Breach on market intelligence platform Klue exposes multiple cybersecurity vendors to ransom
- Marijan Hassan - Tech Journalist
- 3 hours ago
- 3 min read
A cyberattack targeting market intelligence platform Klue has led to the theft of customer data belonging to several cybersecurity firms, in yet another high-profile third-party breach. The intrusion, which began on June 11, 2026, bypassed standard edge defenses by exploiting a single forgotten credential. Once inside Klue's infrastructure, the attackers systematically harvested the long-lived authentication tokens Klue held for its integrations, allowing them to impersonate the platform and pull massive amounts of data from downstream corporate clients.

Prominent security vendors, including Huntress, Recorded Future, Tanium, LastPass, Jamf, and Snyk, have stepped forward to confirm that their Salesforce environments were breached during the automated raid.
Forgotten privileged account
According to a forensic timeline published by Huntress and corroborated by Klue CEO Jason Smith, the breach originated from a failure in legacy system housekeeping. Threat actors successfully identified and exploited a "ghost credential" - a long-disused but still active system login that Klue engineers had originally created years prior to prototype a third-party integration they later abandoned.
Six-hour bulk extraction windows
Once the harvested tokens were in hand, the threat actors could send requests to their victims' Salesforce environments that appeared completely authentic, because each request originated from a trusted, pre-approved connected application rather than from an unknown client.
Subsequent data harvesting was massive and highly concentrated, featuring bursts of nearly 1,000 parallel database queries in under 15 minutes. According to reports, some extraction windows remained active for more than six consecutive hours.
The exfiltrated datasets varied by target but focused strictly on commercial CRM records, corporate metadata, and business relationship data. Impacted cybersecurity firms confirmed the exposure of:
- Corporate client rosters: Full names, job titles, business addresses, work emails, and phone numbers.
- Commercial financial data: Active subscription details, products trialed, and customized sales price quotes.
- Sales logs: Historic communications and internal messaging exchanged within sales pipelines.
The targeted firms emphasized that the blast radius was entirely contained to their Salesforce environments. Because the exploit relied strictly on the permission parameters granted to the Klue Battlecards application, the attackers could not cross into core software products, internal source code repositories, threat intelligence telemetry, or live user authentication systems.
Attribution
The campaign has been attributed to a newly emerged cyber extortion syndicate calling itself Icarus, which security researchers believe operates closely with the Russian-aligned threat group UNC6395 and the notorious ShinyHunters collective.
On June 19, Icarus officially listed Klue on its dark-web leak site, subsequently publishing raw proof-of-concept data archives stolen from Klue's partner companies.
Mitigation
In response to the cascading breach, Salesforce took the drastic step of permanently disabling the Klue app integration across its entire global platform, preventing any organizations from reconnecting the software until further notice. Klue has since retained CrowdStrike to oversee a comprehensive forensic cleanup and code-auditing process.
Security teams managing active Salesforce, HubSpot, Google Drive, or Slack integrations are being urged to treat all connected API tokens as highly privileged domain credentials. Best-practice directives issued this weekend mandate that enterprises immediately rotate all active OAuth refresh tokens, deploy continuous API-layer logging to flag bulk data extraction anomalies, and strictly restrict automated app connections to designated, company-owned IP pools.
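The two detection signals the article describes (a burst of roughly 1,000 queries inside 15 minutes, and extraction sessions that stay active for six hours or more) and the IP-pool restriction it recommends can all be checked from API-layer logs. The script below is an added example, not code from Klue, Salesforce, or any of the affected vendors. It runs over a constructed set of API events whose shape (timestamp, connected app name, source IP, rows returned) is only loosely modelled on Salesforce Event Monitoring; the field names, the allowlisted IP pool, the app names, and the idle-gap setting used to split sessions are all assumptions.

```python
"""Flag bulk extraction by a connected app from API event logs.

Added example, not Klue's or Salesforce's code. The event format and
thresholds below are assumptions; the sample data is constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone

BURST_WINDOW = timedelta(minutes=15)   # article: ~1,000 queries in under 15 min
BURST_THRESHOLD = 1000
SESSION_GAP = timedelta(minutes=5)     # assumed idle gap that closes a session
SUSTAINED_MIN = timedelta(hours=6)     # article: windows active for 6+ hours
ALLOWED_IPS = {"203.0.113.7", "203.0.113.8"}  # assumed company-owned egress pool


def build_sample_events():
    """Constructed API events as (timestamp, app, source_ip, rows); not real telemetry."""
    t0 = datetime(2026, 6, 11, 2, 0, tzinfo=timezone.utc)
    events = []
    # Benign integration: one query every 10 minutes from an allowlisted IP.
    for i in range(60):
        events.append((t0 + i * timedelta(minutes=10), "HubSpot Sync", "203.0.113.7", 50))
    # Abusive connected app: 1,200 queries in 12 minutes, then a steady
    # one-per-minute trickle for 6.5 hours, all from an IP outside the pool.
    t1 = t0 + timedelta(hours=1)
    for i in range(1200):
        events.append((t1 + i * timedelta(milliseconds=600), "Klue Battlecards", "198.51.100.23", 2000))
    t2 = t1 + timedelta(minutes=12)
    for i in range(390):
        events.append((t2 + i * timedelta(minutes=1), "Klue Battlecards", "198.51.100.23", 500))
    events.sort()
    return events


def _by_app(events):
    """Group events per connected app, each group sorted by time."""
    groups = defaultdict(list)
    for ts, app, ip, rows in events:
        groups[app].append((ts, ip, rows))
    for app in groups:
        groups[app].sort()
    return groups


def detect_bursts(events, window=BURST_WINDOW, threshold=BURST_THRESHOLD):
    """Sliding window: peak number of calls any app makes within `window`.
    Returns {app: peak_count} for apps at or above `threshold`."""
    alerts = {}
    for app, evs in _by_app(events).items():
        times = [ts for ts, _, _ in evs]
        left, peak = 0, 0
        for right, ts in enumerate(times):
            while ts - times[left] > window:   # slide the window start forward
                left += 1
            peak = max(peak, right - left + 1)
        if peak >= threshold:
            alerts[app] = peak
    return alerts


def detect_sustained_sessions(events, gap=SESSION_GAP, min_duration=SUSTAINED_MIN):
    """Split each app's calls into sessions separated by idle gaps longer than
    `gap`; return (app, start, end, rows_returned) for sessions lasting at
    least `min_duration`."""
    alerts = []
    for app, evs in _by_app(events).items():
        session_start = session_end = evs[0][0]
        session_rows = 0
        for ts, _, rows in evs:
            if ts - session_end > gap:          # idle gap closes the session
                if session_end - session_start >= min_duration:
                    alerts.append((app, session_start, session_end, session_rows))
                session_start, session_rows = ts, 0
            session_end = ts
            session_rows += rows
        if session_end - session_start >= min_duration:
            alerts.append((app, session_start, session_end, session_rows))
    return alerts


def off_allowlist_sources(events, allowed=ALLOWED_IPS):
    """(app, ip) pairs where a connected app called from outside the IP pool."""
    return {(app, ip) for _, app, ip, _ in events if ip not in allowed}


if __name__ == "__main__":
    evs = build_sample_events()
    print("burst alerts:", detect_bursts(evs))
    for app, start, end, rows in detect_sustained_sessions(evs):
        print(f"sustained: {app} {start:%H:%M}-{end:%H:%M} UTC, rows={rows}")
    print("off-allowlist sources:", off_allowlist_sources(evs))
```

Run against the constructed data, the burst detector fires only for the abusive app (the benign integration never exceeds two calls per 15 minutes), the session detector reports a single session of about 6 hours 41 minutes, and the allowlist check isolates the one app calling from outside the pool. In production the burst threshold would be tuned per app from a baseline rather than taken from a news report, and the session check pairs naturally with the rows-returned total, which is the better indicator of how much data actually left the org.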