
Cyber Incident Victim: Tanium

Date: Jun 2026

Location:

Summary

A supply chain compromise of the market intelligence platform Klue allowed attackers to obtain OAuth tokens for its Salesforce integration and access the Salesforce environments of several of its customers, including the cybersecurity firm Tanium. The intruders exfiltrated business contact data such as names, email addresses, job titles, phone numbers and business addresses from those CRM systems. Klue revoked the compromised credentials, disabled the affected integrations and worked with CrowdStrike and law enforcement to investigate the breach. Salesforce subsequently disabled the Klue integration, and another platform, Gong, took similar action after discovering its own Klue‑linked access had been used. A threat actor identifying itself as Icarus claimed responsibility for the intrusion and threatened to release the stolen data unless negotiations occurred.


Description

On June 11‑12, 2026, attackers gained access to the market intelligence platform Klue by using compromised legacy credentials. Once inside, they obtained OAuth tokens that Klue used to connect with third‑party platforms, including Salesforce, and used those tokens to access data within the Salesforce environments of a number of Klue customers. Klue confirmed the breach on June 22, stating that the intruders had accessed only the integrated third‑party platforms and that there was no evidence that customer content stored within the Klue platform itself was affected.


Among the affected customers, at least nine organizations publicly acknowledged the impact, including the cybersecurity firm Tanium. Tanium, like the other disclosed firms, reported that the intrusion was limited to its Salesforce instance and did not involve its internal systems. The attackers exfiltrated business information from the Salesforce CRM, such as sales account data and contact details including names, email addresses, job titles, phone numbers, and business addresses. Tanium noted that the stolen data consisted solely of this Salesforce‑resident information and that no other Tanium systems were compromised.

In response, Klue revoked the compromised credentials and tokens, disabled the affected Salesforce and other integrations, and launched an investigation together with CrowdStrike and law‑enforcement agencies. Salesforce subsequently disabled the Klue integration across its platform, and the revenue intelligence company Gong also disabled its Klue integration after noting that the attackers had used the connection to access internal licensed user data. The threat actor known as Icarus claimed responsibility for the attack, added Klue to a Tor‑based leak site, and threatened to publish the stolen data unless Klue and the affected organizations entered negotiations.
