The attackers used the stolen OAuth tokens to access Salesforce data belonging to hundreds of Klue's enterprise customers. The following organizations have publicly confirmed or been named as victims:
Huntress published a detailed post calling the incident a "security domino effect," noting that Icarus later listed Huntress data on its leak site.
The attack chain was direct and exploited a common SaaS security blind spot: forgotten credentials. Klue had created an OAuth credential for a prototype integration that was never deployed and never removed from active systems. On June 11, the Icarus group found that credential, authenticated to Klue's backend, and pushed malicious code to Klue's integration layer. That code collected every OAuth token Klue held for customer integrations—Salesforce, HubSpot, Gong, SharePoint, Zoom, and more. With those tokens, the attackers directly queried Salesforce environments without needing any other credentials.
The attackers did not quietly siphon data. Security firm ReliaQuest observed the activity and reported that the attacker fired nearly 1,000 API queries in a single 15-minute burst and maintained sustained extraction windows exceeding six hours. The total exfiltration ran for approximately 24 hours. The attackers queried Salesforce REST API endpoints such as /services/data/v59.0/query/*, using automated Python scripts to bulk-extract records. The stolen data was limited to CRM and sales information, not internal systems or credentials of the affected organizations.
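The two signals ReliaQuest describes above, a short burst of API queries and a multi-hour sustained extraction window, are both simple to check for in API activity logs once queries are grouped by the connected app that issued them. The script below is an added example written for this article, not tooling from Klue, ReliaQuest or Salesforce. It assumes a simplified CSV log with `timestamp`, `app` and `uri` columns (an assumption, not the exact Salesforce EventLogFile schema) and constructs its own sample data: one integration that behaves normally and one that packs 950 queries into 15 minutes and then keeps querying for seven hours.

```python
"""Flag burst and sustained bulk-extraction patterns per connected app in API query logs."""
from __future__ import annotations

import csv
import io
from collections import defaultdict, deque
from datetime import datetime, timedelta

QUERY_PREFIX = "/services/data/"  # Salesforce REST data API root seen in the incident


def build_sample_log() -> str:
    """Constructed sample log (assumed column names, not a real Salesforce export)."""
    start = datetime(2026, 6, 11, 2, 0, 0)
    rows = ["timestamp,app,uri"]
    # Baseline: a legitimate integration issuing one query every 30 minutes for 24 hours.
    for i in range(48):
        ts = start + timedelta(minutes=30 * i)
        rows.append(f"{ts.isoformat()},legit-sync-app,/services/data/v59.0/query/")
    # Suspect integration: 950 queries inside ~14 minutes (burst), then one query per
    # minute for seven more hours (sustained extraction). Names are hypothetical.
    for i in range(950):
        ts = start + timedelta(seconds=(i * 9) // 10)
        rows.append(f"{ts.isoformat()},suspect-integration-app,/services/data/v59.0/query/")
    for i in range(7 * 60):
        ts = start + timedelta(minutes=15 + i)
        rows.append(f"{ts.isoformat()},suspect-integration-app,/services/data/v59.0/query/")
    return "\n".join(rows) + "\n"


def parse_log(text: str) -> dict[str, list[datetime]]:
    """Group data-API query timestamps by connected app, sorted ascending."""
    by_app: dict[str, list[datetime]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(text)):
        if row["uri"].startswith(QUERY_PREFIX) and "/query" in row["uri"]:
            by_app[row["app"]].append(datetime.fromisoformat(row["timestamp"]))
    for stamps in by_app.values():
        stamps.sort()
    return dict(by_app)


def peak_rate(stamps: list[datetime], window: timedelta = timedelta(minutes=15)) -> int:
    """Largest number of queries that fall inside any sliding window of `window` length."""
    recent: deque[datetime] = deque()
    peak = 0
    for ts in stamps:
        recent.append(ts)
        while ts - recent[0] > window:  # drop events that fell out of the window
            recent.popleft()
        peak = max(peak, len(recent))
    return peak


def sessions(stamps: list[datetime], max_gap: timedelta = timedelta(minutes=5)) -> list[tuple[datetime, datetime]]:
    """Split a sorted timestamp list into activity sessions; a pause longer than max_gap ends one."""
    if not stamps:
        return []
    out = []
    start = prev = stamps[0]
    for ts in stamps[1:]:
        if ts - prev > max_gap:
            out.append((start, prev))
            start = ts
        prev = ts
    out.append((start, prev))
    return out


def sustained(stamps: list[datetime], min_duration: timedelta = timedelta(hours=6)) -> list[timedelta]:
    """Durations of sessions that ran at least min_duration without a significant pause."""
    return [end - start for start, end in sessions(stamps) if end - start >= min_duration]


def assess(text: str, burst_threshold: int = 500) -> dict[str, dict]:
    """Return findings for every app that shows a burst or a sustained extraction window."""
    findings = {}
    for app, stamps in parse_log(text).items():
        peak = peak_rate(stamps)
        long_sessions = sustained(stamps)
        if peak >= burst_threshold or long_sessions:
            findings[app] = {
                "peak_15min": peak,
                "sustained_hours": [round(d.total_seconds() / 3600, 2) for d in long_sessions],
            }
    return findings


if __name__ == "__main__":
    for app, info in assess(build_sample_log()).items():
        print(f"{app}: {info}")
```

The burst threshold and session gap are deliberately parameters: a legitimate sync job may issue a few hundred queries in a nightly run, so the useful baseline is the app's own history rather than a fixed number. Grouping by connected app (rather than by user) is what matters here, because in this incident every query arrived under a trusted integration's identity.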
A newly tracked criminal group calling itself Icarus claimed responsibility. The group has been active since roughly April 2026 and began listing victims on its leak site in late June. Icarus contacted victims via email using the alias "mr bean" (lowercase), demanding payment in exchange for not publishing stolen Salesforce data. On June 22, Icarus began posting stolen data from Huntress and other victims on its dedicated data-leak website. The group is the first known to use this specific Klue-OAuth-to-Salesforce pipeline, marking a shift from the earlier ShinyHunters-led attacks on similar third-party Salesforce integrations. Huntress confirmed that the data Icarus posted matched the scope of what had already been reported and that the files for Huntress were limited in nature.
This breach is not an isolated incident. It is the third major Salesforce OAuth supply-chain breach in less than a year, following attacks on Drift (Salesloft) and Gainsight. The pattern is consistent: attackers target the integration hub, steal OAuth tokens, and use them to access CRM environments without triggering alarms because the queries come from a trusted third-party app. The Klue breach also underscores the danger of orphaned credentials in SaaS environments—a credential created for a prototype and never decommissioned became the single point of failure for hundreds of enterprise Salesforce orgs.