Cyber Incident Victim: Jamf
Date: Jun 2026
Location: —
Summary
A supply chain attack on the market intelligence platform Klue allowed threat actors to use compromised legacy credentials to obtain OAuth tokens for its Salesforce integration, which they then used to access the Salesforce instances of several Klue customers. Among those customers, Jamf, HackerOne, Huntress, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social disclosed that business information such as names, email addresses, job titles, phone numbers and business addresses was exfiltrated from their Salesforce CRMs. Klue revoked the compromised credentials and tokens, disabled the affected integrations and is investigating the incident with CrowdStrike and law enforcement, noting that no data stored within the Klue platform itself was affected. Salesforce subsequently disabled the Klue integration, and a threat actor identifying as Icarus claimed responsibility and threatened to release the stolen data.
Description
On June 11‑12, 2026, attackers gained access to Klue’s systems by using compromised legacy credentials. They obtained OAuth tokens that Klue used to connect with third‑party platforms, including Salesforce, and then used those tokens to enter the Salesforce environments of several Klue customers. Among those customers was Jamf, which publicly acknowledged the impact as part of a group of at least nine organizations that disclosed the breach. Klue confirmed the breach on June 22, 2026, after investigating with CrowdStrike and law enforcement.

The intrusion was confined to the Salesforce instances of the affected companies and did not reach any data stored within the Klue platform itself. For Jamf, the attackers exfiltrated business information from its Salesforce CRM, including sales account data and contact details such as names, email addresses, job titles, phone numbers, and business addresses. Jamf stated that its own systems remained unaffected and that the breach did not involve any of its internal networks or applications. No evidence was found that customer content housed in Klue was altered or stolen.

In response, Klue revoked the compromised credentials and tokens, disabled the affected integrations across its services, and began a joint investigation with CrowdStrike and relevant authorities. Salesforce subsequently disabled the Klue integration to prevent further unauthorized access, a step that also affected Jamf’s connection to the platform. Jamf, together with the other affected firms, noted that the intrusion was limited to the Salesforce instances and did not involve their own systems, consistent with Klue’s incident notice.
