The Klue-Salesforce supply chain breach now spans roughly two dozen confirmed victims. The extortion group Icarus, which claimed responsibility, has itself been compromised. Stolen data is now fueling a second, independent extortion campaign by an unidentified threat actor.

The Klue-Salesforce supply chain compromise, which surfaced on June 11–12, 2026, has surpassed two dozen confirmed victims and taken an unprecedented turn for the digital criminal economy: the extortion group Icarus, which claimed the attack, appears to have been breached itself. According to communications Klue reportedly sent to customers, the stolen data has fallen into the hands of a second threat actor now running an independent extortion campaign. The episode exposes the structural fragility of the "pay and delete" model, where the currency—stolen data—is no longer controlled by a single holder.

Key Takeaways
  • Roughly two dozen companies have confirmed compromise of their Salesforce instances, including AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines
  • Initial access occurred via compromised legacy credentials tied to an integration service, per Klue CEO Jason Smith’s reconstruction
  • Huntress tracked approximately 900 Salesforce API queries with a Python User-Agent, confirming the OAuth token theft and subsequent bulk exfiltration mechanism
  • Klue reportedly informed customers that Icarus was hacked and that the stolen data now fuels a second extortion campaign by an unidentified actor

The Attack Chain: From Legacy Credential to Mass Exfiltration

On June 11–12, 2026, an actor gained access to the Klue platform by exploiting compromised legacy credentials tied to an integration service. A statement from CEO Jason Smith, reported by BleepingComputer, specifies that the attacker used this access to acquire OAuth tokens used to connect Klue with third-party platforms, including Salesforce, and subsequently extracted data from numerous connected customer environments.

Evidence gathered by Huntress confirms the reconstruction. Researchers observed approximately 900 queries directed at the Salesforce API endpoint /services/data/v59.0/query/, all originating from a Python User-Agent. The pattern indicates automated, large-scale extraction, not sporadic or single-record access. The attacker’s infrastructure was traced to IP addresses in the Netherlands, France, and Ukraine, while extortion emails were routed through compromised mail servers of an Australian retail network.
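The Huntress observation above (hundreds of calls to the v59.0 query endpoint from a Python User-Agent) is a pattern defenders can hunt for in their own Salesforce API access logs. The following is an added example, not code from Klue, Huntress or the article: it groups query-endpoint calls per (user, source IP), keeps only Python-style clients, and flags any pair that issues a burst within a sliding window. The column names, thresholds and sample records are assumptions constructed for the example.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Column names are an assumption loosely modelled on a Salesforce EventLogFile
# ApiEvent export; adapt them to the export you actually pull.
QUERY_ENDPOINT = "/services/data/v59.0/query/"
WINDOW = timedelta(hours=1)
MIN_QUERIES = 10          # bulk-automation threshold for one (user, ip) pair
PYTHON_UA_MARKERS = ("python-requests", "python-urllib", "aiohttp", "httpx")

def build_sample_log():
    """Constructed sample: one integration user hammering the query endpoint from
    a python-requests client, plus benign traffic. IPs are from 203.0.113.0/24."""
    rows = ["TIMESTAMP,USER_ID,CLIENT_IP,USER_AGENT,URI,ROWS_PROCESSED"]
    t0 = datetime(2026, 6, 11, 22, 0, 0)
    for i in range(12):  # burst: 12 bulk queries in 36 minutes
        ts = (t0 + timedelta(minutes=3 * i)).strftime("%Y-%m-%dT%H:%M:%SZ")
        rows.append(f"{ts},005INTEG0001,203.0.113.7,python-requests/2.31.0,{QUERY_ENDPOINT},2000")
    rows.append(f"2026-06-11T22:05:00Z,005HUMAN0002,203.0.113.20,Mozilla/5.0 (Windows NT 10.0),{QUERY_ENDPOINT},25")
    rows.append(f"2026-06-11T22:09:00Z,005DEVEL0003,203.0.113.9,python-requests/2.31.0,{QUERY_ENDPOINT},5")
    return "\n".join(rows)

def is_python_client(user_agent):
    ua = user_agent.lower()
    return any(m in ua for m in PYTHON_UA_MARKERS)

def find_bulk_python_queries(log_text, window=WINDOW, min_queries=MIN_QUERIES):
    """Return [(user_id, client_ip, total_queries, total_rows)] for every (user, ip)
    pair that issued >= min_queries Python-client SOQL queries inside any sliding
    window of the given length."""
    events = defaultdict(list)
    for rec in csv.DictReader(io.StringIO(log_text)):
        if not rec["URI"].startswith(QUERY_ENDPOINT) or not is_python_client(rec["USER_AGENT"]):
            continue
        ts = datetime.strptime(rec["TIMESTAMP"], "%Y-%m-%dT%H:%M:%SZ")
        events[(rec["USER_ID"], rec["CLIENT_IP"])].append((ts, int(rec["ROWS_PROCESSED"])))
    findings = []
    for (user, ip), evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:  # slide the window forward
                start += 1
            if end - start + 1 >= min_queries:
                findings.append((user, ip, len(evs), sum(r for _, r in evs)))
                break
    return findings
```

A legitimate integration user can trip this rule as well, so the threshold should be baselined against that user's normal query volume before alerting on it.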

Salesforce disabled the Klue integration on June 17, 2026. As of June 26, the integration had not been re-enabled. Gong also disabled the Klue connector. The measure, while containment-oriented, does not recover already exfiltrated data.

Victim Spread: From Nine to ~24 Confirmations in Four Days

The victim map expanded rapidly. Initial confirmations, documented by BleepingComputer and MLQ.ai by June 22, included HackerOne, Huntress, Jamf, Recorded Future, Snyk, OneTrust, Tanium, Sprout Social, Gong, and Insurity. By June 26, SecurityWeek added eight more companies: AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines.

Sprout Social published a direct advisory confirming unauthorized access to its Salesforce data over the weekend of June 11–12, specifying the affected categories: business contact details, organizational and account information, and CRM sales records. The company explicitly stated that product or platform data was not involved. HackerOne, in a statement cited by MLQ.ai, clarified that "no customer vulnerability data is permitted in our CRM systems," scoping the specific risk to its business.

SecurityWeek reports a figure not specified by other sources: the incident allegedly involved 195 Klue customers, though the second extortion group reportedly stole only "sample data" from Icarus. This figure lacks independent confirmation in the dossier and remains attributed to unspecified reports.

"Klue reportedly told customers that Icarus themselves were hacked, and that the stolen data is now in the hands of another threat actor, which is running its own extortion campaign." — SecurityWeek, citing TechCrunch

The Criminal Economy Eats Its Own: Icarus Compromised

The structural break is the alleged compromise of Icarus itself. The group, active on the extortion scene with a leak site that had been unreachable for roughly two days as of June 26, was reportedly breached with consequent dispersal of the stolen data. SecurityWeek attributes the information to TechCrunch: Klue reportedly informed its customer base directly of the circumstance.

The mechanism introduces a new variable into victim calculations. The implicit premise of ransom payment—that data is deleted by the attacker—dissolves when the material changes hands without the payer being able to verify destruction. No extortion group other than Icarus has publicly claimed possession of the Klue data at the time of reporting, which does not rule out private circulation or sale on secondary markets.

Icarus’s site remains offline. The cause—negotiation, takedown, or technical malfunction—is not determined by the dossier. The source does not specify whether Klue paid a ransom to Icarus or the second actor, nor whether law enforcement is investigating the compromise of the criminal group.

Why It Matters

The dossier does not document specific remedial measures taken by Klue beyond engaging CrowdStrike for forensic analysis, already confirmed by BleepingComputer and MLQ.ai. The source does not specify the full nature of data exfiltrated by the second actor, nor does it provide technical indicators of compromise usable for active network hunting.

The absence of a security advisory published directly by Klue or a primary security vendor (CrowdStrike has not released a public report at the time of the dossier) leaves operational questions unresolved: the mechanism of malicious code injection into the Klue platform, the exact duration of persistence, potential compromise of integrations beyond Salesforce and Gong, and the completeness of exposed token revocation.

The most significant limitation for organizations that adopted Klue is the inability to independently verify the claim of double compromise. The source reports Klue’s communication as "reportedly told customers," maintaining a margin of uncertainty that victims must navigate in their own incident response calculations.

Frequently Asked Questions

What is the difference between the ~24 confirmed and the 195 alleged?
Roughly two dozen companies have confirmed, either publicly or through direct communication to customers, that their Salesforce instances were compromised. The figure of 195, relating to the entire Klue customer base potentially involved, comes from unspecified reports and lacks independent confirmation in the dossier.

Has the second actor publicly claimed the data?
No. As of June 26, 2026, no extortion group other than Icarus has publicly claimed possession of the Klue data. The claim is limited to Klue’s internal communication to its customers.

Is the Salesforce integration safe?
Salesforce disabled the Klue connector on June 17 and had not re-enabled it as of June 26. The source does not specify technical conditions or timelines for future re-enablement.

Information is based on cited sources and current as of publication.

Sources and references
  1. securityweek.com
  2. cyberscoop.com
  3. oodaloop.com
  4. mlq.ai
  5. bleepingcomputer.com
  6. techcrunch.com
  7. nvd.nist.gov
  8. cve.org
  9. support.sproutsocial.com