June 24, 2026
The Klue Supply Chain Breach: How One Forgotten Credential Unlocked Salesforce Data Across Dozens…
June 21, 2026
By Poohbalarajavarun
It started with a ghost: a credential that was never deactivated. On June 11, 2026, hackers breached the back-end systems of Klue, a market intelligence platform used by hundreds of global companies, via a login originally created for a test integration that was later abandoned. What followed was a textbook supply chain attack that radiated outward, hitting cybersecurity firms, technology companies and sales organizations before the world knew what had happened.
What Happened
On June 12, 2026, Klue detected suspicious activity affecting a part of its integration infrastructure. The attacker then used a compromised legacy credential associated with an integration service to gain access. This was then leveraged to obtain OAuth tokens linking Klue to certain third-party platforms, including Salesforce. The attacker then accessed data within a number of connected customer environments.
OAuth tokens are digital keys that give third-party applications access to platforms such as Salesforce on behalf of a user, without the need for a real password. By bulk-collecting these keys, the attackers effectively obtained a master pass to dozens of corporate environments at once.
Security researchers spotted some anomalous behavior on June 11 in a system that connects with multiple integrations to other software platforms, which is speculated to be the point of Klue's compromise. The attackers pushed a code update that could harvest OAuth tokens used by Klue's customers to connect Klue to their own systems. The breach was due to a long unused but still live credential that Huntress said was created to prototype a third-party integration that was later abandoned, and never revoked.
Klue staff disabled the remote access, removed the token theft code from their servers, and issued a general alert to customers on June 13, which did not indicate which customers were impacted. But on June 16, emails began to appear in the inboxes of some Huntress staff with the subject line "top secret email" and a warning: "Your data has been downloaded…You have 48 hours to communicate with us."
The data theft is in line with a pattern seen in Salesforce attacks during 2025 and 2026. The attackers authenticated with a compromised Klue integration service account, generated OAuth tokens and ran automated scripts to extract bulk amounts of Salesforce records via the REST APIs. This activity lasted for around 24 hours from a "trusted" integration account without triggering the usual alarms.
Who Was Affected
Affected organizations include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, and Insurity. The stolen data primarily consists of business contacts, sales communications, pricing information, and opportunity notes from customer Salesforce instances. There is no evidence that customer content stored directly within the Klue platform, payment card data, passwords, or internal product telemetry were impacted.
Huntress said the data copied from its Salesforce account included business contacts, price quotes and other sales-related data and messaging, but that no threat data, passwords, payment card information or engineering data related to the Huntress agent or telemetry was affected. Recorded Future said it is still investigating but believes the impact was limited to business data fields stored in its Salesforce database, including client contact names and email addresses.
Huntress said the attack likely was carried out by the extortion group calling itself "Icarus," which has been active since late April 2026 and whose dark-web leak site and extortion emails contained matching Session Messenger IDs.
Potential Impact
While the stolen data did not include passwords or financial credentials in most confirmed cases, the consequences extend beyond what was directly extracted. For cybersecurity firms like Huntress and Recorded Future, customer relationship data (contacts, pricing, deal notes) could be weaponized to target their own clients in phishing campaigns, a worrying secondary risk given the sensitivity of the sectors they serve.
The activity follows the same third-party OAuth-abuse playbook behind the Salesloft Drift and Gainsight compromises that rattled Salesforce ecosystems throughout 2025 and 2026, reinforcing that trusted SaaS integrations remain a high-value yet little-monitored route to sensitive data. Analysts assess it is highly likely that threat actors will continue targeting third-party Salesforce-connected integrations through the rest of 2026: the OAuth-abuse playbook is repeatable, effective, and now widely adopted.
ReliaQuest urged organizations to immediately revoke and reissue everything tied to the Klue integration, including the service-account password, refresh tokens, client secrets, and active OAuth grants. Security teams were also advised to review Salesforce API activity for unusual REST API query volume and enforce IP allowlisting for third-party integration accounts.
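The two detection checks ReliaQuest recommends (unusual REST API query volume from an integration account, and calls from outside that account's IP allowlist) can be expressed as a small log review. The following is an added example, not code from the article or from ReliaQuest; the log rows are constructed and only loosely shaped like Salesforce EventLogFile "RestApi" entries, and the column names, the `klue-integration@example.com` account, the baseline figures and the allowlisted range are all assumptions.

```python
import csv
import io
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample rows, loosely shaped like Salesforce EventLogFile "RestApi"
# entries. The column names are an assumption for this example, not the real schema.
HEADER = "TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP,METHOD,URI"
INTEGRATION_USER = "klue-integration@example.com"   # hypothetical service account

def build_sample_log() -> str:
    """Three ordinary queries from a human user, then a one-hour burst of bulk
    query calls from the integration account, arriving from an off-allowlist IP."""
    rows = [HEADER]
    for s in range(3):
        rows.append(f"2026-06-11T01:00:0{s}Z,alice@example.com,198.51.100.7,GET,/services/data/v60.0/query")
    for i in range(300):
        rows.append(f"2026-06-11T02:{i // 60:02d}:{i % 60:02d}Z,{INTEGRATION_USER},203.0.113.10,GET,/services/data/v60.0/query")
    return "\n".join(rows) + "\n"

def parse_rows(text: str) -> list[dict]:
    return list(csv.DictReader(io.StringIO(text)))

def hourly_counts(rows) -> Counter:
    # Bucket REST calls per (user, UTC hour); TIMESTAMP_DERIVED[:13] is "YYYY-MM-DDTHH".
    return Counter((r["USER_NAME"], r["TIMESTAMP_DERIVED"][:13]) for r in rows)

def find_anomalies(rows, allowlist, baseline_per_hour, factor=10):
    """Flag (a) accounts whose hourly REST volume exceeds factor x their known
    baseline and (b) any call from an IP outside that account's allowlist."""
    nets = {user: [ip_network(c) for c in cidrs] for user, cidrs in allowlist.items()}
    findings = []
    for (user, hour), n in hourly_counts(rows).items():
        if user in baseline_per_hour and n > factor * baseline_per_hour[user]:
            findings.append({"user": user, "hour": hour, "type": "volume", "count": n})
    seen = set()
    for r in rows:
        user, ip = r["USER_NAME"], ip_address(r["CLIENT_IP"])
        if user in nets and not any(ip in net for net in nets[user]) and (user, ip) not in seen:
            seen.add((user, ip))
            findings.append({"user": user, "ip": str(ip), "type": "off_allowlist"})
    return findings

ALLOWLIST = {INTEGRATION_USER: ["192.0.2.0/24"]}      # assumed vendor egress range
BASELINE = {INTEGRATION_USER: 20, "alice@example.com": 20}   # assumed calls/hour

if __name__ == "__main__":
    for f in find_anomalies(parse_rows(build_sample_log()), ALLOWLIST, BASELINE):
        print(f)
```

In a real deployment the baseline would come from several weeks of the account's own history, and the allowlist should match the IP restrictions enforced on the integration's Salesforce profile, so the log check catches what the enforcement misses.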
The Klue incident is a sobering reminder that in today's enterprise environments, security is only as strong as the least-monitored integration in the stack, even those quietly forgotten years ago. All it took was a single abandoned credential left active by mistake to expose some of the world's biggest names in cybersecurity.
References:
- The Hacker News: https://thehackernews.com/2026/06/salesforce-disables-klue-app.html
- Huntress Blog: https://www.huntress.com/blog/klue-breach-investigation
- Help Net Security: https://www.helpnetsecurity.com/2026/06/19/klue-salesforce-data-breach-huntress/
- ReliaQuest: https://reliaquest.com/blog/threat-spotlight-integration-abused-in-crm-data-theft/
- Dark Reading: https://www.darkreading.com/cyberattacks-data-breaches/salesforce-data-thefts-klue-app-compromise