How the Klue Supply Chain Attack Impacted Cybersecurity Firms

A supply chain attack targeting the market intelligence platform Klue has compromised multiple cybersecurity organizations, including Huntress and Recorded Future.

Overview of the Breach

The breach, which began on June 11, involved unauthorized access to Klue’s backend systems, enabling attackers to deploy malicious code designed to extract OAuth tokens from customer integrations. This allowed the threat actors to gain access to sensitive data through third-party platforms.

Klue’s Response and Impact

Klue informed its users on June 12 that it had revoked all OAuth tokens and suspended integrations with key services such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The incident also involved data exfiltration via the Salesforce REST API, which affected organizations observed and investigated. ReliaQuest reported that attackers transmitted substantial volumes of customer relationship management (CRM) data over a 24-hour period, including a spike of nearly 1,000 queries within 15 minutes and prolonged data extraction windows lasting more than six hours.
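The two signals ReliaQuest describes, a short burst of queries and a multi-hour extraction window, can both be computed from per-connected-app API call records. The script below is an added example written for this article; it is not code from Klue, Salesforce, ReliaQuest or Huntress. It assumes a constructed, simplified record format (`timestamp,connected_app,endpoint`, one API call per line; a real Salesforce event export has many more fields), an invented connected app called "Hypothetical Intel App", and thresholds (200 calls per 15 minutes, a 10-minute session gap) that are assumptions to be tuned against a tenant's own baseline rather than values from the article.

```python
"""Burst and sustained-extraction detection over connected-app API call records.

Added example for this article; not code from Klue, Salesforce, ReliaQuest or Huntress.
The record format is a constructed simplification and the thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)        # burst window (the article cites ~1,000 queries in 15 minutes)
BURST_THRESHOLD = 200                 # assumed: calls per window beyond normal integration traffic
MAX_GAP = timedelta(minutes=10)       # assumed: silence longer than this ends an activity session
MIN_SUSTAINED = timedelta(hours=6)    # the article cites extraction windows longer than six hours


def build_sample_log():
    """Constructed records: 'timestamp,connected_app,endpoint', one API call per line."""
    base = datetime(2026, 6, 12)
    lines = []
    # Legitimate dashboard polling: one query every 20 minutes for a day.
    for i in range(72):
        ts = base + timedelta(minutes=20 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ},Sales Dashboard,/services/data/v59.0/query")
    # Hypothetical compromised integration: 250 queries in under ten minutes ...
    for i in range(250):
        ts = base + timedelta(hours=3, seconds=2 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ},Hypothetical Intel App,/services/data/v59.0/query")
    # ... followed by slow, steady pulls every 3 minutes for roughly seven hours.
    for i in range(140):
        ts = base + timedelta(hours=8, minutes=3 * i)
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ},Hypothetical Intel App,/services/data/v59.0/query")
    return lines


def parse_events(lines):
    """Group call timestamps by connected app, sorted ascending."""
    by_app = defaultdict(list)
    for line in lines:
        ts, app, _endpoint = line.split(",", 2)
        by_app[app].append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    for stamps in by_app.values():
        stamps.sort()
    return by_app


def peak_window_count(stamps, window=WINDOW):
    """Largest number of calls inside any sliding window of the given length (two-pointer scan)."""
    best, start = 0, 0
    for end, ts in enumerate(stamps):
        while ts - stamps[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def sessions(stamps, max_gap=MAX_GAP):
    """Split sorted timestamps into (start, end) activity sessions separated by silence > max_gap."""
    out = []
    for ts in stamps:
        if out and ts - out[-1][1] <= max_gap:
            out[-1][1] = ts          # extend the current session
        else:
            out.append([ts, ts])     # a gap ended the previous session; start a new one
    return [(s, e) for s, e in out]


def detect(lines):
    """Per app: peak calls in a 15-minute window, longest session, and the two verdicts."""
    report = {}
    for app, stamps in parse_events(lines).items():
        peak = peak_window_count(stamps)
        longest = max((e - s for s, e in sessions(stamps)), default=timedelta(0))
        report[app] = {
            "peak_15m": peak,
            "longest_session_hours": round(longest.total_seconds() / 3600, 2),
            "burst": peak >= BURST_THRESHOLD,
            "sustained": longest >= MIN_SUSTAINED,
        }
    return report


if __name__ == "__main__":
    for app, verdict in detect(build_sample_log()).items():
        print(app, verdict)
```

Both checks are keyed on the connected app rather than the user, because in an OAuth-token theft the calls arrive under a legitimate user's identity; the anomaly is in the volume and cadence of one integration, which is why the baseline for each app needs to be established before the thresholds mean anything.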

Impact on Cybersecurity Firms

On June 17, Salesforce took further steps by disabling the Klue Battlecards app integration, citing unusual activity that may have led to unauthorized access to a subset of customer data through the app’s connection to its platform. Huntress and Recorded Future confirmed their involvement in the breach, detailing the scope of the compromise. Huntress stated that the stolen data included business contacts, pricing quotes, and sales-related communications, though no threat intelligence, passwords, payment card details, or engineering data from its security tools were impacted. Recorded Future noted that the breach likely affected business data fields such as client contact information and certain contract details, but no critical infrastructure or internal systems were accessed.

Targeted Integrations and Adversaries

The attack specifically targeted the Klue-Salesforce integration, with no evidence of direct access to the cybersecurity firms’ internal networks. Huntress highlighted that other security companies use Klue, but no additional organizations have publicly reported impacts. The incident aligns with patterns seen in prior breaches involving Salesforce, Salesloft, Drift, and Gainsight, which have been linked to threat groups such as ShinyHunters and UNC6395. However, this attack appears to involve a new adversary.

Extortion and Attribution

Huntress reported receiving extortion demands from a group identifying as “Mr Brean,” which referenced a Session Messenger ID tied to Icarus, an extortion group that emerged in April 2026. Icarus’ leak site previously published data from a May 2026 breach and a June 16 leak attributed to Salesforce. Huntress concluded that Icarus is likely responsible for the Klue compromise based on overlapping data points.

Ongoing Investigation and Transparency

Despite sharing details with customers, Klue has not issued a public statement. SecurityWeek has sought clarification from the company and will update this report if additional information becomes available.

“Icarus is likely responsible for the Klue compromise based on overlapping data points,” Huntress stated.
