Klue Supply Chain Breach Exposes OAuth Tokens and Salesforce Data in Multi-Stage Cybersecurity Incident (June 2026)

Executive Summary

Between June 11 and June 24, 2026, a supply chain breach of Klue, a market intelligence SaaS provider, compromised customer OAuth tokens and led to data exfiltration from nearly 200 organizations, including cybersecurity vendors such as Huntress, Recorded Future, Tanium, and Jamf. The attackers gained initial access through a legacy credential in Klue's integration infrastructure, used it to harvest the OAuth tokens with which Klue connects to customer systems, and then accessed the connected Salesforce environments of downstream customers. The threat actor, identified as Icarus, exfiltrated business contact and sales data and attempted extortion via a Tor-based leak site. A second unauthorized party later claimed access to the same stolen data and launched a separate extortion campaign, indicating that the original attackers were themselves compromised. No evidence has been found of compromise of customer-facing products, infrastructure, or sensitive engineering data, and no passwords or payment card data were affected. The breach underscores the risks inherent in third-party SaaS integrations and the evolving tactics of modern threat actors. All findings are based on direct evidence from Huntress, Infosecurity Magazine, and OffSeq Threat Radar, with all claims corroborated and referenced.

Technical Information

The attack on Klue began with the exploitation of a long-disused but still active credential associated with its integration infrastructure. This credential allowed the attackers to push a code update capable of collecting OAuth tokens used by Klue’s customers to connect to their own systems, most notably Salesforce. By harvesting these tokens, the attackers were able to impersonate Klue within customer environments and directly query CRM tools for sensitive business data.

The attackers' methodology maps to several MITRE ATT&CK techniques. Initial access used a valid account (T1078), namely the legacy integration credential. The attackers then stole application access tokens (T1528) and reused them as alternate authentication material (T1550.001, Application Access Token) to pivot into customer Salesforce environments. Data was collected from information repositories (T1213) and exfiltrated over web services (T1567.002) through legitimate cloud APIs rather than through any attacker-controlled channel inside the victim network.
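The following Python is an added example, not code from Huntress, Klue, Salesforce or Rescana, showing how a Klue customer could hunt its own CRM API logs for the abuse pattern described above: the integration's token used from the IoC addresses listed later in this advisory or from an unfamiliar IP, token use after Klue's June 13 revocation (by which point the token should have been dead), and bulk pulls of contact and sales objects. The JSON-lines log format, the connected-app name "Klue", the baseline IP 203.0.113.10 and the row threshold are assumptions; the sample events are constructed.

```python
"""Hunt for abuse of a stolen integration OAuth token in CRM API logs.

Added example; not code from Huntress, Klue, Salesforce or Rescana.
Assumptions (hypothetical): API activity has been exported as JSON lines
with the fields ts/app/ip/user/object/rows, the connected app appears in
those logs as "Klue", and 203.0.113.10 is the address the integration used
before the incident. The IoC addresses are the four listed in this
advisory's Indicators of Compromise table; the revocation date is the
June 13 entry in its timeline.
"""
import json
from collections import defaultdict
from datetime import datetime, timezone
from ipaddress import ip_address

# Defanged exactly as listed in the advisory's IoC table.
IOC_IPS_DEFANGED = ["138.226.246[.]94", "212.86.125[.]24",
                    "213.111.148[.]90", "94.154.32[.]160"]


def refang(ioc: str) -> str:
    """Undo common IoC defanging so the value can be compared as an address."""
    return ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")


IOC_IPS = {ip_address(refang(x)) for x in IOC_IPS_DEFANGED}
TOKEN_REVOCATION = datetime(2026, 6, 13, tzinfo=timezone.utc)  # Klue revoked all customer OAuth credentials
INTEGRATION_APP = "Klue"                      # hypothetical: connected-app name as it appears in the logs
BASELINE_IPS = {ip_address("203.0.113.10")}   # hypothetical: pre-incident source address of the integration
SENSITIVE_OBJECTS = {"Account", "Contact", "Lead", "Opportunity"}
BULK_ROW_THRESHOLD = 5000                     # rows per call above which a pull looks like an export

# Constructed sample export (not real telemetry).
SAMPLE_LOG = """\
{"ts": "2026-06-05T10:00:00Z", "app": "Klue", "ip": "203.0.113.10", "user": "integration@example.com", "object": "Account", "rows": 40}
{"ts": "2026-06-11T22:14:00Z", "app": "Klue", "ip": "212.86.125.24", "user": "integration@example.com", "object": "Contact", "rows": 12000}
{"ts": "2026-06-12T01:30:00Z", "app": "Klue", "ip": "94.154.32.160", "user": "integration@example.com", "object": "Opportunity", "rows": 8000}
{"ts": "2026-06-12T03:00:00Z", "app": "Internal Reporting", "ip": "198.51.100.7", "user": "analyst@example.com", "object": "Contact", "rows": 9000}
{"ts": "2026-06-14T09:00:00Z", "app": "Klue", "ip": "203.0.113.10", "user": "integration@example.com", "object": "Account", "rows": 10}
"""


def parse_events(text: str) -> list[dict]:
    """Parse JSON-lines API events; timestamps become aware datetimes, IPs become ip_address objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        rec["ip"] = ip_address(rec["ip"])
        events.append(rec)
    return events


def hunt(events: list[dict]) -> list[dict]:
    """Apply the four detections to every event; one finding per event that matches at least one rule."""
    findings = []
    for e in events:
        rules = []
        if e["ip"] in IOC_IPS:
            rules.append("ioc_ip")                    # published attacker infrastructure
        if e["app"] == INTEGRATION_APP:
            if e["ip"] not in BASELINE_IPS:
                rules.append("unfamiliar_source_ip")  # integration's token used from a new location
            if e["ts"] >= TOKEN_REVOCATION:
                rules.append("post_revocation_use")   # token should have been dead by now
        if e["object"] in SENSITIVE_OBJECTS and e["rows"] >= BULK_ROW_THRESHOLD:
            rules.append("bulk_export")               # large pull of CRM contact/sales data
        if rules:
            findings.append({"ts": e["ts"].isoformat(), "app": e["app"], "ip": str(e["ip"]),
                             "user": e["user"], "object": e["object"], "rows": e["rows"], "rules": rules})
    return findings


def rows_by_ip(findings: list[dict]) -> dict[str, int]:
    """Total rows pulled per flagged source IP, to size what may have left the environment."""
    totals = defaultdict(int)
    for f in findings:
        totals[f["ip"]] += f["rows"]
    return dict(totals)


if __name__ == "__main__":
    found = hunt(parse_events(SAMPLE_LOG))
    for f in found:
        print(f"{f['ts']} {f['app']:<18} {f['ip']:<15} {f['object']:<12} rows={f['rows']:<6} {','.join(f['rules'])}")
    print("rows pulled per flagged IP:", rows_by_ip(found))
```

The post-revocation rule is the one to watch closely after the June 13 deactivation: any successful call under the integration's identity after that date means a token survived revocation or was re-issued, and is worth escalating even from a familiar address. The "Internal Reporting" event is flagged only for volume, which is the right outcome; bulk pulls by in-house tooling are a baseline question, not evidence of this incident.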

After exfiltration, the threat actor Icarus listed data for Huntress and other companies on a Tor-based leak site, demanding ransom and threatening to release additional data if demands were not met. The infrastructure used to host the leaked data was traced to AS200593 (PROSPERO OOO, Russian Federation), which has been previously flagged as bulletproof hosting. Extortion emails were sent using compromised infrastructure from the Australian retailer “Global Retail Brands.”

A secondary compromise occurred when another unauthorized party gained access to the same stolen data and initiated a new extortion campaign, further complicating the incident and increasing the risk of additional data exposure.

No specific malware families or custom tools were publicly disclosed in the primary sources. The attack relied on credential abuse, code deployment for OAuth token harvesting, and the abuse of legitimate APIs. No evidence was found of ransomware deployment, destructive actions, or advanced persistent threat (APT) involvement. The focus remained on data theft and extortion.

The breach primarily impacted cybersecurity vendors, insurance providers, social media analytics platforms, and other SaaS customers. The attackers targeted business contact information, sales data, and CRM records. There is no evidence of lateral movement within customer environments beyond the compromised integration, nor of compromise of customer-facing products or sensitive engineering data. The exfiltrated data is, however, well suited to follow-on phishing against the affected organizations and their customers.

Technical analysis and attribution are supported by direct statements and technical details from Huntress, Infosecurity Magazine, and OffSeq Threat Radar. All major claims are corroborated across these sources, and confidence in the attribution to Icarus is high.

Affected Versions & Timeline

The breach affected all organizations using Klue’s integration with Salesforce and potentially other platforms. The timeline of key events is as follows:

June 11, 2026: Initial compromise of Klue's integration infrastructure via a legacy credential.
June 12, 2026: Klue detects anomalous behavior and unusual network connections.
June 13, 2026: Klue deactivates OAuth credentials for all customers and temporarily disables integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and the Slack app.
June 16, 2026: Extortion emails sent to some Huntress staff.
June 17, 2026: Salesforce disables the Klue Battlecards integration.
June 19, 2026: Icarus lists Klue as a victim on its leak site.
June 22, 2026: Data for Huntress and other companies posted on the leak site.
June 24, 2026: A secondary unauthorized party claims access to the stolen data and initiates a new extortion campaign.

The affected versions include all active Klue integrations with Salesforce and other listed platforms as of June 2026. The Salesforce integration remains disabled, and there is no public information on patches or fixes as of the latest reporting.

Threat Activity

The threat actor Icarus executed a supply chain attack by exploiting a legacy credential within Klue’s integration infrastructure. After gaining access, the attackers deployed code to harvest OAuth tokens, enabling them to impersonate Klue and access customer Salesforce environments. The attackers exfiltrated business contact and sales data, then attempted to extort victims by threatening to release the stolen data on a Tor-based leak site.

Following the initial extortion campaign, a second unauthorized party compromised Icarus and gained access to the same stolen data. This party initiated a separate extortion campaign, threatening to release additional victim data unless a “compromise” was reached. The emergence of multiple extortionists increased the risk of further data exposure and complicated incident response efforts.

The attack did not involve ransomware deployment or destructive actions. The focus was on data theft and extortion, with the attackers leveraging the stolen data to pressure victims into paying ransoms. The infrastructure used for data leaks and extortion emails included bulletproof hosting in the Russian Federation and compromised infrastructure from an Australian retailer.

The breach highlights the risks associated with third-party SaaS integrations and the evolving tactics of threat actors, including the use of OAuth token abuse and supply chain targeting.

Mitigation & Workarounds

The following mitigation steps are recommended, prioritized by severity:

Critical: Organizations using Klue integrations should immediately ensure that all affected integrations, especially with Salesforce, remain disabled until official guidance and remediation steps are provided by the vendor. Do not re-enable any Klue integrations without explicit confirmation from Klue or your incident response team.

High: Monitor all communications from Klue and other affected vendors for updates on remediation, patches, or further guidance. Engage with your incident response team to assess potential exposure and verify what data may have been compromised.

High: Be vigilant for phishing campaigns leveraging exfiltrated business contact and sales data. Educate staff to recognize and report suspicious emails, especially those purporting to be from Klue, Huntress, or other affected organizations.

Medium: Review and audit all third-party integrations for unused or legacy credentials. Remove or rotate credentials that are no longer in use, and implement strong credential management practices.

Medium: Coordinate with legal counsel and law enforcement as appropriate, especially if you receive extortion communications or suspect your organization’s data has been exposed.

Low: Continue to monitor threat intelligence sources for updates on the breach and any newly identified indicators of compromise.

No public information on patches or technical fixes has been released as of June 26, 2026. Organizations should rely on vendor advisories and incident response guidance for further action.
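As an added example, not Klue's, Huntress's or Rescana's tooling, the following Python audits an exported inventory of third-party integration credentials for the conditions the Critical and Medium items above call out: a Klue integration that is still enabled after the June 13 revocation, and credentials that are stale or were never used. The inventory records, their field names, the 90-day and 30-day thresholds and the audit date are assumptions; the records are constructed.

```python
"""Audit third-party integration credentials for the conditions this advisory warns about.

Added example; not Klue's, Huntress's or Rescana's tooling. Assumes a
credential inventory exported as records with the fields used below
(hypothetical), a 90-day staleness threshold, a 30-day grace period for
never-used credentials, and that every Klue-provided integration stays
disabled until the vendor gives the all-clear. The inventory is constructed.
"""
from datetime import date, timedelta

STALE_AFTER = timedelta(days=90)         # unused for this long: treat as a legacy credential
NEVER_USED_GRACE = timedelta(days=30)    # never used this long after issuance: remove it
# Vendors whose integrations must stay disabled per this advisory (June 13 revocation).
SUSPENDED_VENDORS = {"Klue"}
AS_OF = date(2026, 6, 26)                # date of the advisory's latest reporting (hypothetical audit date)

# Constructed inventory; dates are ISO strings, last_used is None when never used.
INVENTORY = [
    {"name": "klue-salesforce-connector", "vendor": "Klue", "kind": "oauth_token",
     "created": "2025-02-10", "last_used": "2026-06-12", "enabled": True},
    {"name": "klue-hubspot-sync", "vendor": "Klue", "kind": "oauth_token",
     "created": "2025-04-01", "last_used": "2026-06-10", "enabled": False},
    {"name": "legacy-ci-deploy-key", "vendor": "internal", "kind": "api_key",
     "created": "2023-08-15", "last_used": "2024-11-02", "enabled": True},
    {"name": "vendorx-reporting", "vendor": "VendorX", "kind": "oauth_token",
     "created": "2026-03-01", "last_used": None, "enabled": True},
    {"name": "slack-alerts-bot", "vendor": "Slack", "kind": "api_key",
     "created": "2026-01-20", "last_used": "2026-06-25", "enabled": True},
]


def audit_credential(cred: dict, as_of: date) -> list[str]:
    """Return the policy violations for one credential (an empty list means it passes)."""
    issues = []
    created = date.fromisoformat(cred["created"])
    last_used = date.fromisoformat(cred["last_used"]) if cred["last_used"] else None

    if cred["enabled"] and cred["vendor"] in SUSPENDED_VENDORS:
        issues.append("suspended_integration_still_enabled")
    if cred["enabled"]:
        if last_used is None and as_of - created >= NEVER_USED_GRACE:
            issues.append("never_used")          # issued, never exercised: nobody will miss it
        elif last_used is not None and as_of - last_used >= STALE_AFTER:
            issues.append("stale")               # the "long-disused but still active" case
    return issues


def audit(inventory: list[dict], as_of: date) -> list[dict]:
    """Audit every credential; the action is what the operator should do next."""
    report = []
    for cred in inventory:
        issues = audit_credential(cred, as_of)
        if "suspended_integration_still_enabled" in issues:
            action = "disable_and_revoke_now"
        elif issues:
            action = "rotate_or_remove"
        else:
            action = "keep"
        report.append({"name": cred["name"], "issues": issues, "action": action})
    return report


def run_audit() -> list[dict]:
    """Audit the constructed inventory as of the advisory date."""
    return audit(INVENTORY, AS_OF)


if __name__ == "__main__":
    for row in run_audit():
        print(f"{row['name']:<26} {row['action']:<24} {', '.join(row['issues']) or '-'}")
```

The "stale" rule is the one that would have caught the credential at the root of this incident: a credential that is still enabled but has not authenticated in months. Disabled credentials are skipped by the staleness checks on purpose, since the action there is already taken; if your inventory distinguishes "disabled" from "revoked", extend the audit so a disabled OAuth token that was never revoked is also reported.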

Indicators of Compromise

The following indicators are provided as a point-in-time reference and should be validated before enforcement in your environment.

Type   Indicator          Reported (date)   Source
IP     138.226.246[.]94   2026-06-18        https://www.huntress.com/blog/klue-breach-investigation
IP     212.86.125[.]24    2026-06-18        https://www.huntress.com/blog/klue-breach-investigation
IP     213.111.148[.]90   2026-06-18        https://www.huntress.com/blog/klue-breach-investigation
IP     94.154.32[.]160    2026-06-18        https://www.huntress.com/blog/klue-breach-investigation

References

Huntress Official Incident Report: https://www.huntress.com/blog/klue-breach-investigation

Infosecurity Magazine: https://www.infosecurity-magazine.com/news/klue-breach-compromise/

OffSeq Threat Radar: https://radar.offseq.com/threat/more-klue-breach-victims-identified-as-hackers-get-ac8abc542c2d242f

About Rescana

Rescana provides a Third-Party Risk Management (TPRM) platform that enables organizations to continuously monitor and assess the security posture of their vendors and supply chain partners. Our platform supports rapid identification of third-party integration risks, facilitates evidence-based incident response, and helps organizations maintain visibility into evolving threats across their vendor ecosystem.

We are happy to answer questions at info@rescana.com.