The breach occurred on June 11, and Klue spotted the intrusion a day later.
Klue: how the supplier responded
Klue, a market intelligence provider used by more than 250,000 companies worldwide, reported that the incident affected “a portion” of its integration infrastructure after an attacker gained access through “a compromised legacy credential associated with an integration service,” Klue CEO Jason Smith wrote in a blog post. According to Smith, the attacker obtained OAuth tokens used to connect Klue with certain third‑party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.
Klue disconnected all of its integrations with Salesforce, Gong, HubSpot, SharePoint, and Google Drive and engaged CrowdStrike to assist with investigation and response. Klue has not published how many customers were affected and did not immediately respond to The Register’s inquiries.
Icarus: a new extortion crew and its tactics
Victim disclosures and posts on a leak site identified a previously little‑known extortion group calling itself Icarus as the actor behind the campaign. According to Icarus’ leak site, the group has been active since April 28. After compromising Klue, the criminals began posting victims and then emailing affected customers, demanding contact via Session IDs and threatening to make data public within 48 hours unless contacted.
Huntress shared one such extortion message with The Register: the subject line read “top secret email” and the sender purported to be “mr bean.” The email stated, in part, “This email is being written to you because your data as [sic] exfiltrated due to a breach happening to your partner, Klue.com (as them). Your Salesforce data has been downloaded. We advice [sic] you to write us on Session @” followed by a Session address, and threatened publication of the data unless Huntress initiated communication. A follow‑up email said “wrong session lol” and listed a corrected Session ID.
There is “very little publicly known about [Icarus],” Huntress’ Lindsey O’Donnell‑Welch told The Register. She said IP addresses from which the group accessed information include the Netherlands, France, and Ukraine, but cautioned that those could be VPN concentrators or Tor exit nodes and “we cannot draw any conclusions based on that information alone.”
Security and software vendors whose CRM data was accessed
Several security and software vendors have disclosed that the attackers accessed CRM data via the Klue‑Salesforce integration. Early disclosures included Huntress, which said it was among the “hundreds of Klue customers” affected. Huntress emphasized that the breach did not affect its tools or “highly secure information such as passwords.”
- Huntress: said “The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales‑related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected.”
- Other named victims who disclosed CRM access: Recorded Future, Tanium, ReliaQuest, Jamf, Gong, HackerOne, Kudelski Security, Snyk, Insurity, and Sprout Social.
Victim companies have generally stated there is no indication their products or infrastructure were compromised and that this security incident appears specific to CRM data accessed through the Klue integration.
Mandiant, ReliaQuest and incident guidance
Mandiant CTO Charles Carmakal urged organizations using Klue integrations to “immediately audit their systems and monitor application logs for evidence of compromise over the past few weeks. Rotate credentials as appropriate based on the scope of compromise.” ReliaQuest noted that the attack “resembles the 2025 and 2026 third‑party OAuth abuse campaigns against Salesforce,” underlining that the technique turns on stolen or abused OAuth tokens exercised through trusted integrations rather than on any break-in to the CRM platform itself.
The compromised legacy credential that let the attacker mint or retrieve OAuth tokens, and Klue’s decision to sever multiple integrations, were the focus of early containment and remediation actions.
How security vendors, enterprise customers, and law enforcement are positioned
- Security vendors: Those publicly acknowledging impact — including Huntress, Recorded Future, Tanium, ReliaQuest, Jamf, Gong, HackerOne, Kudelski, Snyk, Insurity, and Sprout Social — are focusing disclosures on CRM data loss and asserting that product infrastructure and telemetry were not affected. Huntress framed its approach as “radical transparency about security incidents, including when it affects our company.”
- Enterprise customers and procurement leaders: Organizations that rely on Klue integrations will need to audit application logs, rotate credentials and OAuth tokens where appropriate, and review third‑party connections to CRM data, following the advice of investigators such as Mandiant’s Charles Carmakal.
- Law enforcement and investigators: The scale of a supply‑chain compromise of this type “paints an equally large target on the intruders’ collective backs,” the reporting noted, and observers expect additional law‑enforcement and third‑party security scrutiny in the coming days.
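The audit-and-rotate step that Carmakal recommends above, and that the enterprise-customer bullet repeats, worked through as an added example. This is not Klue’s, Salesforce’s, or any named vendor’s code. It triages two Salesforce exports a tenant can pull with SOQL, LoginHistory (logins by a connected app) and OauthToken (tokens issued to that app), flagging logins inside the compromise window that came from outside the vendor’s published egress ranges or failed, and listing every token for the app as a revocation set with the ones used inside the window called out as evidence to preserve first. Assumptions: the field names are those of Salesforce’s LoginHistory and OauthToken objects; the connected-app name “Klue”, the egress range 203.0.113.0/24, the window boundaries, the year 2026 (the page gives only “June 11”) and every sample row are constructed for the example.

```python
"""Triage Salesforce LoginHistory / OauthToken exports for a connected app whose
upstream vendor was compromised.  Added example, not Klue's or Salesforce's code.

Assumed export queries (field names are Salesforce's; the app name is assumed):
  SELECT UserId, Application, LoginType, SourceIp, LoginTime, Status FROM LoginHistory
  SELECT Id, AppName, UserId, LastUsedDate, UseCount FROM OauthToken
Rows are handed in as lists of dicts, one dict per record.
"""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Salesforce API timestamp format, e.g. 2026-06-12T03:14:07.000+0000
SF_TS = "%Y-%m-%dT%H:%M:%S.%f%z"


def parse_ts(s):
    return datetime.strptime(s, SF_TS)


def suspicious_logins(logins, app_names, window_start, window_end, allowed_cidrs):
    """LoginHistory rows for the named connected apps, inside the window, that
    either failed or came from an IP outside the vendor's egress allowlist.
    Each flagged row is returned with a 'reasons' list explaining the hit."""
    nets = [ip_network(c) for c in allowed_cidrs]
    flagged = []
    for row in logins:
        if row["Application"] not in app_names:
            continue
        t = parse_ts(row["LoginTime"])
        if not (window_start <= t <= window_end):
            continue
        reasons = []
        if row["Status"] != "Success":
            reasons.append("status:" + row["Status"])
        src = ip_address(row["SourceIp"])
        if not any(src in n for n in nets):
            reasons.append("source_ip_outside_allowlist")
        if reasons:
            flagged.append({**row, "reasons": reasons})
    return flagged


def tokens_to_revoke(tokens, app_names, window_start):
    """Every OauthToken row for the affected apps goes in 'revoke': rotation is
    per app, not per token, because the attacker held the app's credential.
    Tokens with LastUsedDate inside the window are also listed under
    'used_in_window' so their activity can be pulled before they are revoked."""
    revoke, used = [], []
    for tok in tokens:
        if tok["AppName"] not in app_names:
            continue
        revoke.append(tok["Id"])
        last = tok.get("LastUsedDate")
        if last and parse_ts(last) >= window_start:
            used.append(tok["Id"])
    return {"revoke": revoke, "used_in_window": used}


# --- constructed sample data (IDs, IPs, app name and year are all assumed) ---
INTEGRATION_USER = "005000000000001AAA"  # hypothetical integration user Id
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)   # breach date per page; year assumed
WINDOW_END = datetime(2026, 6, 13, tzinfo=timezone.utc)     # assumed: through disconnection
VENDOR_EGRESS = ["203.0.113.0/24"]                          # assumed vendor egress range

SAMPLE_LOGINS = [
    {"UserId": INTEGRATION_USER, "Application": "Klue", "LoginType": "Remote Access 2.0",
     "SourceIp": "203.0.113.7", "LoginTime": "2026-06-10T09:00:00.000+0000", "Status": "Success"},
    {"UserId": INTEGRATION_USER, "Application": "Klue", "LoginType": "Remote Access 2.0",
     "SourceIp": "198.51.100.23", "LoginTime": "2026-06-11T22:05:00.000+0000", "Status": "Success"},
    {"UserId": INTEGRATION_USER, "Application": "Klue", "LoginType": "Remote Access 2.0",
     "SourceIp": "203.0.113.7", "LoginTime": "2026-06-12T01:30:00.000+0000", "Status": "Success"},
    {"UserId": INTEGRATION_USER, "Application": "Klue", "LoginType": "Remote Access 2.0",
     "SourceIp": "198.51.100.23", "LoginTime": "2026-06-12T02:10:00.000+0000", "Status": "Failed"},
    {"UserId": "005000000000002AAA", "Application": "Browser", "LoginType": "Application",
     "SourceIp": "192.0.2.5", "LoginTime": "2026-06-12T08:00:00.000+0000", "Status": "Success"},
]

SAMPLE_TOKENS = [
    {"Id": "TOK-0001", "AppName": "Klue", "UserId": INTEGRATION_USER,
     "LastUsedDate": "2026-06-12T01:30:00.000+0000", "UseCount": 4412},
    {"Id": "TOK-0002", "AppName": "Klue", "UserId": INTEGRATION_USER,
     "LastUsedDate": "2026-05-20T11:00:00.000+0000", "UseCount": 17},
    {"Id": "TOK-0003", "AppName": "Klue", "UserId": INTEGRATION_USER,
     "LastUsedDate": None, "UseCount": 0},
    {"Id": "TOK-0004", "AppName": "Gong", "UserId": "005000000000003AAA",
     "LastUsedDate": "2026-06-12T05:00:00.000+0000", "UseCount": 900},
]


def run_triage():
    hits = suspicious_logins(SAMPLE_LOGINS, {"Klue"}, WINDOW_START, WINDOW_END, VENDOR_EGRESS)
    plan = tokens_to_revoke(SAMPLE_TOKENS, {"Klue"}, WINDOW_START)
    return hits, plan


if __name__ == "__main__":
    hits, plan = run_triage()
    for h in hits:
        print(h["LoginTime"], h["SourceIp"], h["reasons"])
    print("revoke:", plan["revoke"], "used in window:", plan["used_in_window"])
```

The allowlist check is only as good as the vendor’s published egress ranges; if the vendor cannot supply them, treat every login by the app inside the window as unverified rather than dropping the check. Revoke the whole app’s tokens in one step (per app, not per token), since the attacker held the credential that issues them.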
The breach highlights a familiar but evolving danger: when a widely used integration is abused, CRM systems and sales data across many companies can be exposed rapidly, without any of those companies being attacked directly. With Icarus posting victims and sending extortion demands, and with Klue and third parties conducting active investigations, the near term will be dominated by audits, credential rotations, and forensic follow‑up, and by the question the public record still leaves open: how widely OAuth tokens were abused across Klue’s customer base. Expect further public disclosures and law‑enforcement engagement as that work proceeds.