Cyber Incident Victim: OneTrust
Date: Jun 2026
Location: United States of America
Summary
Attackers gained access to the market intelligence platform Klue by using compromised legacy credentials, which allowed them to obtain OAuth tokens for Klue’s integration with Salesforce and other third‑party services. Using those tokens they entered the Salesforce environments of several Klue customers, including OneTrust, and exfiltrated business information such as sales account data, names, email addresses, job titles, phone numbers and addresses. Klue revoked the exposed credentials and tokens, disabled the affected integrations and worked with CrowdStrike and law enforcement to investigate the breach. Salesforce subsequently disabled the Klue integration, and other platforms like Gong took similar precautions. A threat actor identifying as Icarus claimed responsibility, listed Klue on its leak site and threatened to release the stolen data unless negotiations occurred.
Description
On June 11‑12, 2026, market intelligence platform Klue disclosed that attackers had gained access to its systems using compromised legacy credentials. The intruders used that access to compromise Klue’s Salesforce integration and to obtain OAuth tokens that connected Klue with third‑party platforms. With those tokens the attackers entered the Salesforce instances of a number of Klue customers and exfiltrated data stored there. Klue responded by revoking the affected credentials and tokens, disabling the integrations across multiple services, and launching an investigation together with CrowdStrike and law‑enforcement agencies.

The company stated that, based on its investigation to date, the incident was limited to the affected third‑party platforms and that there was no evidence that customer content stored within the Klue platform itself had been impacted. At least nine Klue customers publicly acknowledged that they were affected: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social. Each of those companies confirmed that the intrusion was confined to their Salesforce instances and did not extend to their internal systems, and that the stolen data consisted of sales account information and business contact details such as names, email addresses, job titles, phone numbers and business addresses. Revenue intelligence platform Gong also disclosed that its own Klue integration had been exploited, noting that the attackers accessed internal licensed user data including user names, business titles and email addresses, while emphasizing that call recordings and customer transcripts were not affected.

In response to the breach, Salesforce disabled the Klue integration in its environment, and Gong subsequently disabled the same integration as a precautionary measure. Huntress suggested that a threat actor tracked as Icarus might have been responsible for the attack, and Icarus later added Klue to its Tor‑based leak site, claiming responsibility and threatening to publish the stolen information unless Klue and the affected organizations entered negotiations. According to the actor’s posts, the data would be released on June 22, 2026, if no negotiations took place. As of the latest public statements, Klue continued to work with investigators and had not reported any further compromise of its core platform or of customer data beyond the Salesforce‑related exfiltration.
