
The following message was shared with Recorded Future customers and partners earlier today.
At Recorded Future, we’ve long believed that transparency and information sharing are among the most powerful tools in cybersecurity. They’re core to what we do — helping organizations understand threats so they can act on them. That same principle applies to us.
With that in mind, we are sharing details of a recent security incident involving Klue, a third-party marketing vendor we use, which impacted us and other organizations.
What Happened
This week, Recorded Future’s CSIRT was notified that Klue had identified unauthorized access to its environment that affected the integration layer used to connect Klue with other marketing and sales SaaS platforms. According to Klue, the unauthorized activity began on June 12, 2026, and was contained the same morning.
Our security team has since conducted its own investigation, correlating activity logs across Klue and any services that were integrated with Klue.
All available evidence suggests that Recorded Future was not specifically targeted and was instead an incidental victim by virtue of utilizing the compromised integration between Salesforce and Klue.
There is no evidence that Recorded Future’s proprietary systems, internal databases, or customer platform data have been accessed or compromised.
What We Found
On June 17, we confirmed that elements of Recorded Future’s Salesforce account were impacted via a compromised OAuth token associated with an integration between Salesforce and Klue.
While our investigation is ongoing, we believe the impact was limited to business data fields stored in our Salesforce database, such as client contact names and email addresses. Certain business contract information may also have been included in the impacted data. We continue to investigate the full scope of the exposure and will update this blog as we learn more.
What We Did
Upon confirming the scope of the incident, our incident response team:
- Locked down and revoked all associated OAuth tokens connected to the Klue integration
- Engaged Salesforce directly to obtain additional logs and support
- Launched a review of all integrated Salesforce third-party applications
- Correlated known malicious IP addresses identified by Klue against our own environment logs
- Continued active monitoring of our systems for any further anomalous activity
- Communicated with law enforcement to respond appropriately
What This Means
The incident was limited to the third-party integration layer between Salesforce and Klue — it did not touch Recorded Future’s core platform, Intelligence Graph, or any internal infrastructure.
There is no action required on the part of Recorded Future customers at this time, except for basic cyber-hygiene and continued vigilance for any phishing activity or spam.
Further, Recorded Future has published a Note to the Platform regarding this incident to allow customers to research their potential exposure to the Klue ecosystem.
Moving Forward
The security of your information is of paramount importance to Recorded Future. We will maintain our ongoing reviews of our SaaS security posture management and logging program, as well as third- and fourth-party access, to understand what improvements can be made to enhance our existing protections.
We will continue to investigate this incident, and we are committed to keeping you informed if any significant new information becomes available.
