A sweeping supply chain attack against Klue, the Vancouver-based competitive intelligence platform, has triggered cascading data breaches at more than a dozen major technology and cybersecurity firms, including Huntress, Recorded Future, Jamf, and Tanium. The Icarus extortion group compromised a legacy integration credential at Klue on June 11, 2026, planted malicious code to harvest customer OAuth tokens, and used those tokens to pillage connected Salesforce environments for sensitive business data. The incident has once again exposed the fragility of SaaS-to-SaaS trust relationships and forced Salesforce to disable Klue’s Battlecards app entirely.

Icarus Extortion Group Breaches Klue to Steal Salesforce Data From Major Cybersecurity Firms
How the Attack Unfolded
The intrusion began on June 11, 2026, when threat actors gained access to Klue’s integration infrastructure through a compromised legacy credential tied to an abandoned third-party integration prototype, as described by Jason Smith, the company’s CEO. Rather than exploiting a vulnerability in Klue’s core platform or in Salesforce itself, the attackers weaponized forgotten infrastructure, a credential created for prototyping and never deactivated.
With this foothold, the attackers pushed a malicious code update to Klue’s backend systems designed to collect OAuth tokens that customers used to connect Klue to their own environments, most notably Salesforce. These tokens function as secure digital keys, allowing trusted applications to communicate without repeated password authentication. Once stolen, they granted Icarus precisely the same access privileges that Klue itself enjoyed within each customer’s Salesforce instance.
Klue detected the unauthorized activity on June 12 and immediately began containment. The company revoked affected credentials and tokens, removed the malicious code, disabled impacted integrations, engaged CrowdStrike for forensic support, and notified law enforcement. On June 17, Salesforce took the additional step of disabling the Klue Battlecards app integration within its platform entirely, cutting off all Salesforce-to-Klue connections until further notice.
The Extortion Playbook
Icarus did not deploy ransomware or destroy systems. Instead, the group pursued a pure data theft and extortion model. Beginning on June 16, affected organizations received extortion emails with the subject line “top secret email” from a sender calling themselves “Mr. Brean.” The messages, written in broken English, threatened to publish stolen data within 48 hours unless victims initiated contact via Session Messenger. The Session IDs in these emails matched identifiers posted on the Icarus leak site, giving Huntress and other responders high-confidence attribution.
Icarus formally claimed responsibility on June 19, listing Klue on its data leak site alongside a warning to affected partner companies. On June 22, the group published 3.4 GB of Huntress data on its leak site, confirming the threats were not empty. The leaked files were hosted on infrastructure belonging to PROSPERO, a Russian bulletproof hosting provider whose IP addresses have previously been linked to exploitation campaigns targeting Ivanti Endpoint Manager Mobile.
Icarus is a relatively new threat. The group’s leak site has been active only since April 28, 2026, making this operation one of its first major campaigns. Researchers have found no evidence linking Icarus to ShinyHunters or UNC6395, the actors behind the earlier Salesloft Drift and Gainsight supply chain attacks against Salesforce, despite the apparent similarities in targeting and technique.
What Data Was Stolen
The scope of stolen data varies by victim but follows a consistent pattern. Across all affected organizations, the compromised information was limited to CRM data accessible through the Klue-Salesforce integration. No passwords, payment card data, product source code, threat intelligence, customer vulnerability reports, or engineering systems were breached.
Huntress confirmed that the stolen data included business contacts, price quotes, sales-related communications, and opportunity notes. Recorded Future reported exposure of client contact names, email addresses, and certain business contract information. Tanium disclosed that opportunity names, values, sales messaging, and business contact details, including phone numbers and social media contacts, were accessed. Jamf, Gong, HackerOne, Snyk, OneTrust, Sprout Social, and Insurity have all issued similar disclosures confirming business contact and sales account data exposure.
While none of this data constitutes traditional authentication material, it is exceptionally valuable for follow-on attacks. Stolen business contacts enable highly convincing spear-phishing and business email compromise campaigns. Pricing information and opportunity notes give adversaries insight into sales pipelines, customer relationships, and competitive positioning — intelligence that can be weaponized for secondary extortion, market manipulation, or targeted social engineering.
The Technical Details
ReliaQuest researchers provided the most detailed technical analysis of the attack methodology. After authenticating through the compromised Klue integration service account, the adversary generated fresh OAuth tokens and executed automated Python scripts identifiable by Python-urllib/3.12 and Python-urllib/3.14 user-agent strings.
The attack proceeded methodically. First, the scripts enumerated each target organization’s object catalog. Then they looped REST API queries against the Salesforce query endpoint at/services/data/v59.0/query, paginating results through the QueryMore cursor. In one environment, researchers observed a concentrated burst of nearly one thousand queries in fifteen minutes. In another, the extraction window persisted for more than six hours.
The attacker infrastructure spanned IP addresses in the Netherlands, France, and Ukraine, though investigators cautioned that these locations likely represent VPN concentrators or Tor exit nodes rather than the actors’ actual locations. ReliaQuest noted that this is precisely the type of sustained, automated activity that should trigger alerts — but because it originated from a trusted integration account, it bypassed typical monitoring thresholds.
Why This Matters for Canadian Organizations
The Klue breach carries particular significance for Canadian organizations. Klue is headquartered in Vancouver, and according to market intelligence data, roughly 9.3 percent of its customer base — approximately sixteen Canadian organizations — use its platform. Any Canadian business with a Klue-to-Salesforce integration should immediately audit its access logs for anomalous API activity between June 11 and June 13.
Under PIPEDA, Canada’s private-sector privacy law, any organization that determines a breach of security safeguards involving personal information poses a “real risk of significant harm” must notify the Office of the Privacy Commissioner of Canada and affected individuals as soon as feasible. Business contact information — names, work emails, phone numbers, and titles — constitutes personal information under PIPEDA when it can be linked to an identifiable individual. Organizations that had CRM data exfiltrated through this incident should evaluate whether the sensitivity of the exposed information, combined with the probability of misuse by a known extortion group, meets that threshold.
Failure to report a notifiable breach can result in fines of up to $100,000 CAD per violation. More significantly, the reputational damage and operational disruption from a supply chain compromise of this magnitude can far exceed any regulatory penalty. The Canadian Centre for Cyber Security (CCCS) has repeatedly warned that SaaS supply chain attacks represent one of the fastest-growing threat vectors facing Canadian businesses, particularly those in the technology, financial services, and critical infrastructure sectors.
A Pattern of SaaS Supply Chain Compromise
The Klue incident is not an isolated event. It follows a clear pattern established by the Salesloft Drift attack in August 2025, the Gainsight compromise in November 2025, and a series of smaller third-party OAuth abuse campaigns that have collectively exposed data from hundreds of Salesforce-connected organizations. In each case, attackers understood a fundamental reality of modern cloud architecture: trusted integrations are non-human identities with persistent, often broad access to sensitive data, yet they are monitored far less closely than employee accounts.

The Klue attack also raises questions about organizational resilience. Klue underwent significant staff reductions in June 2025, cutting approximately 40 to 50 percent of its workforce as it pivoted toward AI-focused investments. While no direct causal link has been established, security professionals have noted that the company does not currently list a dedicated cybersecurity executive on its leadership page — a gap that may have contributed to the prolonged viability of a forgotten integration credential.
Key Takeaways
- The Icarus extortion group breached Klue’s integration infrastructure on June 11, 2026, using a compromised legacy credential to harvest customer OAuth tokens and steal Salesforce CRM data.
- Confirmed victims include Huntress, Recorded Future, Jamf, Tanium, HackerOne, Snyk, OneTrust, Gong, Sprout Social, and Insurity, with more disclosures expected.
- Stolen data is limited to business contacts, sales communications, pricing, and opportunity notes; no passwords, payment data, or product engineering systems were compromised.
- Icarus published 3.4 GB of Huntress data on its leak site on June 22, confirming an active extortion campaign targeting multiple victims simultaneously.
- The attack technique abusing trusted OAuth integrations follows a pattern seen in the Salesloft, Drift, and Gainsight supply chain attacks, signaling a sustained criminal focus on SaaS middleware providers.
- Klue is Vancouver-based, and approximately sixteen Canadian organizations in its customer base may be affected, triggering potential PIPEDA breach notification obligations.
- Detection is challenging because malicious API activity originates from trusted integration accounts, bypassing conventional anomaly detection thresholds.
What You Should Do Now
- Audit your Salesforce integration logs immediately for anomalous API queries between June 11 and June 13, 2026. Look for Python-urllib user-agent strings, bursts of query activity against
/services/data/v59.0/query, and large-scale data exports via QueryMore pagination. - Inventory every OAuth-connected third-party application in your SaaS environment. Remove unused, unauthorized, or abandoned integrations. Rotate all active integration tokens and service account credentials on a regular schedule.
- Evaluate PIPEDA breach notification obligations if your organization is Canadian and had CRM data exposed through the Klue incident. Document your risk-of-harm assessment and consult legal counsel if the threshold for notification is unclear.
- Implement SaaS Security Posture Management (SSPM) and Data Loss Prevention (DLP) tooling to gain continuous visibility into third-party integrations, risky configurations, and unauthorized data movement across cloud applications.
- Alert your sales and customer-facing teams to the heightened risk of spear-phishing and social engineering campaigns using Klue-specific or Salesforce-specific context derived from stolen CRM data. Verify unexpected communications through independent channels.
- Apply the principle of least privilege to all integration accounts. Limit the data scopes, API permissions, and object access granted to third-party applications to only what is strictly necessary for their function. Monitor these non-human identities with the same rigor applied to employee accounts.