A supply-chain attack involving Klue’s Salesforce-linked integrations has compromised customer data from hundreds of companies, including prominent cybersecurity vendors, as the new extortion group Icarus exploits stolen CRM information.
- Attackers used stolen OAuth tokens to access Salesforce data via Klue’s integrations.
- Hundreds of companies, including security firms, had CRM data exposed; product infrastructure was not affected.
- The Icarus extortion group emerged as the culprit, demanding ransom to prevent data leaks.
What happened
On June 11, Klue detected unauthorized access originating from a compromised legacy credential associated with an integration service. This allowed attackers to acquire OAuth tokens to infiltrate various third-party platforms including Salesforce. The breach compromised CRM data such as business contacts, price quotes, and sales communications but did not affect core product tools, passwords, or telemetry.
Following the breach, Klue disconnected all integrations with Salesforce, Gong, HubSpot, SharePoint, and Google Drive to contain the impact. The company retained CrowdStrike to lead the incident investigation and remedial security actions. Initial victims publicly confirming impact include Huntress and several other cybersecurity and software companies, collectively amounting to hundreds of affected customers.
Why it matters
This incident illustrates the risks posed by third-party integration vulnerabilities in widely used SaaS ecosystems. Attackers gaining persistent access through legacy credentials can exploit interconnected platforms to harvest sensitive business intelligence and customer data without breaching core security controls or product infrastructure.
Furthermore, the breach underlines challenges in securing complex supply chains where privileged API access and OAuth tokens become attack vectors. The involvement of high-profile security firms as victims highlights how attackers increasingly focus on data at the CRM integration layer to leverage extortion opportunities, causing reputational and operational harm.
What to watch next
Organizations using Klue integrations or similar CRM-linked services should immediately audit recent activity, monitor application logs for suspicious behavior, and rotate all credentials and tokens where compromise is possible. Security researchers advise heightened vigilance against emerging threats exploiting OAuth abuse and integration services.
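One way to run the audit described above over an exported integration access log, as an added example that is not code from Klue, Salesforce or the original article: it baselines each connected app's source networks and per-request row counts, then flags later requests from unseen networks or with unusually large result sets. The column names, app names and sample rows are constructed assumptions, not a real vendor log schema.

```python
import csv
import io
import ipaddress
from datetime import datetime
from statistics import median

# Constructed sample export. Column and app names are hypothetical, not a real
# Salesforce or Klue schema; the IPs come from documentation-only ranges.
SAMPLE_LOG = """\
timestamp,app,source_ip,rows_returned
2026-05-20T09:00:00,crm-connector,192.0.2.10,120
2026-05-22T09:00:00,crm-connector,192.0.2.11,150
2026-06-02T03:14:00,crm-connector,203.0.113.77,48000
2026-06-02T09:00:00,crm-connector,192.0.2.10,110
2026-06-03T09:00:00,crm-connector,192.0.2.12,5200
2026-06-04T11:00:00,new-app,198.51.100.9,10
"""

def network_of(ip, prefix=24):
    """Collapse an address to its /24 so normal egress-pool churn is not flagged."""
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def flag_integration_activity(log_text, review_start, volume_factor=5):
    """Baseline each app before review_start, then flag later deviations."""
    rows = list(csv.DictReader(io.StringIO(log_text)))
    start = datetime.fromisoformat(review_start)
    nets, volumes, findings = {}, {}, []
    for r in rows:  # pass 1: what did each app look like before the window?
        if datetime.fromisoformat(r["timestamp"]) < start:
            nets.setdefault(r["app"], set()).add(network_of(r["source_ip"]))
            volumes.setdefault(r["app"], []).append(int(r["rows_returned"]))
    for r in rows:  # pass 2: compare every request inside the review window
        if datetime.fromisoformat(r["timestamp"]) < start:
            continue
        app, reasons = r["app"], []
        if app not in nets:
            reasons.append("no-baseline")  # app first appears inside the window
        else:
            if network_of(r["source_ip"]) not in nets[app]:
                reasons.append("new-network")
            if int(r["rows_returned"]) > volume_factor * median(volumes[app]):
                reasons.append("volume-spike")
        if reasons:
            findings.append((r["timestamp"], app, reasons))
    return findings

if __name__ == "__main__":
    print(*flag_integration_activity(SAMPLE_LOG, "2026-06-01T00:00:00"), sep="\n")
```

Flagged apps are the ones whose tokens and credentials should be rotated first; the `/24` grouping and the `volume_factor` threshold are tuning choices to adjust to the integration's normal behavior.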
Klue’s ongoing investigation with CrowdStrike and responses from victims and law enforcement will provide further clarity on the extent of data exposure and attacker methods. The activity of the Icarus group, active since April 2026, and its extortion attempts targeting breached companies are expected to drive increased attention on supply-chain security risks associated with SaaS ecosystems.