Klue Breach Exposes Salesforce Data at Cybersecurity Firms  | eSecurity Planet

A security incident at Klue exposed Salesforce data across multiple cybersecurity firms.

Written By
Ken Underhill
Jun 22, 2026
4 minute read

A supply chain attack against competitive intelligence platform Klue has led to the exposure of Salesforce data belonging to multiple organizations, including several well-known cybersecurity companies. 

The incident highlights how a single compromised integration credential can create a cascading security event across numerous interconnected cloud environments.

“Our investigation determined that an attacker gained access through a compromised legacy credential associated with an integration service,” said Jason Smith, CEO of Klue, in the company’s incident notification.

“SOC 2 reports, access controls, encryption standards, and API security reviews remain important, but they are not sufficient when a partner’s data may directly influence AI systems or automated security workflows,” said Ben Faircloth, Senior Director of AI Solutions at Seekr, in an email to eSecurity Planet.

Key Takeaways

  • A supply chain attack against Klue exposed Salesforce data across at least nine organizations, including several cybersecurity firms.
  • Attackers gained access through a compromised legacy credential and used stolen OAuth tokens to access connected Salesforce environments.
  • Threat actors reportedly executed nearly 1,000 Salesforce API queries in 15 minutes and maintained data extraction activity for more than six hours.
  • The exposed data included business contacts, sales account information, pricing quotes, and sales communications, but not passwords, payment card data, or core platform systems.
  • The incident highlights the importance of securing third-party integrations, monitoring OAuth access, and reviewing vendor security controls.

Inside the Klue Incident

The incident affected at least nine organizations that used Klue’s Salesforce integration. Those publicly named so far include HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Insurity, Tanium, and Gong.

Several of the companies have stated that the compromise was limited to data accessible through the Klue-Salesforce integration and did not impact core products, customer-facing services, internal networks, or production environments.

How the Attack Worked 

According to Klue’s investigation, the attack began between June 11 and June 12, 2026, when threat actors gained access to a legacy credential associated with an integration service account. 

Using that foothold, the attackers deployed malicious code designed to harvest OAuth tokens. Those tokens are what let an integration such as Klue’s call a customer’s Salesforce instance as an authorized connected app without a user re-entering credentials, and a stolen refresh token in particular keeps working until it is revoked or expires under the connected app’s token policy, so a compromise at the vendor becomes a standing key into every connected tenant.

Because OAuth tokens can grant access to connected applications and data, they have become a common target in supply chain attacks. 

After obtaining the tokens, the attackers used them to authenticate to customer Salesforce environments as the Klue integration and query the Salesforce APIs directly.

The threat actors executed nearly 1,000 API queries within a 15-minute period during peak activity and maintained data extraction operations for more than six hours. 

The large-scale API activity allowed the attackers to exfiltrate customer relationship management (CRM) data from multiple organizations before the activity was detected and contained.
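The two patterns in that timeline, a burst of calls inside a 15-minute window and extraction that keeps going for hours, are both detectable from API event logs if someone is looking. The following is an added example, not code from Klue, Salesforce or eSecurity Planet: a small Python detector that replays constructed API event records (loosely modeled on Salesforce Event Monitoring API events; the CSV layout, client names, user IDs and thresholds are all assumptions) and flags both signatures per connected app.

```python
"""Detect burst and sustained-extraction patterns in API event logs.

Added example (not code from Klue, Salesforce or eSecurity Planet). The records
are constructed and loosely modeled on Salesforce Event Monitoring API events;
field names, client names and thresholds are assumptions for illustration.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ApiEvent:
    ts: datetime   # when the API call happened
    client: str    # connected app / API client name (assumed field)
    user_id: str   # integration user the token belongs to (assumed field)
    rows: int      # rows returned by the call (assumed field)


def parse_events(lines):
    """Parse constructed CSV lines 'timestamp,client,user_id,rows' into sorted events."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, user_id, rows = line.split(",")
        events.append(ApiEvent(datetime.fromisoformat(ts), client, user_id, int(rows)))
    return sorted(events, key=lambda e: e.ts)


def peak_calls_in_window(times, window=timedelta(minutes=15)):
    """Maximum number of calls falling inside any sliding window; `times` must be sorted."""
    peak, q = 0, deque()
    for t in times:
        q.append(t)
        while t - q[0] >= window:   # drop calls that have aged out of the window
            q.popleft()
        peak = max(peak, len(q))
    return peak


def detect_extraction(events, burst_threshold=300, window=timedelta(minutes=15),
                      min_duration=timedelta(hours=4), min_rows=50_000):
    """Per connected app: peak call rate, active span, total rows, and why it was flagged."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e.client].append(e)
    findings = {}
    for client, evs in by_client.items():
        times = [e.ts for e in evs]
        peak = peak_calls_in_window(times, window)
        duration = times[-1] - times[0]
        total_rows = sum(e.rows for e in evs)
        reasons = []
        if peak >= burst_threshold:
            reasons.append(f"burst: {peak} calls within {int(window.total_seconds() // 60)} min")
        if duration >= min_duration and total_rows >= min_rows:
            reasons.append(f"sustained: {total_rows} rows pulled over {duration}")
        findings[client] = {"peak_calls": peak, "duration": duration,
                            "total_rows": total_rows, "reasons": reasons}
    return findings


def constructed_log():
    """Constructed sample: a benign sync plus an attacker-style burst followed by
    hours of steady pulls through the same connected app."""
    start = datetime(2026, 6, 12, 1, 0, tzinfo=timezone.utc)
    lines = ["# timestamp,client,user_id,rows  (constructed, not real log data)"]
    for i in range(40):              # benign: 40 calls over two hours, 25 rows each
        t = start + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()},Marketing Sync,005A,25")
    for i in range(1000):            # suspicious: ~1,000 calls in 15 minutes
        t = start + timedelta(seconds=0.9 * i)
        lines.append(f"{t.isoformat()},CI Platform Integration,005B,200")
    for i in range(180):             # ... then one call every 2 minutes for six more hours
        t = start + timedelta(minutes=15 + 2 * i)
        lines.append(f"{t.isoformat()},CI Platform Integration,005B,200")
    return lines


if __name__ == "__main__":
    for client, f in detect_extraction(parse_events(constructed_log())).items():
        status = "ALERT" if f["reasons"] else "ok"
        print(f"{status:5} {client}: peak={f['peak_calls']} rows={f['total_rows']} "
              f"span={f['duration']} {f['reasons']}")
```

Fixed thresholds are only a starting point: a nightly bulk sync will legitimately exceed a static call count, so in practice the burst and volume limits should be derived from each connected app’s own baseline, and the alert should carry the connected app and integration user so the response is to revoke that app’s tokens rather than lock out a human.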


What Data Was Exposed 

The exposed information reportedly included business contact records, names, email addresses, phone numbers, job titles, business addresses, sales account information, pricing quotes, and sales-related communications. 

There is no evidence that passwords, payment card information, threat intelligence data, product telemetry, or other sensitive operational systems were compromised during the incident.

The cybercrime group Icarus has publicly claimed responsibility for the attack and threatened to release the stolen data unless ransom demands are met. 

Klue has since revoked affected credentials and tokens, disabled impacted integrations, engaged CrowdStrike to support incident response and forensic investigations, and notified law enforcement. 

How to Reduce Third-Party Risk 

The incident demonstrates how compromised integration credentials can be used to access data across connected cloud environments. 

Organizations that rely on OAuth-enabled integrations should review access permissions, monitoring capabilities, and vendor security practices on a regular basis. 

  • Audit OAuth-connected applications regularly and remove unused or unauthorized third-party integrations.
  • Enforce least-privilege access by limiting the data, permissions, and API access granted to connected applications.
  • Rotate API credentials, service account credentials, and integration tokens regularly, prefer short-lived tokens over long-lived static secrets, and inventory and retire legacy credentials that no longer have an owner; the Klue intrusion began with exactly such a credential.
  • Monitor cloud platforms and APIs for unusual activity, including excessive queries, large-scale exports, and anomalous access patterns. In Salesforce, Event Monitoring exposes the user and connected application behind each API call, which is the data needed to spot a burst like the one in this incident.
  • Deploy SaaS security posture management (SSPM) and data loss prevention (DLP) tools to identify risky configurations and detect unauthorized data movement.
  • Conduct regular security assessments of vendors and require strong credential management, authentication controls, and integration security practices.
  • Test incident response plans through tabletop exercises and attack simulations that include third-party, supply chain, and SaaS compromise scenarios.

Collectively, these steps can help organizations reduce exposure to third-party risks while improving resilience.


Bottom Line

The incident illustrates the operational challenges that can arise when trusted third-party integrations are compromised. 

Organizations should ensure they have appropriate governance, monitoring, and response processes in place to manage vendor-related risks and maintain visibility.

Some organizations are using zero trust solutions to continuously verify access and limit permissions, helping reduce the risk of unauthorized access and lateral movement. 

Ken Underhill

Ken Underhill is an award-winning cybersecurity professional, bestselling author, and seasoned IT professional. He holds a graduate degree in cybersecurity and information assurance from Western Governors University and brings years of hands-on experience to the field.

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved