Klue Breach Enables Hackers to Compromise Cybersecurity Firms

https://www.infosecurity-magazine.com/news/klue-breach-compromise/

Publish Date: 2026-06-22 06:15:00

Source Domain: www.infosecurity-magazine.com

Several companies have disclosed that they were affected by a breach of business intelligence provider Klue, including a number of cybersecurity firms.

Huntress, Recorded Future, Jamf and Tanium have all acknowledged using Klue’s intelligence services and confirmed that the breach enabled unauthorized access to their Salesforce accounts via stolen OAuth tokens used for Klue integrations.

Klue Battlecards Breach and Salesforce OAuth Token Abuse

According to an official statement published by Klue’s CEO, Jason Smith, on June 19, the company detected an intrusion on June 12.

An unauthorized actor gained access to Klue’s integration infrastructure, notably the Klue Battlecards app, through a compromised legacy credential. From there they obtained the OAuth tokens that connected Klue to third-party platforms, including Salesforce. An OAuth token is a digital key that lets an application act on a firm’s data in another service without holding that firm’s password, so whoever holds the token inherits the access the integration was granted.

They then accessed Klue customer data and used the stolen OAuth tokens to impersonate Klue within those connected Salesforce environments, exfiltrating sensitive customer information before the activity was detected and contained.

Klue’s Smith said the company immediately responded by revoking affected credentials and tokens, removing unauthorized code and disabling potentially impacted integrations.

Klue also notified law enforcement and launched an internal investigation and a comprehensive review of its security controls. It has since engaged CrowdStrike to support the forensic investigation.

Customers have been regularly updated about what happened and provided with remediation guidance through various channels.

Salesforce also notified the public on June 17 that it had disabled the Klue Battlecards integration.

Klue Breach Affects Cybersecurity Firms

In customer-facing blog posts, Huntress, Recorded Future, Jamf and Tanium confirmed that while the breach originated through Klue’s infrastructure, their own products and services remained unaffected.

Tanium reassured customers that “there was no impact on our ability to serve them.”

Meanwhile Jamf stated, “We have no evidence of lateral movement and have contained the incident on our end.”

However, Huntress warned that customer data may have been compromised, including business names, products trialed/used, subscription details, business contact information and marketing and sales communications.

Jamf also warned customers about potential phishing campaigns leveraging the stolen Salesforce data, advising vigilance against malicious actors posing as Jamf employees.

Recorded Future disabled Klue’s integration and conducted a forensic analysis, emphasizing the need for continuous monitoring of third-party integrations. The company said, “This incident underscores the critical need for continuous monitoring of third-party integrations, especially those with privileged access to sensitive data.”
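The monitoring Recorded Future calls for, applied to the attack path described above (an integration’s OAuth tokens stolen and replayed against customers’ connected Salesforce environments), comes down to watching how each integration’s token is actually used. The script below is an added example, not code from this article, from Klue, from Salesforce or from any company named on the page. The audit-record layout, the vendor egress ranges, the per-app volume baselines and the sample log lines are all constructed assumptions for illustration; in practice they would be mapped onto whatever connected-app or API event log your CRM exports. It flags three things a replayed integration token tends to produce: calls from outside the vendor’s own egress ranges, a bulk pull of CRM records well above the app’s normal volume, and, after you have disabled the app, any call at all, which means revocation did not take effect.

```python
"""Flag anomalous use of a third-party integration's OAuth token.

Added example: not code from the article, Klue, Salesforce or any vendor named
on the page. The audit-record layout, vendor egress ranges, volume baselines
and sample log lines are constructed for illustration only.
"""
from __future__ import annotations

import ipaddress
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class ApiEvent:
    """One API call made with an integration's token (constructed schema)."""
    ts: datetime
    app: str        # connected app / integration name as the CRM reports it
    source_ip: str  # client address the CRM saw the call come from
    operation: str  # e.g. "query" or "bulk_export"
    obj: str        # CRM object touched, e.g. "Contact"
    rows: int       # rows returned to the caller


@dataclass(frozen=True)
class IntegrationPolicy:
    """What we know about one vendor integration (assumed per-vendor baseline)."""
    egress_cidrs: tuple[str, ...]  # ranges the vendor publishes for its outbound calls
    max_rows_per_hour: int         # normal ceiling observed for this app
    disabled_at: datetime | None   # when we disabled the app / revoked its tokens


@dataclass(frozen=True)
class Finding:
    tag: str  # SOURCE_IP | POST_REVOCATION | VOLUME | UNKNOWN_APP
    app: str
    ts: datetime
    detail: str


def parse_event(line: str) -> ApiEvent:
    """Parse one pipe-delimited audit line: ts | app | ip | op | object | rows."""
    ts, app, ip, op, obj, rows = (f.strip() for f in line.split("|"))
    return ApiEvent(datetime.fromisoformat(ts), app, ip, op, obj, int(rows))


def detect(events: list[ApiEvent], policies: dict[str, IntegrationPolicy]) -> list[Finding]:
    """Run three checks over token activity, in time order."""
    findings: list[Finding] = []
    hourly: dict[tuple[str, datetime], int] = defaultdict(int)
    for ev in sorted(events, key=lambda e: e.ts):
        pol = policies.get(ev.app)
        if pol is None:
            # A token nobody inventoried is itself a finding: nobody owns it.
            findings.append(Finding("UNKNOWN_APP", ev.app, ev.ts, "no policy on file for this integration"))
            continue
        # 1. Call from outside the vendor's egress ranges: the token is being
        #    replayed from somewhere other than the vendor's own infrastructure.
        addr = ipaddress.ip_address(ev.source_ip)
        if not any(addr in ipaddress.ip_network(c) for c in pol.egress_cidrs):
            findings.append(Finding("SOURCE_IP", ev.app, ev.ts, f"{ev.source_ip} not in {pol.egress_cidrs}"))
        # 2. Any activity after we disabled the integration: revocation did not take effect.
        if pol.disabled_at is not None and ev.ts >= pol.disabled_at:
            findings.append(Finding("POST_REVOCATION", ev.app, ev.ts,
                                    f"call after disable at {pol.disabled_at:%Y-%m-%d %H:%M}"))
        # 3. Rows per hour above the app's baseline: a bulk pull of CRM data.
        #    Fires once per hour bucket, at the call that crosses the threshold.
        bucket = (ev.app, ev.ts.replace(minute=0, second=0, microsecond=0))
        before = hourly[bucket]
        hourly[bucket] = before + ev.rows
        if before <= pol.max_rows_per_hour < hourly[bucket]:
            findings.append(Finding("VOLUME", ev.app, ev.ts,
                                    f"{hourly[bucket]} rows this hour, baseline {pol.max_rows_per_hour}"))
    return findings


# Constructed sample: one vendor integration whose token was replayed on the 12th
# and which we disabled on the 17th, plus an unrelated healthy integration.
POLICIES = {
    "VendorBattlecards": IntegrationPolicy(("203.0.113.0/24",), 2000, datetime(2026, 6, 17, 12, 0)),
    "PayrollSync": IntegrationPolicy(("198.51.100.0/24",), 500, None),
}

SAMPLE_LOG = """\
2026-06-10T09:00:00 | VendorBattlecards | 203.0.113.10 | query       | Account     | 120
2026-06-12T03:10:00 | VendorBattlecards | 192.0.2.77   | bulk_export | Contact     | 1500
2026-06-12T03:25:00 | VendorBattlecards | 192.0.2.77   | bulk_export | Lead        | 1800
2026-06-12T03:40:00 | VendorBattlecards | 192.0.2.77   | bulk_export | Opportunity | 900
2026-06-18T08:00:00 | VendorBattlecards | 203.0.113.10 | query       | Account     | 50
2026-06-18T08:05:00 | PayrollSync       | 198.51.100.5 | query       | Employee    | 40
2026-06-18T09:00:00 | UnknownApp        | 198.51.100.9 | query       | Contact     | 10
"""


def run_sample() -> list[Finding]:
    """Parse the constructed log and run detection over it."""
    return detect([parse_event(ln) for ln in SAMPLE_LOG.splitlines() if ln.strip()], POLICIES)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f.ts:%Y-%m-%d %H:%M} {f.tag:15} {f.app}: {f.detail}")
```

On the constructed sample the script raises six findings: three source-IP hits for the replayed token, one volume hit when the hourly total first crosses the 2,000-row baseline, one post-revocation hit for the call that arrived after the app was disabled, and one unknown-app hit for a token with no owner on file. The egress-range check is only as good as the vendor’s published ranges, and the volume rule is deliberately per hour and per app rather than global, so a noisy integration does not mask a quiet one being drained.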

ReliaQuest was the first to detect the suspicious activity and alerted Klue. However, the company told Infosecurity that it does not use Klue and was not affected by the breach.

Commenting on how the attackers exploited OAuth tokens to pivot into connected Salesforce environments, ReliaQuest said: “The adversary’s ability to move laterally from a compromised integration to a customer’s CRM demonstrates the evolving tactics of modern threat actors.”

Non-cybersecurity firms were also affected, including insurance service provider Insurity and social media analytics platform Sprout Social.

The breach was claimed on June 19 by Icarus, a recently identified cyber extortion group. Icarus has just three victims listed on its data leak site, according to ransomware tracking website Ransomware.live.

On June 20, the group issued a deadline message to all Klue clients it claims to have contacted, warning that they have until June 22 to respond before their data is released.

This article was updated on June 22 to add ReliaQuest’s comments, highlighting that the company was not affected by the Klue breach.