Supply chain | Contained

Klue supply-chain breach exposes customers' Salesforce data

A dormant API credential let attackers compromise competitive-intelligence platform Klue and harvest OAuth tokens for customers' connected apps, exfiltrating Salesforce records from firms including Huntress and Recorded Future in a supply-chain attack later tied to the Icarus extortion group.

Victim
Klue (and customers including Huntress and Recorded Future)

On 19 June 2026, cybersecurity firms Huntress and Recorded Future disclosed that their Salesforce data had been stolen through a supply-chain compromise of Klue, the Vancouver-based competitive-intelligence and win-loss platform whose app integrates with customers' CRMs. The breach is a textbook example of how a single trusted SaaS vendor can become a conduit into the data of many downstream organisations.

What happened

According to Klue's customer notifications and the affected firms' disclosures, attackers first gained access to Klue's backend infrastructure using a long-dormant API credential that had originally been created for an abandoned third-party integration prototype. From that foothold they pushed a code update designed to harvest OAuth tokens for customers' connected applications. Those tokens were then used to reach into customers' downstream systems, most prominently their Salesforce instances, and exfiltrate data.

Klue detected and contained the unauthorised activity on the morning of 12 June 2026, and moved to deactivate OAuth tokens for all customers while disabling its integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. On 17 June 2026, Salesforce independently disabled the Klue "Battlecards" connected app, warning that unusual activity may have resulted in unauthorised access to a subset of customer data via the app's connection to Salesforce.

Impact

The downstream victims were customers who had connected Klue to their CRMs. Recorded Future said it was not specifically targeted but was an incidental victim of the compromised Salesforce-to-Klue integration, and that the impact appeared limited to business data fields stored in its Salesforce database, such as client contact names and email addresses, with certain business contract information potentially also included. Huntress likewise confirmed that some of its Salesforce data was exfiltrated. The total number of Klue customers affected was not disclosed.

Attribution

Huntress reported receiving an attempted extortion communication from a threat actor calling itself "Mr Brean," who pointed to a Session Messenger identifier associated with Icarus, an extortion group that emerged in April 2026. On the strength of those matching data points, Huntress stated it had high confidence that the Icarus actor was responsible for the Klue compromise.

Why it matters

The Klue incident underscores a recurring theme in modern breaches: the security of an organisation is bounded by the security of the SaaS apps it grants access to. A forgotten credential for a deprecated integration was enough to turn a vendor into a launch pad, and OAuth tokens, designed for convenience, became the keys that unlocked customers' CRM data. It also reflects the continued targeting of Salesforce-connected third-party apps as a high-value path to corporate data, reinforcing why organisations should inventory connected apps, scope OAuth grants tightly, and retire dormant credentials.
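The two controls this section ends on, retiring dormant credentials and keeping OAuth grants narrow, are easy to state and easy to let slip. The script below is an added example of how a defender might audit an integration inventory for both; it is not Klue's, Salesforce's or any affected firm's code. The record layout, the 90-day dormancy threshold, the "high-risk scope" list and the sample inventory are all constructed assumptions for illustration.

```python
"""Audit a SaaS integration inventory for the two weaknesses the Klue
incident turned on: dormant API credentials and over-broad OAuth grants.

Added example, not code from Klue or any vendor named in the write-up.
Record layout, thresholds and sample data are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds (assumptions; tune to your environment).
DORMANT_AFTER = timedelta(days=90)
# Scopes a read-mostly CRM integration should not hold. Names mirror common
# Salesforce OAuth scope strings but the policy itself is an assumption.
HIGH_RISK_SCOPES = {"full", "refresh_token"}


@dataclass
class Credential:
    name: str
    owner: str
    created: datetime
    last_used: Optional[datetime]  # None means never used since issuance
    purpose: str


@dataclass
class OAuthGrant:
    app: str
    provider: str
    scopes: set = field(default_factory=set)
    token_count: int = 0


def find_dormant(creds, now, threshold=DORMANT_AFTER):
    """Return (name, idle_days) for credentials whose last activity is older
    than `threshold`. A never-used credential is measured from creation, so
    an abandoned prototype key shows up even though it has no usage record."""
    stale = []
    for c in creds:
        last_activity = c.last_used or c.created
        idle = now - last_activity
        if idle > threshold:
            stale.append((c.name, idle.days))
    return stale


def find_overbroad(grants, high_risk=HIGH_RISK_SCOPES):
    """Return (app, provider, offending_scopes) for grants holding any
    high-risk scope. Offline/full access is what lets a harvested token keep
    working long after the user session that issued it is gone."""
    return [
        (g.app, g.provider, sorted(g.scopes & high_risk))
        for g in grants
        if g.scopes & high_risk
    ]


def audit(creds, grants, now):
    """Combine both checks into one report dict."""
    return {
        "dormant_credentials": find_dormant(creds, now),
        "overbroad_grants": find_overbroad(grants),
    }


# Constructed sample inventory. Dates are arbitrary and do not come from the
# incident reports; the "prototype" key mirrors the pattern described above.
SAMPLE_NOW = datetime(2026, 6, 19, tzinfo=timezone.utc)
SAMPLE_CREDENTIALS = [
    Credential("proto-integration-key", "unknown", datetime(2024, 3, 1, tzinfo=timezone.utc),
               None, "abandoned third-party integration prototype"),
    Credential("crm-sync-key", "integrations-team", datetime(2025, 1, 10, tzinfo=timezone.utc),
               datetime(2026, 6, 18, tzinfo=timezone.utc), "nightly CRM sync"),
]
SAMPLE_GRANTS = [
    OAuthGrant("battlecards-connector", "salesforce", {"api", "refresh_token", "full"}, 140),
    OAuthGrant("calendar-viewer", "google", {"calendar.readonly"}, 3),
]

if __name__ == "__main__":
    report = audit(SAMPLE_CREDENTIALS, SAMPLE_GRANTS, SAMPLE_NOW)
    for name, days in report["dormant_credentials"]:
        print(f"DORMANT  {name}: {days} days without use; revoke or justify")
    for app, provider, scopes in report["overbroad_grants"]:
        print(f"OVERBROAD {app} ({provider}): holds {scopes}; re-scope and rotate")
```

Run against a real inventory, the dormant list is the set of keys to revoke first, and the over-broad list is the set of grants whose tokens would be most damaging if harvested. Feeding the script from your identity provider's or SaaS vendor's actual credential and connected-app exports is left to the reader; the point is that both checks are mechanical once the inventory exists.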

Timeline

  1. 12 June 2026: Unauthorised activity in Klue's backend infrastructure is detected and contained the same morning; Klue begins notifying customers, deactivates OAuth tokens and disables its third-party integrations.

  2. 17 June 2026: Salesforce disables the Klue 'Battlecards' connected app after detecting unusual activity that may have exposed a subset of customer data through the integration.

  3. 19 June 2026: Huntress and Recorded Future publicly disclose that their Salesforce data was exfiltrated via the Klue compromise; Huntress attributes the attack with high confidence to the Icarus extortion group.

Sources

  1. huntress.com: https://www.huntress.com/blog/klue-breach-investigation
  2. recordedfuture.com: https://www.recordedfuture.com/blog/klue-security-incident
  3. securityweek.com: https://www.securityweek.com/cybersecurity-firms-impacted-by-klue-supply-chain-attack/
  4. thehackernews.com: https://thehackernews.com/2026/06/salesforce-disables-klue-app.html
  5. govinfosecurity.com: https://www.govinfosecurity.com/attackers-steal-salesforce-data-from-klue-battlecards-users-a-32011

Related incidents

Supply chain | Contained

OptinMonster, TrustPulse and PushEngage WordPress plugins backdoored in Awesome Motive CDN supply-chain attack

Attackers stole a CDN API key from Awesome Motive and tampered with JavaScript served to the OptinMonster, TrustPulse and PushEngage WordPress plugins, silently creating rogue administrator accounts and planting backdoors on sites whose logged-in admins loaded the malicious code.

Victim
Awesome Motive (OptinMonster, TrustPulse, PushEngage)

Supply chain | Ongoing

'Atomic Arch' supply-chain attack hijacks 400+ Arch Linux AUR packages to deploy a credential stealer and eBPF rootkit

Sonatype researchers uncovered 'Atomic Arch,' a supply-chain campaign in which attackers adopted hundreds of orphaned Arch User Repository packages and rewrote their build scripts to install a malicious npm package that drops a Linux credential stealer with optional eBPF rootkit capabilities.

Victim
Arch User Repository (AUR)