
Human Error Exposes Security Breaches Despite AI Advances


"Huntress believes in radical transparency about security incidents, including when it affects our company," the firm wrote in response to disclosures tied to a recent Salesforce supply‑chain compromise.

Klue integration with Salesforce: how OAuth tokens were abused

On or around June 11, attackers exploited a "compromised legacy credential" associated with Klue's Salesforce integration, researchers told The Register. Klue — which provides market intelligence to more than 250,000 users worldwide — had retained a legacy integration that still held OAuth tokens, and those tokens were used to access its customers' Salesforce data. The intruders moved through the integration to obtain CRM records from Klue customers' Salesforce environments rather than exfiltrating proprietary code or engineering telemetry.

Icarus: a new extortion gang, not Shiny Hunters

The data theft and extortion operation behind the Klue compromise was attributed to a group calling itself Icarus. The group's leak site has been active since late April; observed IP addresses have included locations in Europe, though investigators noted those could be Tor or VPN exit nodes. Shiny Hunters — often assumed to be behind Salesforce-targeted thefts — denied involvement and told reporters they were "bummed" they were not the ones to have executed the attack. According to The Register, Icarus has both ransomed and publicly leaked portions of the stolen CRM data.

Scope of exposed data: Huntress, LastPass, and CRM records

Several organizations disclosed they were among the affected companies. Huntress said it was one of the compromised organizations and estimated the incident touched "hundreds" of companies; Klue did not publish a definitive count. The breached material was described repeatedly as CRM data — business contacts, price quotes, sales messaging, leads and similar sales-related records. Huntress stated explicitly that "no threat data, passwords, payment card information, or engineering data related to Huntress Agent or telemetry are affected."

LastPass confirmed that some of its customers' data was taken, including names, phone numbers, email addresses, physical addresses, support case data, and sales-related information. LastPass also reported that the intruders were deleting some of the stolen LastPass data, but the company and reporters cautioned there is uncertainty whether deletion reflects permanent removal or redistribution to other actors.

Huntress controversy: an ex‑employee's allegations and the company's response

The Register reported a separate, escalating dispute at Huntress after the firm publicly disclosed its victim status. A former security operations analyst posted criticism on LinkedIn — including a Pinocchio GIF — and alleged the company threatened legal action. That ex‑employee asserted the post stemmed from an earlier December incident and claimed another Huntress employee passed communications from U.S. law enforcement to a cybercriminal who is now allegedly targeting the ex‑employee and their family. The ex‑employee said they would provide proof in coming weeks and alleged the FBI had "caught" the alleged insider but that the person remained employed; The Register noted no Department of Justice notice or arrest tied to these claims was reported.

Huntress's CEO responded both to The Register and on Reddit, acknowledging the concerns and defending the firm's practice of engaging with potential cybercriminals to gather intelligence for partners and customers. The CEO said Huntress "firmly disagrees with these accusations" and is continuing to investigate while cooperating with law enforcement; he also rejected suggestions the company was prioritizing an IPO over safety.

Squidbleed, AI discovery, and the persistence of human error

Amid these supply‑chain and extortion episodes, researchers highlighted other vulnerability vectors found or amplified by AI. A parsing flaw in Squid — dubbed "Squidbleed" in reporting — can expose active proxy memory, and therefore passwords, session tokens, and API keys, if two conditions are met: the traffic is unencrypted HTTP and Squid's FTP gateway features are enabled. The bug dates to 1997 and was disclosed by Mythos, with prior discovery attributed to IL Security. Reporters and guests on The Register's podcast described a wider pattern: advanced models are surfacing old and new vulnerabilities at scale, overwhelming some open‑source maintainers and prompting floods of AI‑generated bug reports.

Still, the conversation circled back to the human factor. Guests recounted classic lapses — an executive keeping an Excel file of employee credentials on a desktop, an old account for an auditor named Greg left active and later used to access a city's water system — to argue that careless password hygiene and administrative shortcuts remain central attack enablers. As one panelist put it, the damage wrought by a single "lazy sysadmin" can dwarf what automated tools accomplish on their own.

What this means for security teams, open‑source maintainers, and sysadmins

  • Security teams and incident responders should anticipate CRM‑integration misuse: OAuth tokens tied to third‑party connectors can provide lateral access into customer environments, so clarity on token lifecycle and credential retirement is essential.
  • Open‑source maintainers face an influx of AI‑discovered reports: volunteers may need triage resources as models surface long‑standing issues like the Squid parsing bug, especially when reports multiply across projects.
  • Systems administrators should prioritize credential hygiene and legacy cleanup: the Klue case and the anecdotal examples in reporting underscore that expired or reused secrets and ad hoc admin practices remain high‑value targets for extortion groups.
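The first recommendation above, an inventory of third‑party connector tokens with clear retirement rules, can be turned into a repeatable audit. The script below is an added example, not code from the article or from any company it names: it takes records shaped like Salesforce's OauthToken object (AppName, UserId, CreatedDate, LastUsedDate) and flags tokens that belong to connectors outside an approved inventory, have never been used or sat idle past a threshold, or were issued before the last forced credential rotation. The records, the approved‑app inventory and the audit date are constructed.

```python
"""Stale OAuth-integration audit over Salesforce-style token records.

Added example, not code from the article or from any company it names.
Field names follow Salesforce's OauthToken object (AppName, UserId,
CreatedDate, LastUsedDate); the records below are constructed, not a
real query result, and the approved-app inventory is hypothetical.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc

def parse_ts(value):
    """Parse the ISO-8601 'Z' timestamps the API returns into aware datetimes."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=UTC)

# Constructed sample records shaped like a SOQL result on OauthToken.
SAMPLE_TOKENS = [
    {"Id": "0Hb000000000001", "AppName": "MarketIntel Connector (legacy)", "UserId": "005000000000001",
     "CreatedDate": "2021-03-02T10:00:00Z", "LastUsedDate": "2024-01-15T08:30:00Z"},
    {"Id": "0Hb000000000002", "AppName": "Sales Enablement Sync", "UserId": "005000000000002",
     "CreatedDate": "2024-05-10T09:00:00Z", "LastUsedDate": "2025-06-10T17:45:00Z"},
    {"Id": "0Hb000000000003", "AppName": "Quote Exporter", "UserId": "005000000000003",
     "CreatedDate": "2023-11-20T12:00:00Z", "LastUsedDate": None},
    {"Id": "0Hb000000000004", "AppName": "Sales Enablement Sync", "UserId": "005000000000004",
     "CreatedDate": "2024-02-01T09:00:00Z", "LastUsedDate": "2025-02-01T09:00:00Z"},
]
APPROVED_APPS = {"Sales Enablement Sync", "Quote Exporter"}  # hypothetical connector inventory
AUDIT_NOW = datetime(2025, 6, 11, tzinfo=UTC)                 # constructed audit time
ROTATION_CUTOFF = datetime(2024, 1, 1, tzinfo=UTC)             # constructed: last forced rotation

def audit_tokens(tokens, now, approved_apps, max_idle_days=90, rotation_cutoff=None):
    """Return one finding per token that fails any retirement check, with every reason it failed."""
    findings = []
    for tok in tokens:
        reasons = []
        if tok["AppName"] not in approved_apps:
            reasons.append("connector not in approved inventory")
        if tok["LastUsedDate"] is None:
            reasons.append("never used")
        elif now - parse_ts(tok["LastUsedDate"]) > timedelta(days=max_idle_days):
            reasons.append(f"idle for more than {max_idle_days} days")
        if rotation_cutoff is not None and parse_ts(tok["CreatedDate"]) < rotation_cutoff:
            reasons.append("issued before the last credential-rotation cutoff")
        if reasons:
            findings.append({"Id": tok["Id"], "AppName": tok["AppName"],
                             "UserId": tok["UserId"], "reasons": reasons})
    return findings

if __name__ == "__main__":
    for f in audit_tokens(SAMPLE_TOKENS, AUDIT_NOW, APPROVED_APPS, rotation_cutoff=ROTATION_CUTOFF):
        print(f["Id"], f["AppName"], "->", "; ".join(f["reasons"]))
```

Each finding is a candidate for revocation review; a token that trips all three checks, like the legacy connector in the sample, is exactly the kind of forgotten credential the Klue reporting describes.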

The week’s thread is plain: sophisticated tooling, including AI, finds vulnerabilities at scale — but old human mistakes and lax credential practices still open the door. The Klue incident and the unfolding Huntress dispute leave concrete questions unresolved — about the full count of affected organizations, the fate of stolen LastPass records, and whether the ex‑employee’s promised documentation will surface — and those answers will determine how deeply this episode reshapes integration hygiene and disclosure norms.
