Klue OAuth Integration Breach Exposes Salesforce Customer Data in Icarus Supply Chain Attack

Executive Summary

On June 12, 2026, Klue, a market intelligence platform, identified unauthorized activity within its integration infrastructure, leading to the compromise of OAuth tokens used to connect customer environments, most notably Salesforce. The incident was traced to a compromised legacy credential, which allowed attackers to access and exfiltrate sensitive business data from multiple organizations through third-party integrations. The newly emerged Icarus extortion group has publicly claimed responsibility for the attack, pressuring victims via extortion emails and their leak site. Affected organizations include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. The stolen data primarily consists of business contacts, sales communications, pricing information, and opportunity notes from customer Salesforce instances. There is no evidence that customer content stored directly within the Klue platform, payment card data, passwords, or internal product telemetry were impacted. Klue responded by revoking affected credentials and tokens, disabling impacted integrations, removing unauthorized code, engaging CrowdStrike for incident response, and notifying law enforcement. The incident highlights significant supply chain risks associated with SaaS integrations and the potential for follow-on phishing, social engineering, and extortion campaigns using stolen business contact data. All findings are based on official statements and technical analyses from Klue, Huntress, and other affected organizations, with attribution to Icarus supported by technical evidence and public claims. https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/, https://www.huntress.com/blog/klue-breach-investigation

Technical Information

The Klue OAuth breach represents a sophisticated supply chain attack leveraging a combination of credential compromise, code injection, and abuse of legitimate API integrations. The initial access vector was a legacy credential associated with Klue’s integration service, originally created for prototyping a third-party integration and left active despite being disused. This credential enabled the attacker to push a code update to Klue’s backend systems, which collected OAuth tokens used by Klue customers to connect to their own environments, including Salesforce and Gong.

Once in possession of these OAuth tokens, the attacker used Python scripts to automate queries against the Salesforce API, exfiltrating business contacts, sales communications, pricing information, and opportunity notes. The technical investigation by Huntress revealed that the malicious requests to Salesforce targeted the /services/data/v59.0/query/<STRING> endpoint, with user-agent strings such as "Python-urllib/3.12" and "Python-urllib/3.14" observed in nearly 900 queries. The attacker’s infrastructure included IP addresses in the Netherlands, France, and Ukraine, with at least one address (138.226.246[.]94) previously linked to spam campaigns.

The attack did not involve custom malware or ransomware; instead, it relied on abusing legitimate credentials and APIs. The attacker maintained persistence by leveraging the compromised integration infrastructure and used extortion emails to pressure victims. These emails were sent from compromised Australian retail domains with valid SPF and DMARC records, indicating the use of legitimate mail servers. The extortion communications directed victims to contact the attacker via Session Messenger, with Session IDs matching those posted on the Icarus leak site.

The Icarus group, active since April 2026, has demonstrated a consistent pattern of targeting organizations through supply chain compromises, focusing on exfiltration of valuable business intelligence and CRM data for extortion. Attribution to Icarus is supported by matching Session Messenger IDs, consistent tactics, and public claims of responsibility.

The technical response from Klue included immediate revocation of affected credentials and OAuth tokens, disabling of impacted integrations (including Salesforce, Gong, HubSpot, SharePoint, Zoom, Chorus, Clari, Google Drive, and Slack App), removal of unauthorized code, engagement of CrowdStrike for incident response, and notification of law enforcement. The incident underscores the risks inherent in third-party SaaS integrations and the cascading impact of a single credential compromise.

Affected Versions & Timeline

The breach affected Klue’s integration infrastructure and, by extension, any customer environments connected via OAuth tokens, particularly those integrated with Salesforce and Gong. The attack did not impact the core Klue platform or customer data stored directly within it.

The verified timeline is as follows: On June 11, 2026, anomalous behavior was detected in Klue’s integration infrastructure. On June 12, Klue discovered unauthorized activity and began an investigation. By June 13, Klue had disabled OAuth credentials and integrations and issued a customer alert. On June 16, extortion emails were sent to affected organizations, including Huntress. Public disclosures by Klue, Huntress, and other victims, as well as the public claim of responsibility by Icarus, occurred between June 18 and 19, 2026. https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/, https://www.huntress.com/blog/klue-breach-investigation

Threat Activity

The threat activity was orchestrated by the Icarus extortion group, which exploited a legacy credential to gain access to Klue’s integration infrastructure. The attacker deployed a code update to harvest OAuth tokens, then used these tokens to access and exfiltrate data from customer Salesforce and Gong environments. The exfiltrated data included business contacts, sales communications, pricing, and opportunity notes, but did not include payment card data, passwords, or internal product telemetry.

The attacker used Python scripts to automate API queries and exfiltration, with technical indicators including specific user-agent strings and IP addresses in the Netherlands, France, and Ukraine. Extortion emails were sent from compromised Australian retail domains, instructing victims to contact the attacker via Session Messenger. The Icarus group publicly claimed responsibility on their leak site, listing Klue and affected organizations as victims and threatening to leak stolen data unless contacted.

The attack demonstrates a supply chain compromise model, where the compromise of a SaaS provider (Klue) enabled access to downstream customer environments. The focus was on data theft and extortion, with no evidence of ransomware deployment or destructive actions. The stolen business contact data poses a risk of follow-on phishing, social engineering, and further extortion campaigns. https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/, https://www.huntress.com/blog/klue-breach-investigation

Mitigation & Workarounds

The following mitigation and workaround actions are prioritized by severity:

Critical: Immediately revoke and rotate all OAuth tokens and credentials associated with Klue integrations, especially those connected to Salesforce, Gong, and other third-party platforms. Disable affected integrations until a full security review is completed. Review all access logs for anomalous activity, focusing on API queries with suspicious user-agent strings ("Python-urllib/3.12", "Python-urllib/3.14") and originating from the identified attacker IP addresses (138.226.246[.]94, 212.86.125[.]24, 213.111.148[.]90, 94.154.32[.]160).
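One way to carry out the log review described above, combining the attacker IP, user-agent and query-endpoint indicators from the Technical Information section, as an added example that is not code from Klue, Huntress or Rescana. The CSV column layout and the sample rows are constructed for illustration and would need to be mapped onto a real Salesforce event log export.

```python
"""Flag Salesforce API access log rows matching the Klue/Icarus indicators (added example)."""
import csv
import io
import re

# Indicators quoted in the advisory, with the defanged "[.]" notation undone.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
IOC_USER_AGENTS = {"Python-urllib/3.12", "Python-urllib/3.14"}
# Endpoint the exfiltration queries hit; the trailing string is the per-query identifier.
QUERY_URI = re.compile(r"^/services/data/v59\.0/query/")

# Constructed sample log (assumed columns, not the real Salesforce event log schema).
SAMPLE_LOG = """timestamp,user,client_ip,user_agent,uri
2026-06-12T01:15:02Z,integration@example.com,138.226.246.94,Python-urllib/3.12,/services/data/v59.0/query/01gxx0000000001
2026-06-12T01:15:07Z,integration@example.com,138.226.246.94,Python-urllib/3.12,/services/data/v59.0/query/01gxx0000000002
2026-06-12T09:30:44Z,alice@example.com,203.0.113.7,Mozilla/5.0,/lightning/o/Opportunity/list
2026-06-12T10:02:11Z,integration@example.com,203.0.113.9,Python-urllib/3.14,/services/data/v59.0/query/01gxx0000000009
2026-06-12T10:05:00Z,bob@example.com,198.51.100.4,Mozilla/5.0,/services/data/v59.0/sobjects/Account
"""

def classify(row):
    """Return the list of indicator names that match one log row (empty if clean)."""
    reasons = []
    if row["client_ip"] in IOC_IPS:
        reasons.append("ioc_ip")
    if row["user_agent"] in IOC_USER_AGENTS:
        reasons.append("ioc_user_agent")
    if QUERY_URI.match(row["uri"]):
        reasons.append("query_endpoint")
    return reasons

def hunt(log_text):
    """Group flagged rows by (user, client_ip) with hit counts, reasons and first-seen time."""
    hits = {}
    for row in csv.DictReader(io.StringIO(log_text)):
        reasons = classify(row)
        # The query endpoint alone is normal integration traffic; require an IP or UA indicator too.
        if not any(r.startswith("ioc_") for r in reasons):
            continue
        key = (row["user"], row["client_ip"])
        entry = hits.setdefault(key, {"count": 0, "reasons": set(), "first_seen": row["timestamp"]})
        entry["count"] += 1
        entry["reasons"].update(reasons)
    return hits

if __name__ == "__main__":
    for (user, ip), info in hunt(SAMPLE_LOG).items():
        print(f"{user} from {ip}: {info['count']} hits, {sorted(info['reasons'])}, first seen {info['first_seen']}")
```

A burst of query-endpoint hits from one integration user with an indicator user-agent is the pattern worth escalating; the script reports it per user and source IP so the affected OAuth token can be identified and revoked.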

High: Conduct a comprehensive audit of all legacy and unused credentials within integration infrastructure. Remove or rotate any credentials that are no longer required. Implement strict credential lifecycle management and enforce multi-factor authentication (MFA) for all integration accounts.

Medium: Monitor for follow-on phishing, social engineering, and extortion attempts targeting business contacts whose data may have been compromised. Educate staff on recognizing and reporting suspicious communications, especially those referencing the Klue incident or using Session Messenger for contact.

Low: Review and update incident response and supply chain risk management procedures to account for third-party SaaS integration risks. Engage with third-party vendors to ensure they have robust credential management and incident response practices.

All organizations using Klue integrations should coordinate with their internal security teams and third-party vendors to ensure all recommended actions are implemented. Ongoing monitoring and communication with affected partners are essential to mitigate further risks. https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/, https://www.huntress.com/blog/klue-breach-investigation

References

https://www.bleepingcomputer.com/news/security/klue-oauth-breach-victim-list-grows-as-icarus-hackers-claim-attack/

https://www.huntress.com/blog/klue-breach-investigation

About Rescana

Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external vendors and SaaS integrations. Our platform enables continuous visibility into supply chain exposures, supports credential hygiene best practices, and facilitates rapid response to third-party incidents. For questions regarding this advisory or to discuss your organization’s supply chain risk posture, contact us at ops@rescana.com.