{"id":235225,"date":"2026-06-22T12:32:00","date_gmt":"2026-06-22T16:32:00","guid":{"rendered":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/22\/klue-hack-leads-to-data-breach-across-multiple-cybersecurity-companies\/"},"modified":"2026-06-22T13:35:09","modified_gmt":"2026-06-22T17:35:09","slug":"klue-hack-leads-to-data-breach-across-multiple-cybersecurity-companies","status":"publish","type":"post","link":"https:\/\/testing.news-you-need.com\/index.php\/2026\/06\/22\/klue-hack-leads-to-data-breach-across-multiple-cybersecurity-companies\/","title":{"rendered":"Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies"},"content":{"rendered":"<p><a href=\"https:\/\/cybersecuritynews.com\/klue-hack-cybersecurity-companies\/\">Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies<\/a><\/p>\n<p><a href=\"https:\/\/cybersecuritynews.com\/klue-hack-cybersecurity-companies\/\">https:\/\/cybersecuritynews.com\/klue-hack-cybersecurity-companies\/<\/a><\/p>\n<p>Publish Date: <a href=\"publish_date]\">2026-06-22 12:32:00<\/a><\/p>\n<p>Source Domain: <a href=\"cybersecuritynews.com\">cybersecuritynews.com<\/a><\/p>\n<p>Author: <a href=\"\"><\/a><\/p>\n<p> Using an unordered list, summarize the following article with between 4 and 8 key points.<br \/>\nA sophisticated supply chain attack on market intelligence platform Klue has compromised Salesforce data across at least nine organizations, including several high-profile cybersecurity firms, with the newly emerged Icarus extortion group claiming responsibility and threatening to release stolen data.<\/p>\n<p>The attack began on June 11\u201312, 2026, when threat actors gained unauthorized access to Klue\u2019s integration infrastructure using a compromised legacy credential tied to an integration service account.<\/p>\n<p>Leveraging that foothold, the attackers pushed a malicious code update to harvest OAuth tokens, the authorization keys that allow Klue to connect with customers\u2019 third-party platforms, most critically Salesforce.<\/p>\n<p>Klue identified the unauthorized activity on June 12 and notified customers the same day, immediately revoking affected credentials and disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.<\/p>\n<p>Salesforce Data Exfiltration at Scale<\/p>\n<p>Once inside, attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data, executing nearly\u00a01,000 API queries in just 15 minutes\u00a0during peak activity, with sustained extraction windows lasting over 6 hours, according to threat intelligence firm ReliaQuest.<\/p>\n<p>The stolen data was primarily business contact information, names, email addresses, job titles, phone numbers, business addresses, sales account data, pricing quotes, and sales communications.<\/p>\n<p>No core platform data, product telemetry, threat intelligence, passwords, or payment card information was reported compromised by any of the affected organizations.<\/p>\n<p>At least nine organizations have publicly disclosed the impact of the breach:<\/p>\n<p>HackerOne \u2014 Salesforce instance data accessed via the Klue integration<\/p>\n<p>Huntress \u2014 Business contacts, price quotes, and sales-related data were stolen; Huntress attributed the attack to the Icarus threat actor with high confidence.<\/p>\n<p>Jamf \u2014 Salesforce CRM data accessed; no impact on products or customer services.<\/p>\n<p>OneTrust \u2014 Notified customers of Salesforce data exposure.<\/p>\n<p>Recorded Future \u2014 Client contact names, email addresses, and potential contract information impacted.<\/p>\n<p>Snyk, Sprout Social, Insurity, Tanium \u2014 All confirmed Salesforce data accessed through the Klue integration.<\/p>\n<p>Gong \u2014 Internal licensed user data, including names, titles, and emails, accessed; no call recordings or customer transcripts affected.<\/p>\n<p>The cybercrime group Icarus publicly claimed the attack on its leak platform, stating it obtained data from multiple Klue partner Salesforce environments.<\/p>\n<p>The group issued a ransom demand, threatening to release the stolen data unless Klue complied. Huntress investigators matched indicators from its own compromised environment to Icarus infrastructure, expressing high confidence in the attribution. A ransom note was reportedly sent using an email address linked to an Australian company, potentially compromised as part of the operation.<\/p>\n<p>Klue engaged CrowdStrike for incident response and forensic investigation, notified law enforcement, and is conducting a full review of credential management, monitoring capabilities, and deployment processes.<\/p>\n<p>CEO Jason Smith acknowledged the incident publicly on June 22, characterizing it as \u201ca deliberate criminal act,\u201d and committed to transparency with customers through direct updates, emails, and 1:1 meetings.<\/p>\n<p>All affected companies stressed that the compromise was isolated to the Klue-Salesforce integration layer and did not involve their core platforms or internal infrastructure.<\/p>\n<p>The Klue breach underscores the cascading risk of OAuth-based supply chain attacks: a single compromised integration credential can unlock sensitive data across dozens of interconnected enterprise environments simultaneously.<\/p>\n<p>Follow us on\u00a0Google News,\u00a0LinkedIn,\u00a0and\u00a0X\u00a0to Get More Instant Updates.<\/p>\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Klue Hack Leads to Data Breach Across Multiple Cybersecurity Companies https:\/\/cybersecuritynews.com\/klue-hack-cybersecurity-companies\/ Publish Date: 2026-06-22 12:32:00&#8230;<\/p>\n","protected":false},"author":1,"featured_media":235226,"comment_status":"closed","ping_status":"","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"http:\/\/cybersecuritynews.com\/wp-content\/uploads\/2026\/06\/Klue-Hack-Cybersecurity-Companies.webp","fifu_image_alt":"","footnotes":""},"categories":[15],"tags":[30,24,34],"class_list":["post-235225","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-breach","tag-cybersecurity","tag-threat-actor"],"_links":{"self":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235225"}],"collection":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/comments?post=235225"}],"version-history":[{"count":1,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235225\/revisions"}],"predecessor-version":[{"id":235227,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/posts\/235225\/revisions\/235227"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media\/235226"}],"wp:attachment":[{"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/media?parent=235225"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/categories?post=235225"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/testing.news-you-need.com\/index.php\/wp-json\/wp\/v2\/tags?post=235225"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}