Cyber Incident Victim: Insurity
Date: Jun 2026
Location: United States of America
Summary
A hacking group compromised Klue’s integration infrastructure using a stolen legacy credential, obtained OAuth tokens, and accessed the Salesforce environments of several Klue customers, including the insurance service provider Insurity. The attackers exfiltrated business contact information and other data, claimed responsibility under the name Icarus, and threatened to release the information unless a ransom was paid, while Klue revoked tokens, disabled affected integrations, enlisted CrowdStrike for forensics, and notified law enforcement. The affected insurance provider confirmed the data theft and warned customers to watch for phishing attempts leveraging the stolen information.
Description
On June 12, 2026, Klue detected an intrusion into its integration infrastructure, specifically the Klue Battlecards app, after attackers used a compromised legacy credential to gain unauthorized access. The attackers obtained OAuth tokens from Klue’s systems and used them to impersonate Klue within connected Salesforce environments of its customers. This allowed the threat actors to exfiltrate data from the Salesforce databases of multiple Klue clients before the activity was detected and contained. Klue’s CEO Jason Smith issued an official statement on June 19 confirming the detection date and describing the attack vector. The breach was publicly claimed on June 19 by the extortion group Icarus, which set a deadline of June 22 for victims to respond before threatening to release the stolen data.

Several companies confirmed that their data had been stolen during the Klue incident, including cybersecurity firms such as Huntress, Recorded Future, Jamf, Tanium, Gong, OneTrust, Snyk and non‑cybersecurity organizations like the insurance service provider Insurity and the social media analytics platform Sprout Social. The stolen information consisted primarily of business contact details such as names, email addresses, phone numbers, job titles and some account information, with Huntress additionally noting that business names, products trialed, subscription details and marketing and sales communications may have been exposed. Jamf warned that the compromised Salesforce data could be used in phishing campaigns posing as its employees, while Recorded Future disabled the Klue integration and performed a forensic analysis. Insurity, as an affected insurer, acknowledged that its data had been taken in the attack but did not disclose further specifics about the nature or volume of the information compromised. Tanium stated that there was no impact on its ability to serve customers, and Jamf said it had found no evidence of lateral movement and had contained the incident on its own systems.
In response, Klue revoked the affected credentials and OAuth tokens, removed unauthorized code and disabled the potentially impacted integrations to prevent further access. The company notified law enforcement, launched an internal investigation and a comprehensive review of its security controls, and engaged the incident response firm CrowdStrike to conduct forensic analysis. Klue also provided regular updates to its customers and shared remediation guidance through various channels. Salesforce announced on June 17 that it had disabled the Klue Battlecards integration to stop the abuse of the stolen tokens. Huntress reported that the attackers had contacted it with a ransom note sent from an Australian company’s email address, indicating an attempt to extort payment for the non-release of the data. The incident highlighted the risk that a compromised middleware provider poses when it holds privileged OAuth connections into its customers’ cloud environments: a single stolen credential at the provider became access to many customers’ Salesforce data.
