Klue Breach Exposes Salesforce Data, Huntress Impacted
A cybersecurity incident involving Klue, a market intelligence platform, led to the unauthorized access of customer data across multiple integrated systems, including Salesforce.
Breach Overview
Attackers gained unauthorized access to customer data across multiple integrated systems, including Salesforce. Huntress, a cybersecurity provider, confirmed it was among the affected customers. The attack began with a compromised integration credential and escalated into data exfiltration via malicious code deployed on Klue’s infrastructure.
Attack Timeline
The breach timeline began on June 11 when attackers exploited a dormant API credential tied to an abandoned third-party integration prototype. This allowed them to deploy malicious code designed to harvest OAuth tokens used by Klue customers to connect to services such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
Huntress Involvement
Klue detected the unauthorized activity and removed the malicious code from its servers on June 13, issuing a general alert to customers without specifying which accounts were affected. However, on June 16, some Huntress employees received emails with the subject line “top secret,” containing extortion demands.
Attackers Identified
Huntress identified the attackers as the Icarus group, an extortion collective active since late April 2026, based on matching Session Messenger IDs from the emails and the group’s dark-web leak site.
Data Compromised
The stolen data included business contacts, price quotes, and sales-related messaging, though Huntress confirmed that sensitive information such as threat data, passwords, payment card details, and engineering data remained unaffected. The company emphasized that its products and infrastructure were not compromised.
Salesforce Response
Salesforce responded by disabling the Klue Battlecards app, which allowed third-party connections to its platform, following detection of anomalous activity. This action prevented further access until additional security measures were implemented.
Company Actions
Klue’s CEO, Jason Smith, stated that the company had revoked compromised credentials, removed unauthorized code, and suspended affected integrations. An investigation was initiated, and law enforcement was notified.
Klue’s statement indicated that the breach was confined to third-party platforms, with no evidence of customer content stored within its own systems being accessed. The company plans to enhance security controls, credential management, monitoring, and deployment processes.
Broader Implications
This incident aligns with a broader trend of attackers targeting trusted third-party integrations rather than directly attacking core platforms. In 2025, similar OAuth abuse campaigns affected other Salesforce-connected services, including Drift and Gainsight.
Technical Details
The technical pattern of the breach combines three elements: a dormant credential that was never revoked, malicious code deployed to harvest OAuth tokens, and abuse of the delegated access those tokens grant to downstream SaaS platforms. Huntress has shared indicators of compromise to help affected organizations detect and mitigate related activity.
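The defensive control this pattern calls for is an audit of integration credentials: alert when a credential that has been silent for months suddenly wakes up, and revoke credentials that are still enabled but unused. The following is an added example written for this article, not code from Klue, Huntress or Salesforce; the audit records, credential names and thresholds are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit records (not real Klue or Huntress data):
# (ISO timestamp, credential id, action performed with that credential)
SAMPLE_EVENTS = [
    ("2026-05-01T09:12:00", "int-crm-sync", "api.read"),
    ("2026-02-20T14:03:00", "int-proto-2024", "api.read"),   # abandoned prototype
    ("2026-06-01T09:00:00", "int-crm-sync", "api.read"),
    ("2026-06-11T02:41:00", "int-proto-2024", "deploy.code"),  # wakes up after months
    ("2026-06-11T02:55:00", "int-proto-2024", "token.list"),
    ("2026-06-12T09:12:00", "int-crm-sync", "api.read"),
]
# Constructed inventory of credentials that are still enabled in the platform.
ACTIVE_CREDENTIALS = {"int-crm-sync", "int-proto-2024", "int-old-reporting"}

def _parse(ts):
    return datetime.fromisoformat(ts)

def dormant_reactivations(events, dormant_days=60):
    """Return (credential, idle_days, timestamp, action) for every use that follows
    a silence of at least dormant_days. A long-idle integration credential that
    suddenly deploys code or lists tokens is the pattern described above."""
    by_cred = defaultdict(list)
    for ts, cred, action in events:
        by_cred[cred].append((_parse(ts), action))
    hits = []
    for cred, uses in by_cred.items():
        uses.sort()
        for (prev_t, _), (t, action) in zip(uses, uses[1:]):
            idle = (t - prev_t).days
            if idle >= dormant_days:
                hits.append((cred, idle, t.isoformat(), action))
    return hits

def revocation_candidates(events, active, now, stale_days=90):
    """Enabled credentials with no use in the last stale_days (or never used)
    as of `now`: these should be revoked before anyone else finds them."""
    cutoff = now - timedelta(days=stale_days)
    last_seen = {}
    for ts, cred, _ in events:
        t = _parse(ts)
        if t <= now and t > last_seen.get(cred, datetime.min):
            last_seen[cred] = t
    return sorted(c for c in active if last_seen.get(c, datetime.min) < cutoff)

if __name__ == "__main__":
    print(dormant_reactivations(SAMPLE_EVENTS))
    print(revocation_candidates(SAMPLE_EVENTS, ACTIVE_CREDENTIALS, datetime(2026, 6, 1, 12)))
```

Run against the constructed log, the first function flags the prototype credential reactivating after 110 idle days, and the second, evaluated on June 1, would already have listed it (and a never-used credential) for revocation ten days before the intrusion.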
Industry Lessons
The event underscores the vulnerabilities inherent in interconnected SaaS ecosystems and the importance of rigorous third-party risk management.
