3. Enforce MFA on Service Accounts: Where possible, enforce Multi-factor Authentication (MFA) on all accounts, including service accounts. For non-interactive accounts, use certificate-based authentication or IP allow-listing as compensating controls.

Strategic Improvements:

  1. Vendor Risk Management: Enhance vendor security reviews to include specific scrutiny of their software development lifecycle, dependency management, and incident response capabilities.
  2. Network Segmentation: Even in a cloud context, apply segmentation principles. Use firewall rules and CASB policies to restrict which systems can communicate with SaaS provider APIs. This is an application of D3FEND Network Isolation (D3-NI).
  3. Implement Just-in-Time (JIT) Access: For administrative and high-privilege functions, move towards a JIT access model where elevated permissions are granted for a limited time and only for a specific, approved task.

Timeline of Events

1
June 11, 2026
Attackers exploit a legacy credential to gain initial access to Klue's backend systems.
2
June 12, 2026
Klue detects anomalous network activity related to the breach.
3
June 13, 2026
Klue removes the malicious token-stealing code and disables the compromised access.
4
June 16, 2026
The 'Icarus' group begins sending extortion emails to affected Klue customers.
5
June 17, 2026
Salesforce disables the Klue Battlecards integration as a precautionary measure.
6
June 19, 2026
Icarus lists Klue on its dark web leak site, threatening to publish stolen data.
7
June 29, 2026
This article was published

Article Updates

July 8, 2026

LastPass identified as an additional victim in the Klue supply chain attack, expanding the list of affected cybersecurity firms.

MITRE ATT&CK Mitigations

Implement strict lifecycle management for all accounts, especially service accounts, ensuring they are deactivated and credentials rotated or removed when no longer needed.

Enforce MFA on all user and service accounts to prevent unauthorized access even if credentials are compromised.

Audit

M1047enterprise

Regularly audit and monitor SaaS application logs, focusing on authentication events, permission changes, and API usage to detect anomalous activity.

Regularly review and apply the principle of least privilege to the permissions and scopes granted to third-party SaaS integrations.

Timeline of Events

1
June 11, 2026

Attackers exploit a legacy credential to gain initial access to Klue's backend systems.

2
June 12, 2026

Klue detects anomalous network activity related to the breach.

3
June 13, 2026

Klue removes the malicious token-stealing code and disables the compromised access.

4
June 16, 2026

The 'Icarus' group begins sending extortion emails to affected Klue customers.

5
June 17, 2026

Salesforce disables the Klue Battlecards integration as a precautionary measure.

6
June 19, 2026

Icarus lists Klue on its dark web leak site, threatening to publish stolen data.

Article Author

Jason Gomes

Jason Gomes

• Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & AnalysisSecurity Orchestration (SOAR/XSOAR)Incident Response & Digital ForensicsSecurity Operations Center (SOC)SIEM & Security AnalyticsCyber Fusion & Threat SharingSecurity Automation & IntegrationManaged Detection & Response (MDR)

Tags

KlueIcarusSalesforceOAuthSupply Chain AttackData BreachSaaSCybersecurity

📢 Share This Article

Help others stay informed about cybersecurity threats

🎯 MITRE ATT&CK Mapped

Every tactic, technique, and sub-technique used in this threat has been identified and mapped to the MITRE ATT&CK framework for consistent, actionable threat language.

🧠 Enriched & Analyzed

Observables and indicators of compromise (IOCs) have been extracted and cataloged. Risk has been assessed and correlated with known threat actors and historical campaigns.

🛡️ Actionable Guidance

Detection rules, incident response steps, and D3FEND-aligned mitigation strategies are included so your team can act on this intelligence immediately.

🔗 STIX Visualizer

Structured threat data is packaged as a STIX 2.1 bundle and can be visualized as an interactive graph — relationships between actors, malware, techniques, and indicators.

Sigma Generator

Sigma detection rules are derived from the threat techniques in this article and can be converted for deployment across any major SIEM or EDR platform.