Cyber Incident Victim: Recorded Future
Date: Jun 2026
Location: United States of America
Summary
Hackers compromised Klue’s backend servers and pushed a malicious update that harvested OAuth tokens from its integrations, prompting Klue to deactivate those tokens and disable connections with platforms such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive and Slack. The attackers then used the Salesforce REST API to extract large volumes of CRM data, including business contacts, price quotes and sales‑related information from the accounts of Huntress and Recorded Future, while no threat data, passwords, payment card details or engineering files were accessed. Salesforce subsequently disabled the Klue Battlecards app after detecting unusual activity, and Huntress reported extortion attempts from a threat actor linked to the Icarus group, whose leak site displayed data allegedly taken from Salesforce. The breach was confined to the Klue‑Salesforce link, with no intrusion into the internal networks of the affected firms, and resembles earlier supply‑chain incidents though it appears to involve a new threat actor.
Description
On June 11, 2026, attackers compromised the backend servers of the market intelligence platform Klue and executed unauthorized commands that pushed a malicious code update designed to harvest OAuth tokens from customers’ integrations. Klue became aware of the breach and notified its customers on June 12, informing them that it had deactivated all OAuth tokens and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The notification warned that the compromise was limited to the Klue‑Salesforce integration and that no internal Huntress or Recorded Future systems were accessed directly. Huntress and Recorded Future later confirmed they were among the affected customers.

According to analysis by ReliaQuest, the attackers abused the Salesforce REST API to exfiltrate large volumes of CRM data over a 24‑hour window, including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction periods lasting more than six hours. Huntress reported that the data copied from its Salesforce instance consisted of business contacts, price quotes, and sales‑related information, and explicitly stated that no threat data, passwords, payment card details, or engineering data were compromised. Recorded Future described the impact as limited to business data fields in its Salesforce database, specifically client contact names and email addresses. Both firms emphasized that the attackers did not gain access to their internal networks or proprietary threat intelligence.

On June 17, Salesforce disabled the Klue Battlecards app integration after warning that it detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce. Huntress disclosed receiving extortion attempts from a threat actor identifying himself as “Mr Brean,” who is linked to the Icarus group, and noted that Icarus’ leak site displayed data allegedly stolen from Salesforce to support the claim. The incident follows patterns observed in earlier Salesforce, Salesloft Drift, and Gainsight breaches attributed to ShinyHunters and UNC6395, although the current activity appears to involve a new threat actor. Klue has not released a public statement detailing the breach, and SecurityWeek has requested further comment from the company.
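
The extraction pattern ReliaQuest describes above (a burst of nearly a thousand queries in 15 minutes, and sustained extraction lasting more than six hours) can be checked for in per-integration API call logs. The following is an added example, not code from ReliaQuest, Klue or Salesforce; the event format, the app names, the 900-call alert level and the 5-minute session gap are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 900            # assumed alert level for "nearly a thousand" queries
SUSTAINED_MIN = timedelta(hours=6)
MAX_GAP = timedelta(minutes=5)   # assumed: a longer silence ends a session


def detect(events):
    """events: iterable of (datetime, app_name). Returns {app: set of findings}."""
    by_app = defaultdict(list)
    for ts, app in events:
        by_app[app].append(ts)
    findings = defaultdict(set)
    for app, stamps in by_app.items():
        stamps.sort()
        window = deque()
        session_start = prev = stamps[0]
        for ts in stamps:
            # Sliding 15-minute window: count calls still inside it.
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                findings[app].add("burst")
            # Session tracking: a gap longer than MAX_GAP starts a new session.
            if ts - prev > MAX_GAP:
                session_start = ts
            if ts - session_start >= SUSTAINED_MIN:
                findings[app].add("sustained")
            prev = ts
    return dict(findings)


def sample_events():
    """Constructed sample data, not taken from the incident."""
    t0 = datetime(2026, 1, 1, 0, 0)
    events = []
    # Hypothetical integration: one query per second for 16 minutes (960 calls).
    events += [(t0 + timedelta(seconds=i), "integration-a") for i in range(960)]
    # Hypothetical integration: one query every 2 minutes for 7 hours.
    events += [(t0 + timedelta(minutes=2 * i), "integration-b") for i in range(211)]
    # Ordinary app: one call every 30 minutes, never a continuous session.
    events += [(t0 + timedelta(minutes=30 * i), "reporting-app") for i in range(16)]
    return events

if __name__ == "__main__":
    print(detect(sample_events()))
```

Both thresholds should be tuned against each integration's normal call volume before alerting on them.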
