Klue Supply Chain Breach: Icarus Steals Salesforce Data From Huntress
- Icarus Claim: Huntress attributes the Klue supply chain attack to a new extortion group called Icarus, active since April 28, 2026.
- Token Theft: The compromise began on June 11 when attackers pushed a code update to steal OAuth tokens connecting Klue to customer systems.
- Data Exfiltrated: Klue said Salesforce and Gong data were stolen, including business contacts, price quotes, and sales communications.
Huntress has disclosed that it was among many organizations affected by a supply chain attack on Klue, a market intelligence platform. In a report published June 18, 2026, the cybersecurity firm detailed how a threat actor compromised Klue's backend and exfiltrated CRM data, including Huntress's own Salesforce records.
How the Klue Compromise Unfolded
The attack began on June 11, when anomalous behavior surfaced in a Klue system connecting to third-party integrations. Attackers pushed a code update capable of harvesting OAuth tokens that customers use to link Klue to their own platforms.
Huntress determined the actor leveraged a long-disused but still active credential, originally created by Klue to prototype an abandoned integration.
Klue rapidly deactivated OAuth credentials and temporarily disabled integrations with:
- Salesforce,
- HubSpot,
- SharePoint,
- Zoom,
- Gong,
- Chorus,
- Clari,
- Google Drive,
- Slack App.
Salesforce announced it had disabled the connection between the customer-installed Klue Battlecards app and Salesforce as a response to the security incident.
The Huntress data breach included business contacts, price quotes, and sales communications. No threat intelligence, passwords, payment card information, or engineering telemetry was affected, and the Huntress product and infrastructure were not compromised.
Attributing the Attack to Icarus
On June 16, Huntress staff received extortion emails warning that their data had been downloaded. The actor, signing as "Mr. Bean," provided a Session Messenger ID matching the dark web leak site of a new ransomware group dubbed Icarus.
The group, active since April 28, 2026, has historically posted exfiltrated data samples on gofile.io. Given the matching Session IDs, Huntress has high confidence that Icarus is responsible. The group warned that other big corporations will be listed.
ReliaQuest recommends the following:
- Revoke and rotate credentials and tokens.
- Review Salesforce API activity.
- Lock down API access to known infrastructure.
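One way to act on the second and third recommendations, as an added example that is not from ReliaQuest, Huntress or Klue. The log columns, app names, addresses and allowlist below are constructed assumptions, not a Salesforce export schema.

```python
import csv
import io
import ipaddress
from collections import defaultdict

# Constructed sample of API activity (simplified columns, documentation IP ranges).
SAMPLE_LOG = """timestamp,connected_app,client_ip,rows_returned
2026-06-10T14:02:11Z,Vendor Integration,198.51.100.20,120
2026-06-11T03:15:40Z,Vendor Integration,203.0.113.77,48000
2026-06-11T03:16:02Z,Vendor Integration,203.0.113.77,51000
2026-06-11T09:30:00Z,Internal ETL,192.0.2.10,900
2026-06-11T10:00:00Z,Vendor Integration,198.51.100.21,95
2026-06-11T11:45:09Z,Old Prototype,203.0.113.77,300
"""

# Assumed allowlist: the networks each integration is expected to call from.
ALLOWED = {
    "Vendor Integration": ["198.51.100.0/24"],
    "Internal ETL": ["192.0.2.0/24"],
}

def review_api_activity(log_text, allowed):
    """Return API calls made from outside each app's known infrastructure.

    Apps with no allowlist entry are treated as unexpected, so every call
    they make is reported (this catches forgotten or prototype integrations).
    """
    nets = {app: [ipaddress.ip_network(c) for c in cidrs]
            for app, cidrs in allowed.items()}
    findings = defaultdict(lambda: {"calls": 0, "rows": 0, "first_seen": None})
    for row in csv.DictReader(io.StringIO(log_text)):
        app = row["connected_app"]
        ip = ipaddress.ip_address(row["client_ip"])
        if any(ip in net for net in nets.get(app, [])):
            continue  # call came from known infrastructure
        entry = findings[(app, str(ip))]
        entry["calls"] += 1
        entry["rows"] += int(row["rows_returned"])
        # ISO 8601 UTC timestamps in one format sort correctly as strings.
        seen = [t for t in (entry["first_seen"], row["timestamp"]) if t]
        entry["first_seen"] = min(seen)
    return dict(findings)

if __name__ == "__main__":
    for (app, ip), info in review_api_activity(SAMPLE_LOG, ALLOWED).items():
        print(f"{app} from {ip}: {info['calls']} calls, "
              f"{info['rows']} rows, first seen {info['first_seen']}")
```

The same grouping gives the list of tokens to revoke first and the earliest timestamp to scope the review from.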
In other recent news, Nintendo confirmed that TinyPulse data was stolen, the EvilTokens PhaaS kit abuses the OAuth device code flow in Microsoft 365, and ShinyHunters published Infinite Campus data in an extortion campaign linked to Salesforce.
Other cybersecurity incidents announced this year that reportedly occurred via third parties include Australian Clinical Labs’ SunDoctors, Hims & Hers, Adidas, Inditex, and Betterment.







