Klue OAuth Supply-Chain Breach Exposed Salesforce Data Across Multiple Customers
Attackers breached Klue, a market intelligence platform, by abusing a compromised legacy integration credential and planting malicious code that harvested customer OAuth tokens from Klue's integration infrastructure. The stolen tokens were then used to access connected Salesforce environments through the Klue Battlecards app and exfiltrate CRM data via Salesforce REST API queries, with reporting describing automated Python-based collection, burst querying, and use of endpoints such as /services/data/v59.0/query/*. Klue said it detected unauthorized activity on June 12, revoked affected credentials and tokens, removed the malicious code, disabled impacted integrations, engaged CrowdStrike, and notified law enforcement, while Salesforce separately disabled the Klue Battlecards connection and said the incident did not result from a vulnerability in the Salesforce platform itself.
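The burst querying against the Salesforce REST query endpoint described above is something a defender can look for in Salesforce API event logs. The following is an added example, not code from the page or from Klue, Salesforce or Datadog: it parses a constructed log export (the column names are an assumption, not the exact export schema) and flags any connected app that issues more than a threshold of query calls inside a sliding window.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample shaped like a Salesforce REST API event-log export.
# Column names are an assumption for illustration, not the real schema.
SAMPLE_LOG = """TIMESTAMP,USER_ID,CONNECTED_APP,METHOD,URI,CLIENT_IP
2026-06-11T22:00:00Z,005EXAMPLE1,Internal Dashboard,GET,/services/data/v59.0/query/?q=SELECT+Id+FROM+Account,10.0.0.5
2026-06-11T22:01:03Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/sobjects/Account/describe,203.0.113.9
2026-06-11T22:01:04Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/?q=SELECT+Id+FROM+Contact,203.0.113.9
2026-06-11T22:01:06Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/01gEXAMPLE-2000,203.0.113.9
2026-06-11T22:01:08Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/01gEXAMPLE-4000,203.0.113.9
2026-06-11T22:01:11Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/01gEXAMPLE-6000,203.0.113.9
2026-06-11T22:01:13Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/?q=SELECT+Id+FROM+Opportunity,203.0.113.9
2026-06-11T22:01:16Z,005EXAMPLE2,Klue Battlecards,GET,/services/data/v59.0/query/01gEXAMPLE-8000,203.0.113.9
2026-06-11T22:06:00Z,005EXAMPLE1,Internal Dashboard,GET,/services/data/v59.0/query/?q=SELECT+Id+FROM+Lead,10.0.0.5
"""

# Covers both the initial SOQL query and the queryMore pagination calls.
QUERY_PREFIX = "/services/data/v59.0/query"


def parse_log(text):
    """Parse the CSV export into dicts, adding a datetime under 'TS'."""
    rows = list(csv.DictReader(StringIO(text)))
    for row in rows:
        row["TS"] = datetime.strptime(row["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
    return rows


def detect_query_bursts(rows, window_seconds=60, threshold=5):
    """Return {(user, app): peak_calls} for principals whose query calls
    reach `threshold` inside any sliding window of `window_seconds`."""
    calls = defaultdict(list)
    for row in rows:
        if row["URI"].startswith(QUERY_PREFIX):
            calls[(row["USER_ID"], row["CONNECTED_APP"])].append(row["TS"])
    alerts = {}
    for key, stamps in calls.items():
        stamps.sort()
        start, peak = 0, 0
        for end, ts in enumerate(stamps):
            # Slide the window start forward until it fits the time budget.
            while (ts - stamps[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            alerts[key] = peak
    return alerts


if __name__ == "__main__":
    for (user, app), n in detect_query_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"BURST: user={user} app={app!r} peak={n} query calls per 60s")
```

Thresholds need tuning per org, since a legitimate integration that syncs records on a schedule will also page through query results; baseline each connected app before alerting on it.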
The breach has been linked by Huntress and other responders to the Icarus extortion group, which allegedly sent ransom emails and threatened to leak stolen data on its site. Publicly disclosed victims include Huntress, Recorded Future, Jamf, Tanium, HackerOne, OneTrust, Snyk, Sprout Social, Gong, Insurity, and others, with exposed information generally limited to business CRM records such as contacts, account data, quotes, sales communications, and contract-related details. Affected companies said there was no evidence that core products, internal infrastructure, passwords, payment card data, engineering systems, or customer security telemetry were compromised, but several warned that the stolen contact data could be used in follow-on phishing and social engineering campaigns.
How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Icarus sets June 22 deadline to publish stolen data
SecurityWeek reported that Icarus threatened to publish the stolen data unless negotiations occurred by 2026-06-22. This marked a public escalation of the extortion campaign following the compromise of Klue-connected Salesforce environments.
More victims publicly disclose impact from Klue breach
By 2026-06-22, at least nine organizations had publicly disclosed impact from the Klue incident, including HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity, Sprout Social, and Gong. Disclosures consistently described the stolen information as Salesforce business or CRM data rather than compromise of core products or internal infrastructure.
Icarus publicly claims the Klue attack on leak site
On 2026-06-19, reporting said the Icarus extortion group publicly claimed responsibility for the Klue intrusion on its leak site. The claim followed earlier victim extortion emails and tied the broader Salesforce data theft campaign to Icarus rather than older ShinyHunters-branded activity.
HackerOne discloses copied Salesforce CRM data
On 2026-06-19, HackerOne disclosed that the Klue breach led to unauthorized access and copying of CRM data through Klue's OAuth integration with its Salesforce instance. HackerOne said its products and infrastructure were not impacted and that customer vulnerability data was not stored in the affected CRM environment.
Klue publicly confirms security incident
By 2026-06-19, Klue had publicly confirmed that attackers used a compromised legacy credential to obtain OAuth tokens for third-party platforms, including Salesforce, and access data in multiple customers' connected environments. Klue said it revoked affected credentials and tokens, removed unauthorized code, engaged CrowdStrike, and notified law enforcement.
Tanium discloses CRM data exposure via Klue
On 2026-06-18, Tanium disclosed that unauthorized access to its Salesforce CRM data occurred through Klue's OAuth integration. Tanium said the incident did not affect its products or cloud infrastructure and was limited to sales account and business contact information.
Jamf discloses unauthorized access to Salesforce data
On 2026-06-18, Jamf disclosed that an unauthorized party accessed data in its Salesforce instance through Klue's integration. Jamf said the incident was confined to Klue's environment and that it found no evidence of lateral movement into its own products or core infrastructure.
Huntress publicly discloses impact and attributes attack to Icarus
On 2026-06-18, Huntress disclosed that its Salesforce data was stolen in a Klue-originated supply chain attack and said the exposed data included business contacts, quotes, sales communications, and competitive reports. Huntress assessed with high confidence that the extortion group Icarus was responsible for the Klue compromise.
CFGI targeted in ShinyHunters extortion campaign
In March 2026, financial consulting and advisory firm CFGI was targeted in a pay-or-leak extortion campaign attributed to ShinyHunters. The actor later publicized data it claimed to have obtained, including corporate contact information affecting 243,000 unique email addresses.
Recorded Future confirms Salesforce impact
On 2026-06-17, Recorded Future confirmed that a compromised OAuth token tied to the Salesforce-Klue integration affected elements of its Salesforce account. The company said the exposure appeared limited to business data such as client contact names, email addresses, and potentially some contract information.
Salesforce disables Klue Battlecards connection
On 2026-06-17, Salesforce disabled the Klue Battlecards app connection after detecting unusual activity that may have led to unauthorized access to a subset of customer data. Salesforce said the issue was limited to Klue's integration and did not stem from a vulnerability in Salesforce itself.
Huntress receives extortion emails tied to Icarus
On 2026-06-16, Huntress said it received extortion emails after data was stolen through the Klue compromise. Huntress linked the messages to the emerging Icarus group using matched Session Messenger identifiers and related infrastructure.
Klue issues customer alert and disables integrations
On 2026-06-13, Klue issued a general customer alert about the incident and suspended or disabled multiple integrations while investigating. Reporting says this included revoking customer OAuth credentials and disrupting connections to Salesforce and other SaaS platforms.
Klue detects unauthorized activity and begins containment
On 2026-06-12, Klue detected unusual or unauthorized activity in its environment tied to the compromised integration layer. Klue began containment by revoking affected credentials and tokens, removing unauthorized code, and disabling impacted integrations.
Attackers compromise Klue backend using legacy credential
On 2026-06-11, attackers used a compromised dormant or legacy Klue credential tied to an integration service or prototype to access Klue's backend infrastructure. They then inserted malicious code to harvest customer OAuth tokens used by connected third-party services, especially Salesforce.
Sources
Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies (cybersecuritynews.com)
Salesforce Disables Klue Integration After OAuth Token Theft Hits Customer Data (hackread.com)
More Cybersecurity Firms Disclose Impact From Klue Hack (securityweek.com)
Detecting the Klue supply chain attack in Salesforce instances, Datadog Security Labs (securitylabs.datadoghq.com)
Klue Third-Party Cybersecurity Incident (jamf.com)
Trust Status (status.salesforce.com)
Klue Security Incident - June 2026, Sprout Social Support (support.sproutsocial.com)
Update from OneTrust on Klue-Salesforce Security Incident, OneTrust Blog (onetrust.com)