HelpnetSecurity

Klue breach leads to Salesforce data theft, Huntress affected


Cybersecurity vendor Huntress was among multiple companies hit by a breach originating at Klue, a market intelligence platform used to integrate CRM and sales data across various business tools.

Huntress published a detailed account of the incident on June 18, framing it as a “security domino effect” that began with one compromised integration credential and cascaded into theft of customer data across several connected platforms, including Salesforce.

Attack timeline

According to Huntress’s writeup, the attackers first gained access to Klue’s backend infrastructure on June 11 using a long-dormant API credential originally created for an abandoned third-party integration prototype.

From there, they pushed a malicious code update designed to harvest OAuth tokens that Klue’s customers used to connect the platform to services including Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

Those stolen tokens were then used to query customer CRM systems directly and exfiltrate data.

“Klue staff disabled the remote access and removed the token-theft code from their servers, and issued a general alert to customers on June 13, which did not indicate which customers were impacted,” Huntress stated.

“But on June 16, emails began to appear in the inboxes of some Huntress staff with the subject line ‘top secret email’ and a warning: ‘Your data has been downloaded…You have 48 hours to communicate with us.’”

[Image: Extortion email received by Huntress (Source: Huntress)]

Huntress is, so far, the only company that has publicly confirmed it was impacted.

It attributes the attack to the extortion group calling itself “Icarus,” active since late April 2026, based on matching Session Messenger IDs found both in the extortion emails and on the group’s dark-web leak site.

Huntress said the attackers made off with business contacts, price quotes, and other sales-related data and messaging, but not threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry. It also stressed that its products and infrastructure haven’t been affected.

The company has shared indicators of compromise and recommended other Klue customers review logs, request access records from affected vendors, and consider revoking active sessions tied to the compromised integrations.
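The log review Huntress recommends, as an added example that is not part of the original article and not Huntress's or Klue's own tooling: a small Python script over constructed, simplified CRM audit log lines (the field layout, app names and IP addresses are assumptions, not real data) that flags the pattern described above, a connected app's token suddenly used from a new source address to pull far more records than its established baseline.

```python
# Constructed sample of a simplified CRM API audit log (not a real Salesforce
# export). Fields: ISO timestamp, connected app, source IP, operation, object, rows.
SAMPLE_LOG = """\
2026-06-09T14:02:11Z klue_battlecards 203.0.113.10 query Account 120
2026-06-10T14:05:47Z klue_battlecards 203.0.113.10 query Opportunity 95
2026-06-10T15:00:00Z hubspot_sync 203.0.113.22 query Lead 250
2026-06-11T21:13:02Z klue_battlecards 198.51.100.77 query Contact 48000
2026-06-11T21:14:30Z klue_battlecards 198.51.100.77 query Quote 12500
2026-06-12T02:41:09Z klue_battlecards 198.51.100.77 query Opportunity 37000
2026-06-12T09:00:00Z hubspot_sync 203.0.113.22 query Lead 300
"""

def parse_log(text):
    """Parse whitespace-separated log lines into dicts; timestamps stay as
    ISO-8601 strings, which compare correctly in this fixed format."""
    events = []
    for line in text.splitlines():
        ts, app, ip, op, obj, rows = line.split()
        events.append({"ts": ts, "app": app, "ip": ip, "op": op,
                       "object": obj, "rows": int(rows)})
    return events

def baseline(events, app, cutoff):
    """Source IPs and largest single response seen for `app` before `cutoff`."""
    prior = [e for e in events if e["app"] == app and e["ts"] < cutoff]
    ips = {e["ip"] for e in prior}
    max_rows = max((e["rows"] for e in prior), default=0)
    return ips, max_rows

def find_anomalies(events, app, cutoff, row_factor=10):
    """Flag calls by `app` on or after `cutoff` that come from an IP not seen in
    the baseline, or that return more than row_factor x the largest prior response."""
    ips, max_rows = baseline(events, app, cutoff)
    flagged = []
    for e in events:
        if e["app"] != app or e["ts"] < cutoff:
            continue
        reasons = []
        if e["ip"] not in ips:
            reasons.append("new source IP")
        if e["rows"] > row_factor * max_rows:
            reasons.append("bulk read")
        if reasons:
            flagged.append((e["ts"], e["ip"], e["object"], e["rows"], reasons))
    return flagged

if __name__ == "__main__":
    # Cutoff is the date the article gives for the initial Klue compromise.
    for hit in find_anomalies(parse_log(SAMPLE_LOG), "klue_battlecards", "2026-06-11T00:00:00Z"):
        print(hit)
```

Flagged entries are candidates for the session revocation and vendor access-record requests the article mentions, not proof of theft on their own.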

Salesforce cuts off Klue app

On Wednesday, Salesforce announced it had “disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce”, after detecting unusual activity involving the app.

“As a result, organizations will not be able to connect to Salesforce via this app until further notice,” the company said.

On Thursday, Klue CEO Jason Smith said that since identifying unauthorized activity, they have revoked affected credentials and tokens, removed the unauthorized code pushed by the attackers, disabled potentially impacted integrations, and started an investigation.

Law enforcement has been notified, he confirmed, and affected customers have been contacted and provided with information that should help with their own incident response.

“Based on our investigation to date, the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted,” he added, and said that they are planning to further strengthen their security controls, credential management practices, monitoring capabilities, and deployment processes.

The breach is part of a broader pattern of attackers targeting trusted third-party integrations rather than Salesforce itself: throughout 2025, a string of OAuth-abuse campaigns has hit other Salesforce-connected SaaS integrations, namely Drift and Gainsight.
