Klue — OAuth integration compromise feeding Icarus Salesforce data theft

Attackers compromised Klue's integration platform via a legacy credential, harvested customers' OAuth tokens and exfiltrated Salesforce and Gong data from multiple organisations; Icarus claimed responsibility.

Target: Klue — OAuth integration compromise feeding Icarus Salesforce data theft
Date public: 18 June 2026
Sector: Technology
Attack type: Supply Chain
Threat actor: Icarus (extortion group)
Severity: High
Region: Global (Klue HQ: Vancouver, Canada)

Klue, a Vancouver-based competitive- and market-intelligence SaaS platform, identified unauthorised activity inside its integration infrastructure on 12 June 2026. The company traced the intrusion to a compromised legacy credential, which the attacker used to push a code update into Klue’s integration layer. That update harvested the OAuth tokens Klue holds to connect into customer environments — most importantly Salesforce, but also Gong, HubSpot, SharePoint, Zoom, Slack and others. With valid tokens in hand, the attacker reached straight into customers’ Salesforce and Gong instances and exfiltrated data, without ever touching a customer password or triggering a customer-side login alert.

Public disclosure came on 18 and 19 June 2026, when Klue and several named victims went public and a newly surfaced extortion group calling itself Icarus claimed the attack, began emailing victims and listed them on a leak site. The confirmed victim list has grown through the week and skews heavily towards the security industry itself: Huntress, HackerOne, Recorded Future, Tanium, Jamf, Sprout Social and Insurity among them, alongside Gong. The stolen material is described as Salesforce CRM and sales-conversation data: business contacts, opportunity notes, pricing and pipeline detail rather than bulk consumer PII.

Klue’s response, with CrowdStrike engaged for incident response, was to revoke the affected credentials and OAuth tokens, disable the impacted integrations, and remove the unauthorised code. Salesforce separately disabled the Klue connected app across its platform, cutting the token-abuse path at the provider end.

This incident belongs to the same broad theme as the ShinyHunters Salesforce cluster already in this index — Salesloft/Drift, Cushman & Wakefield, Pitney Bowes and Vimeo/Anodot — but the access technique is materially different and worth separating. The ShinyHunters intrusions started with a phished or vished employee identity. Klue started with a poisoned third-party application: the attacker did not need anyone at the victim organisations to fall for anything. They compromised one upstream vendor, stole the OAuth grants those victims had already issued, and walked in through a trusted, pre-authorised channel. From the victim’s logs it looks like Klue, because it is Klue.

The defender lesson sits in the part most organisations never inventory: the OAuth grants and connected apps that third-party SaaS tools hold into their crown-jewel systems. A breach of any one of those vendors converts directly into a breach of your Salesforce. Token scope, grant expiry, and the ability to see and revoke connected-app sessions independently of the vendor are the controls that decide how bad this gets.
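The two controls above, the grant inventory and independent visibility into what a connected app is doing, can both be exercised against exported Salesforce records. The script below is an added example for this entry, not Klue's, Salesforce's or CrowdStrike's code. It first reviews an OauthToken-style export for connected apps that are not in your vendor register or whose tokens have gone unused for months, then builds a per-app behavioural baseline from ApiEvent-style records and flags an app that suddenly queries objects it never touched before, from a new source IP, or at a volume far above its norm. Field names are modelled on Salesforce's OauthToken object and the Real-Time Event Monitoring ApiEvent object; every row is constructed, and the app names, IPs, dates and thresholds are invented for the example.

```python
"""Added example for this entry, not Klue's, Salesforce's or CrowdStrike's code.

Two checks a Salesforce admin can run offline against exported records to
catch a connected app that is acting with valid OAuth tokens:
  1. a grant inventory that flags connected apps outside the vendor register
     or whose tokens have gone unused for a long time;
  2. a per-app behavioural baseline that flags an app suddenly querying
     objects it never touched before, from a new source IP, or at a volume
     far above its norm.

Assumptions: field names are modelled on Salesforce's OauthToken object and the
Real-Time Event Monitoring ApiEvent object; every row below is constructed for
the example, and the app names, IPs, dates and thresholds are invented.
"""
from collections import defaultdict
from datetime import datetime, timedelta

NOW = datetime(2026, 6, 18)  # review date, assumed

# Constructed OauthToken-style export: one row per (app, user) grant.
GRANTS = [
    {"AppName": "Klue", "Username": "ae1@example.com", "LastUsedDate": "2026-06-12T03:10:00Z"},
    {"AppName": "Klue", "Username": "ae2@example.com", "LastUsedDate": "2026-06-12T03:11:00Z"},
    {"AppName": "Gong", "Username": "ae1@example.com", "LastUsedDate": "2026-06-11T22:00:00Z"},
    {"AppName": "OldDataLoader", "Username": "admin@example.com", "LastUsedDate": "2025-09-01T10:00:00Z"},
    {"AppName": "UnknownBI", "Username": "ae3@example.com", "LastUsedDate": "2026-06-10T09:00:00Z"},
]
APPROVED_APPS = {"Klue", "Gong", "OldDataLoader"}  # assumed vendor register


def review_grants(grants, approved, now, stale_days=90):
    """Map app name -> sorted list of issues ('unapproved', 'stale')."""
    cutoff = now - timedelta(days=stale_days)
    findings = {}
    for g in grants:
        last_used = datetime.strptime(g["LastUsedDate"], "%Y-%m-%dT%H:%M:%SZ")
        issues = []
        if g["AppName"] not in approved:
            issues.append("unapproved")
        if last_used < cutoff:
            issues.append("stale")
        if issues:
            findings.setdefault(g["AppName"], set()).update(issues)
    return {app: sorted(v) for app, v in findings.items()}


# Constructed ApiEvent-style records. The first list is the learning window;
# the second is the window under review.
BASELINE_EVENTS = [
    {"EventDate": "2026-06-01T02:00:00Z", "Application": "Klue", "SourceIp": "203.0.113.10",
     "QueriedEntities": "Account,Opportunity", "RowsProcessed": 180},
    {"EventDate": "2026-06-02T02:00:00Z", "Application": "Klue", "SourceIp": "203.0.113.10",
     "QueriedEntities": "Account", "RowsProcessed": 220},
    {"EventDate": "2026-06-02T09:00:00Z", "Application": "Gong", "SourceIp": "203.0.113.20",
     "QueriedEntities": "Opportunity,Task", "RowsProcessed": 60},
]
NEW_EVENTS = [
    {"EventDate": "2026-06-11T02:00:00Z", "Application": "Klue", "SourceIp": "203.0.113.10",
     "QueriedEntities": "Account,Opportunity", "RowsProcessed": 175},
    {"EventDate": "2026-06-12T03:10:00Z", "Application": "Klue", "SourceIp": "198.51.100.7",
     "QueriedEntities": "Contact,Lead,Opportunity", "RowsProcessed": 48000},
    {"EventDate": "2026-06-12T03:30:00Z", "Application": "NeverSeenApp", "SourceIp": "198.51.100.7",
     "QueriedEntities": "Contact", "RowsProcessed": 5000},
]


def build_baseline(events):
    """Per app: objects it has queried, IPs it has used, largest row count seen."""
    base = defaultdict(lambda: {"entities": set(), "ips": set(), "max_rows": 0})
    for e in events:
        b = base[e["Application"]]
        b["entities"].update(e["QueriedEntities"].split(","))
        b["ips"].add(e["SourceIp"])
        b["max_rows"] = max(b["max_rows"], e["RowsProcessed"])
    return dict(base)


def detect_anomalies(baseline, events, volume_factor=10):
    """Return one alert per event that deviates from its app's baseline."""
    alerts = []
    for e in events:
        app = e["Application"]
        b = baseline.get(app)
        if b is None:
            alerts.append({"app": app, "when": e["EventDate"], "reasons": ["unknown_app"]})
            continue
        reasons = []
        new_entities = set(e["QueriedEntities"].split(",")) - b["entities"]
        if new_entities:
            reasons.append("new_entities:" + ",".join(sorted(new_entities)))
        if e["SourceIp"] not in b["ips"]:
            reasons.append("new_ip:" + e["SourceIp"])
        if e["RowsProcessed"] > volume_factor * max(b["max_rows"], 1):
            reasons.append("volume")
        if reasons:
            alerts.append({"app": app, "when": e["EventDate"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for app, issues in review_grants(GRANTS, APPROVED_APPS, NOW).items():
        print(f"grant review: {app}: {', '.join(issues)}")
    for a in detect_anomalies(build_baseline(BASELINE_EVENTS), NEW_EVENTS):
        print(f"alert: {a['app']} at {a['when']}: {'; '.join(a['reasons'])}")
```

One caveat the Klue case makes concrete: the malicious update ran inside Klue's own integration layer, so token abuse can arrive from the vendor's normal egress and the new-IP signal may never fire. The object-set and volume checks are the ones that carry weight in that scenario, which is also why the ability to revoke the connected app's sessions yourself, without waiting on the vendor, matters more than any single detection rule.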

A deep-dive will follow once the full victim list settles, the regulatory and customer-notification picture firms up, and the token-harvesting code path is documented in detail.
