Klue Breach Victims Identified as Hackers Hacked
Approximately two dozen Klue customers have confirmed that their Salesforce environments were infiltrated during a supply chain attack in early June.
Klue Breach Overview
The breach occurred between June 11 and 12, when adversaries used compromised legacy credentials to access the market intelligence platform Klue. This gave the attackers the OAuth tokens issued to customers' Klue integrations, which they used to pull data from those customers' Salesforce environments in bulk.
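The attack path above, a trusted connected app whose stolen OAuth tokens are used for bulk data pulls, is one that a Salesforce customer can look for in its own API activity. The following script is an added illustration, not code from the article, from Klue, or from Salesforce: it runs over a small set of constructed API-activity records in a simplified schema of my own (the field names are not Salesforce's real Event Monitoring fields, and the timestamps' year is arbitrary), computes each connected app's median hourly row volume, flags hours that blow past that baseline, and maps the flagged app back to the app/user OAuth grants whose tokens should be revoked.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Constructed sample records in a simplified schema of our own (not Salesforce's
# real Event Monitoring fields): one record per API call by a connected app,
# with the number of rows the call returned. The year is arbitrary.
SAMPLE_EVENTS = [
    {"ts": "2025-06-10T09:05:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 500},
    {"ts": "2025-06-10T10:12:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 450},
    {"ts": "2025-06-10T11:40:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 520},
    {"ts": "2025-06-10T14:03:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 480},
    # Two calls in the same hour that together dwarf the app's normal volume.
    {"ts": "2025-06-11T23:30:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 120000},
    {"ts": "2025-06-11T23:45:00", "app": "klue-integration", "user": "svc-klue@example.test", "rows": 130000},
    {"ts": "2025-06-10T09:30:00", "app": "gong-integration", "user": "svc-gong@example.test", "rows": 300},
    {"ts": "2025-06-10T13:30:00", "app": "gong-integration", "user": "svc-gong@example.test", "rows": 320},
    {"ts": "2025-06-11T13:30:00", "app": "gong-integration", "user": "svc-gong@example.test", "rows": 310},
]


def hourly_totals(events):
    """Sum rows returned per (connected app, hour bucket)."""
    totals = defaultdict(int)
    for e in events:
        hour = datetime.fromisoformat(e["ts"]).replace(minute=0, second=0, microsecond=0)
        totals[(e["app"], hour)] += e["rows"]
    return totals


def flag_bulk_export(events, factor=10, floor=5000):
    """Flag (app, hour) buckets whose row count exceeds both an absolute floor
    and `factor` times the app's median hourly volume.

    The median is robust to the outlier hour itself, so the attack hour does
    not drag the baseline up. Returns a sorted list of (app, hour_iso, rows).
    """
    totals = hourly_totals(events)
    per_app = defaultdict(list)
    for (app, _hour), rows in totals.items():
        per_app[app].append(rows)
    flagged = []
    for (app, hour), rows in totals.items():
        baseline = median(per_app[app])
        if rows >= floor and rows > factor * baseline:
            flagged.append((app, hour.isoformat(), rows))
    return sorted(flagged)


def grants_to_revoke(events, flagged):
    """Map flagged apps back to the (app, user) OAuth grants that produced the
    traffic, i.e. the tokens an admin would revoke while investigating."""
    apps = {app for app, _hour, _rows in flagged}
    return sorted({(e["app"], e["user"]) for e in events if e["app"] in apps})


if __name__ == "__main__":
    hits = flag_bulk_export(SAMPLE_EVENTS)
    for app, hour, rows in hits:
        print(f"ALERT {app} pulled {rows} rows in hour {hour}")
    for app, user in grants_to_revoke(SAMPLE_EVENTS, hits):
        print(f"revoke OAuth grant: app={app} user={user}")
```

The thresholds are deliberately two-sided: the absolute floor keeps a low-volume app from alerting on trivial changes, and the multiple of the median catches the jump from hundreds of rows an hour to hundreds of thousands. In a real deployment the records would come from Salesforce's API event logs and the baseline from weeks of history rather than a handful of hours.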
Supply Chain Attack Details
Salesforce suspended the Klue integration on June 17, and its status page indicates the feature remains disabled. A separate integration managed by Gong was also deactivated. The affected organizations include AlertMedia, Blackbaud (access restricted), Camunda, Cresta, Deel, Lucanet, Link11, and Tines.
Scope of the Breach
Klue serves hundreds of clients, and the potential scope of the breach may extend beyond the confirmed victims. However, no additional reports of the incident have been publicly disclosed. Some customers, such as Autodesk, may not utilize the Salesforce integration with Klue and thus were unaffected.
Threat Actor and Ransom Demands
The attack was attributed to a threat actor known as Icarus, which listed Klue and several of its clients on a Tor-hosted leak site. The group threatened to release the stolen data (primarily business contact and support information) unless a ransom was paid. Klue acknowledged the breach on Monday, stating it was investigating the incident, but has not released detailed findings.
Meanwhile, the company informed customers that it had engaged with the threat actor, which reportedly began removing the stolen data, according to TechCrunch. Icarus’s leak site has been inaccessible for the past few days, potentially due to ongoing negotiations with Klue, raising speculation that the company may have met the ransom demands.
Compromised Data and New Threats
Additionally, Klue reportedly informed customers that Icarus itself was compromised, and the stolen data is now held by a different threat actor conducting an independent extortion campaign. The incident is alleged to impact 195 Klue customers, though the second group is said to have obtained only sample data from Icarus.
Related Incidents and Other News
SecurityWeek contacted Klue for a statement and will update this report if a response is received. Related incidents include a data breach at a Canadian electricity provider, a breach at Xsolis affecting 1.4 million individuals, and a breach at Texas Parks & Wildlife impacting 3 million people. Kodak admitted to a data breach following claims by the ShinyHunters group.
Funding and Technical Updates
Funding updates include Runlayer’s $30 million Series A raise and Nebulock’s $25 million investment for AI-driven security solutions. Technical vulnerabilities and threats remain prominent, with patches released for GitLab code execution and information disclosure flaws, a 25-year-old Curl vulnerability, and critical Ubiquiti flaws.
New Threats and Vulnerabilities
New ransomware families are leveraging a malware variant known as Mistic RAT, while exploitable CI/CD vulnerabilities continue to expose repositories to hijacking. Recent developments also highlight a flaw in Amazon Q enabling cloud credential theft via malicious repositories.
Additional Coverage and Industry Trends
Additional coverage includes a Chinese AI-related incident, a Tata Electronics breach, and Snyk layoffs. The Linux Foundation launched a new open source security project called Akrites, while a $3 million theft was reported in a Polymarket hack. Russian APT groups deployed the StockStay backdoor against Ukrainian targets, and a PTC Windchill vulnerability was exploited in the wild.
Emerging Security Challenges
New enterprise security challenges emerged with the release of the MCP specification, and AI-driven development practices were analyzed for governance needs. SecurityWeek’s Daily Briefing Newsletter offers insights into emerging threats and expert perspectives.
