Cyber Incident Victim: Sprout Social
Date: Jun 2026
Location: United States of America
Summary
The breach of Klue’s infrastructure allowed an unauthorized actor to obtain OAuth tokens through a compromised legacy credential and use them to access connected Salesforce environments, including that of the social media analytics platform Sprout Social. The attacker impersonated Klue within those systems, exfiltrating customer data before the activity was detected and contained. Klue revoked the affected credentials and tokens, removed unauthorized code, disabled impacted integrations, notified law enforcement and engaged a forensic firm to investigate. Affected clients, among them several cybersecurity firms and other businesses, were informed of the incident and advised to monitor for potential misuse of the exposed information, such as phishing attempts leveraging the stolen data. The incident was claimed by an extortion group that set a deadline for victims to respond before threatening to release the data.
Description
On June 12, 2026, Klue detected an intrusion into its integration infrastructure after an unauthorized actor gained access through a compromised legacy credential to the Klue Battlecards app. The attacker used this foothold to obtain OAuth tokens and connect Klue to third‑party platforms, including Salesforce, then impersonated Klue within those environments to exfiltrate customer data before the activity was detected and contained. Klue’s CEO Jason Smith announced the breach on June 19, stating that the company immediately revoked the affected credentials and tokens, removed unauthorized code, and disabled potentially impacted integrations. Klue also notified law enforcement, launched an internal investigation and a comprehensive review of its security controls, and engaged CrowdStrike to assist with forensic analysis. Throughout the incident, Klue provided regular updates to its customers and shared remediation guidance via multiple channels. On June 17, Salesforce publicly announced that it had disabled the Klue Battlecards integration to prevent further misuse.

Huntress, Recorded Future, Jamf and Tanium confirmed that the breach originated through Klue’s infrastructure and that their own products and services remained unaffected, though Huntress warned that customer data such as business names, trial or used products, subscription details, contact information and marketing communications may have been compromised. Jamf cautioned customers about possible phishing campaigns using the stolen Salesforce data and advised vigilance against actors posing as Jamf employees, while Recorded Future disabled the Klue integration and performed a forensic analysis, stressing the need for continuous monitoring of third‑party integrations with privileged access. Non‑cybersecurity firms were also impacted, with the insurance provider Insurity and the social‑media analytics platform Sprout Social listed among the affected Klue customers. The breach was claimed on June 19 by the extortion group Icarus, which posted a deadline on June 20 giving Klue clients until June 22 to respond before threatening to release their data. Icarus had only three victims listed on its leak site at the time, according to Ransomware.live.
