Cyber Incident Victim: Klue

Date: Jun 2026
Location:

Summary

Klue suffered a supply chain attack in which threat actors compromised its backend servers and deployed a malicious update that harvested OAuth tokens for its integrations. Klue responded by revoking those tokens and disabling its connections to Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. Using the stolen tokens, the attackers abused the Salesforce REST API to exfiltrate substantial CRM data (business contacts, price quotes and sales-related information) from affected customers including Huntress and Recorded Future; Salesforce later disabled the Battlecards app integration after detecting unusual activity. Huntress reported extortion attempts from a threat actor identified as Mr Brean, associated with the Icarus group, whose leak site displayed data allegedly taken from Salesforce. The incident was confined to the Salesforce integration; the victims’ internal systems were not breached.

CIA posture: available to members
Motives: 1 motive
Tactics, techniques and procedures: 1 technique
Threat actors: 2 actors
Type: available to members
Location: available to members

Description

On June 11, 2026, threat actors gained unauthorized access to Klue’s backend servers and executed commands that pushed a malicious code update designed to harvest OAuth tokens from customer integrations. The compromise allowed the attackers to abuse the harvested tokens to interact with connected services, particularly the Salesforce REST API. Over a 24‑hour window they executed a high volume of queries, including a concentrated burst of nearly a thousand requests in fifteen minutes and sustained extraction periods lasting more than six hours. Klue became aware of the activity and on June 12 notified its customers, stating that it had deactivated all OAuth tokens and disabled the integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. On June 17, Salesforce responded by disabling the Klue Battlecards app integration after detecting anomalous activity that could have led to unauthorized access to a subset of customer data.
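The description above names two concrete signals a defender can alarm on in API activity logs: a burst of nearly a thousand requests in fifteen minutes, and extraction that runs for more than six hours without a pause. The script below is an added example written for this page, not code from Klue, Salesforce, Huntress or Recorded Future. It builds a constructed API access log (the line format, connected-app names, user and request path are all assumptions, so adapt `parse_line` to whatever API event export your platform provides) and runs two per-app checks over it: a sliding-window burst check and a consecutive-bucket sustained-activity check.

```python
"""Burst and sustained-extraction checks over API access events.

Added example for this page; not the code of any company named here.
The log line format below is an assumption, not a real vendor format.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Assumed line format: "<ISO8601 UTC> app=<connected app> user=<user> uri=<path>"
LINE_RE = re.compile(r"^(?P<ts>\S+) app=(?P<app>\S+) user=(?P<user>\S+) uri=(?P<uri>\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"

WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500                 # requests per 15-minute window; tune to the tenant's baseline
SUSTAINED_MIN_PER_BUCKET = 50         # a 15-minute bucket counts as "active" above this
SUSTAINED_MIN_DURATION = timedelta(hours=6)


def parse_line(line):
    """Parse one access-log line into a dict with a timezone-aware timestamp."""
    m = LINE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable line: {line!r}")
    ts = datetime.strptime(m["ts"], TS_FMT).replace(tzinfo=timezone.utc)
    return {"ts": ts, "app": m["app"], "user": m["user"], "uri": m["uri"]}


def build_sample_log():
    """Constructed sample log: one connected app that bursts, then extracts steadily
    for seven hours, plus a low-volume app for contrast. Names and times are made up."""
    base = datetime(2026, 6, 11, 10, 0, 0, tzinfo=timezone.utc)
    query = "app=KlueBattlecards user=integration@example.test uri=/services/data/v60.0/query"
    lines = []
    # ~950 query calls packed into the first 15 minutes
    for i in range(950):
        t = base + timedelta(milliseconds=947 * i)
        lines.append(f"{t.strftime(TS_FMT)} {query}")
    # steady extraction: 100 calls per 15-minute bucket for 28 buckets (7 hours)
    start = base + timedelta(hours=2)
    for bucket in range(28):
        for j in range(100):
            t = start + timedelta(minutes=15 * bucket, seconds=9 * j)
            lines.append(f"{t.strftime(TS_FMT)} {query}")
    # benign contrast: one call per hour from a different connected app
    for h in range(24):
        t = base + timedelta(hours=h, minutes=7)
        lines.append(f"{t.strftime(TS_FMT)} app=NightlyReport user=svc@example.test uri=/services/data/v60.0/sobjects")
    return lines


def detect_bursts(events, window=WINDOW, threshold=BURST_THRESHOLD):
    """For each app, the peak number of requests in any sliding window of `window` length."""
    by_app = defaultdict(list)
    for e in events:
        by_app[e["app"]].append(e["ts"])
    result = {}
    for app, stamps in by_app.items():
        stamps.sort()
        recent = deque()
        peak, peak_at = 0, None
        for t in stamps:
            recent.append(t)
            while recent[0] <= t - window:   # drop requests older than the window
                recent.popleft()
            if len(recent) > peak:
                peak, peak_at = len(recent), t
        result[app] = {"peak": peak, "peak_at": peak_at, "flagged": peak >= threshold}
    return result


def detect_sustained(events, bucket=WINDOW, min_per_bucket=SUSTAINED_MIN_PER_BUCKET,
                     min_duration=SUSTAINED_MIN_DURATION):
    """For each app, the longest run of consecutive active buckets; flag if it spans min_duration."""
    counts = defaultdict(lambda: defaultdict(int))
    for e in events:
        idx = int(e["ts"].timestamp() // bucket.total_seconds())   # epoch-aligned bucket index
        counts[e["app"]][idx] += 1
    need = int(min_duration / bucket)
    result = {}
    for app, per_bucket in counts.items():
        active = sorted(i for i, c in per_bucket.items() if c >= min_per_bucket)
        longest = run = 0
        prev = None
        for i in active:
            run = run + 1 if prev is not None and i == prev + 1 else 1
            longest = max(longest, run)
            prev = i
        result[app] = {"longest_run_buckets": longest, "flagged": longest >= need}
    return result


def run_demo():
    """Parse the constructed log and return both check results keyed by app."""
    events = [parse_line(line) for line in build_sample_log()]
    return {"bursts": detect_bursts(events), "sustained": detect_sustained(events)}


if __name__ == "__main__":
    for name, res in run_demo().items():
        for app, info in res.items():
            print(name, app, info)
```

Both checks key on the connected app rather than the user, because a harvested integration token looks like the legitimate app to the platform; the per-app baseline is what an anomaly has to be measured against. The thresholds here are illustrative and should be set from the tenant's own history of integration traffic.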

Huntress and Recorded Future confirmed they were among the organizations affected by the Klue‑Salesforce supply chain incident. Huntress reported that the data copied from its Salesforce instance included business contacts, price quotes, and sales‑related information, while emphasizing that no threat intelligence, passwords, payment card details, or engineering data were compromised. Recorded Future described the impact as limited to business data fields such as client contact names and email addresses within its Salesforce database. Both companies noted that the attackers did not infiltrate their internal networks or systems beyond the compromised Salesforce connection.

Huntress also disclosed receiving extortion messages from a threat actor identifying himself as 'Mr Brean', who is associated with the Icarus group; Icarus’ leak site displayed data allegedly taken from Salesforce, supporting the attribution. The tactics observed in the Klue attack resemble those used in earlier incidents involving Salesforce, Salesloft Drift and Gainsight, which have been linked to ShinyHunters and UNC6395, although the current activity appears to involve a different threat actor. Klue has not released a public statement detailing the breach, and SecurityWeek has sought comment from the company.

Sources: 1 source (available to members)