The Integration Threat: Inside the Initial Klue Compromise
Integrations are the soft underbelly of cloud security. You can spend years hardening your network, configuring firewalls, and refining identity policies. But the moment a business unit hooks up a third-party app with a single click, your security perimeter effectively vanishes. That is the hard lesson of the Klue supply chain breach of June 2026.
Let's look at how this happened. Klue, a competitor intelligence SaaS provider, discovered anomalous behavior in its integration infrastructure on June 12, 2026. The initial compromise went down just a day earlier, on June 11. The root cause was embarrassing, yet all too common: a legacy credential, a long-disused but still active password or key that had been left in their integration service environment. The attackers used this stagnant credential to push a code change that did not seek to steal databases or encrypt backups. Instead, it was written specifically to harvest OAuth tokens.
These OAuth tokens were active session identifiers. Klue's customers had granted them so that the vendor's Battlecards application could connect to their CRM platforms, primarily Salesforce. By collecting these tokens, the attackers bypassed the need to attack each customer platform individually. They had the keys to the castle. It was a silent compromise, showing how credential drift in legacy infrastructure can undermine modern federated systems. On June 13, Klue reacted by revoking OAuth credentials and pulling the plug on integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack App. But the damage was already done. The keys were in the wild, and the attackers knew exactly how to use them.
Downstream Salesforce Harvesting via OAuth Abuse
With the stolen OAuth tokens, the attackers didn't waste time trying to crack passwords. They didn't need to. They impersonated Klue's legitimate Battlecards application, making API calls straight to the Salesforce instances of downstream customers.
This was not a manual heist. The threat actors launched automated Python scripts to query Salesforce API endpoints for hours on end, systematically scraping contact records, sales communications, and pricing models. Cybersecurity firms and incident response teams observed this activity and identified specific indicators of compromise. Attackers operated from several IP addresses, such as 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160. They did not deploy ransomware. Their mission was simple: exfiltrate enough CRM data to run high-pressure extortion schemes.
The downstream impact was massive. A large portion of affected organizations turned out to be prominent security players. Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity all reported data leaks from their Salesforce environments. In many ways, this posture failure mirrors the recent LastPass OAuth CRM compromise, where a third-party token leak opened the floodgates to customer record theft. The attackers targeted contact records, sales histories, and communications. For details on how integrations can turn into toxic assets, see our analysis on how the Klue breach unlocked Salesforce data. It was a clean exfiltration sweep that bypassed the traditional defenses of these security organizations.
The Double Extortion Cluster: Icarus Meets a Rival
Shortly after the exfiltration, things went sideways for the attackers. A threat group named Icarus stepped up to claim responsibility for the Klue heist. They listed their victims on a Tor-based leak site hosted on AS200593 (PROSPERO OOO, a known bulletproof host in the Russian Federation).
Icarus sent extortion emails to affected employees (including Huntress staff on June 16) demanding payments. They pressured victims to contact them via Session messenger, using compromised email systems of an Australian retail brand to avoid detection. But cybercrime is a lawless playground. On June 24, a second, unauthorized crew hacked the Icarus infrastructure and grabbed the stolen Salesforce data. They launched their own parallel extortion campaign.
Think about that. If you're one of the victims, you're now getting demands from two separate extortionists for the exact same database. It is an absolute mess, and it exposes the lie that paying criminals solves your problems. You can't trust them to delete the data. Once the data leaves your control, it is gone. If a rival gang can steal the database from the original hacker, your risk of public exposure remains exactly the same.
Tightening the Reins on Legacy API Integrations
So how do we fix this? As a cloud posture specialist, I spend my time cleaning up structural drift before it bites us.
First, if you run any Klue integration, disable it immediately. Keep it disabled until Klue issues a certified threat audit and clear remediation details. Do not trust a quick patch.
Second, start auditing OAuth tokens. The big trap is "set and forget": you set up a connection, the pilot ends, and the token remains active for years. That is a security gap waiting to be abused. Implement automated scans that flag integration keys that have been idle for 30 days, and revoke any that are flagged.
Third, lock down Salesforce API permissions. Most integrations demand full admin permissions to read and write all custom objects. That is reckless. You need to assign the least privilege needed for the specific workload. If the integration only needs to push metadata, it should not have read access to your entire contact database. As we've seen in other enterprise vulnerabilities, even authorized testing can be mislabeled as an attack if security telemetry is siloed. Similarly, legacy integration blind spots remain a massive risk.
Fourth, prepare for the fallout. The exfiltrated sales communications make the perfect base for hyper-targeted phishing campaigns. Attackers can draft emails referencing actual historical conversations, making them look highly legitimate to your sales staff. Keep your teams briefed, check your secrets, and automate credential lifecycle monitoring. We cannot let legacy credentials sit around in our cloud infrastructure.
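One way to automate the first three steps above as a single posture check, as an added example that is not Klue's, Salesforce's or this article's code. It assumes the connected-app inventory has already been exported into a list of records (app name, granting user, granted OAuth scopes, last-used timestamp); the suspended-vendor set and the per-app scope allow-list are constructed placeholders for your own documented requirements.

```python
"""Integration-credential hygiene audit (added example; not Klue's or Salesforce's code).
Flags grants to a vendor under active incident, grants idle over 30 days, and grants
whose OAuth scopes exceed the documented need. Input format is an assumption: records
exported from the CRM platform's connected-app inventory."""
from datetime import datetime, timedelta, timezone

IDLE_LIMIT = timedelta(days=30)
# Vendors whose integrations stay disabled until a remediation audit is published.
SUSPENDED_VENDORS = {"Klue Battlecards"}
# Scopes each integration is documented to need (assumed allow-list; "full" is
# never on it because no integration needs read/write on every object).
REQUIRED_SCOPES = {
    "Klue Battlecards": {"api", "refresh_token"},
    "Marketing Sync": {"api"},
}
# Constructed sample inventory; timestamps are ISO-8601 UTC.
SAMPLE_TOKENS = [
    {"app": "Klue Battlecards", "user": "svc-klue",
     "scopes": ["full", "refresh_token"], "last_used": "2026-06-11T03:12:00Z"},
    {"app": "Marketing Sync", "user": "svc-mkt",
     "scopes": ["api"], "last_used": "2026-02-01T09:00:00Z"},
    {"app": "Pilot BI Tool", "user": "jdoe",
     "scopes": ["api", "web"], "last_used": "2025-09-30T12:00:00Z"},
]

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def audit_tokens(tokens, now_iso):
    """Return (app, user, action) findings; one grant can produce several."""
    now = parse_ts(now_iso)
    findings = []
    for t in tokens:
        if t["app"] in SUSPENDED_VENDORS:
            findings.append((t["app"], t["user"], "disable: vendor under active incident"))
        idle = now - parse_ts(t["last_used"])
        if idle > IDLE_LIMIT:
            findings.append((t["app"], t["user"], f"revoke: idle {idle.days}d > 30d"))
        allowed = REQUIRED_SCOPES.get(t["app"])
        if allowed is None:
            findings.append((t["app"], t["user"], "review: no documented scope need"))
        elif set(t["scopes"]) - allowed:
            excess = sorted(set(t["scopes"]) - allowed)
            findings.append((t["app"], t["user"], f"reduce: excess scopes {excess}"))
    return findings

if __name__ == "__main__":
    for app, user, action in audit_tokens(SAMPLE_TOKENS, "2026-06-13T12:00:00Z"):
        print(f"{app:16} {user:9} {action}")
```

Run against the sample, the Klue grant is flagged twice (suspended vendor, excess "full" scope) even though it was used two days ago, which is the point: recent use is not evidence of legitimacy.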