Klue Breach Exposes Salesforce Data Across Cybersecurity Vendors as Icarus Claims Attack
A breach at Klue has turned a market intelligence platform into the latest pressure point in a widening wave of SaaS supply chain attacks, after hackers used a compromised legacy credential to access customer-connected cloud environments and steal data from some of the cybersecurity industry’s most recognizable names.
The Vancouver-based company, which provides competitive intelligence and market research tools, disclosed that attackers accessed its systems in June and obtained data from an undisclosed number of customers. The cybercrime group Icarus has claimed responsibility for the attack and threatened to leak the stolen information if a ransom is not paid.
The incident has already pulled in a growing list of affected companies, including Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, and Huntress. Several of those companies have said the stolen records primarily included business contact information, such as names, email addresses, phone numbers, job titles, and account-related details.
But the Klue breach is more than another vendor compromise. It is a case study in how attackers are increasingly targeting the connective tissue of enterprise software: OAuth tokens, SaaS integrations, legacy credentials, and third-party apps that sit between companies and their most valuable customer data.
According to Klue, the attackers gained access through a compromised legacy credential associated with an integration service. That access allowed them to obtain tokens used to connect Klue with customer environments, including Salesforce. Once inside those connected systems, the attackers were able to pull data from customer cloud applications.
Salesforce data has become an especially attractive target because many organizations use the platform as a central repository for customer, prospect, sales, and account records. In practice, breaching an integration tied to Salesforce can give hackers a shortcut into highly structured business data without having to break into each victim company directly.
Klue said it brought in CrowdStrike to support its investigation and disconnected integrations to prevent further access. The company has not publicly said how many customers were affected, how the credential was compromised, or whether it has received a ransom demand from Icarus.
Huntress, one of the cybersecurity companies affected, said in its own incident write-up that it received a ransom note through an Australian company’s email infrastructure, which may have been abused by the attackers. Huntress also said the Klue compromise involved backend systems tied to software integrations and that attackers were able to collect OAuth tokens used by Klue customers.
The breach follows a now-familiar pattern. Rather than attacking hundreds of companies individually, cybercriminals are compromising a vendor that already has trusted access into those companies’ data. Similar campaigns have targeted middleware, SaaS, and integration providers such as Salesloft and Gainsight, while earlier mass data theft incidents involving cloud platforms have shown how stolen credentials can become the fastest path into enterprise environments.
Refael Angel, CTO of Akeyless, said the Klue breach shows why long-lived credentials and non-human access have become a critical security problem.
"The Klue breach is a reminder that attackers increasingly don't target the organization they want to reach. They target a trusted vendor or integration that already has access. In this case, the issue wasn't a sophisticated exploit. It was a forgotten credential and long-lived tokens that remained valid long after they should have been retired. We're seeing the same pattern across supply-chain attacks. Once an attacker obtains a standing credential, the credential itself becomes the attack vector. That's why organizations need to focus on reducing standing access and eliminating long-lived credentials wherever possible. A credential that doesn't exist can't be stolen, and one that expires in minutes is far less useful to an attacker than one that remains active for months.
As SaaS applications, automated workflows, and AI agents proliferate, managing non-human identities is becoming one of cybersecurity's most important challenges."
The Klue incident also raises uncomfortable questions for security teams that rely on traditional third-party risk management programs. Many of the affected companies are themselves sophisticated cybersecurity vendors. That makes the breach harder to dismiss as a failure of basic diligence.
Justin Beals, CEO and founder of Strike Graph, an AI-native GRC and compliance automation platform, said the attack exposes a deeper weakness in how companies evaluate vendor risk.
"Cybersecurity vendors getting breached through a shared SaaS dependency is the clearest possible signal that the questionnaire model of third-party risk is broken. These are companies that build security for a living. They did their due diligence. It didn't matter, because due diligence in TPRM today is still mostly measuring what vendors say about themselves, not what their controls actually do. Traditional TPRM tools have true positive detection rates below 30%. That's not a risk management program. That's a paper trail. The Klue incident is going to keep expanding because the underlying failure, trusting attestations over verified evidence, is industry-wide. Until organizations move from point-in-time assessments to continuous, evidence-validated controls across their vendor ecosystem, the blast radius of the next shared dependency breach is going to be just as wide."
The timing is also notable. Klue said last year it planned to lay off roughly half its staff as it shifted more heavily toward artificial intelligence investments. There is no public evidence that the layoffs contributed to the breach, and the company has not said whether staffing changes affected its security posture. Klue’s executive leadership page does not currently list a named cybersecurity executive.
For customers, the immediate priority is containment. Organizations that integrated Klue with Salesforce or other cloud applications should review token activity, rotate credentials, inspect recent API calls, and look for unusual data exports. Security teams should also assess whether other SaaS integrations have standing access that is broader or longer-lived than necessary.
The larger lesson is that SaaS trust is now part of the attack surface. OAuth tokens, service accounts, API keys, and integration credentials often operate quietly in the background, sometimes for years. When those credentials are not regularly reviewed, scoped, rotated, or expired, they can become durable access paths for attackers.
The Klue breach shows how quickly that risk can cascade. A single compromised vendor credential can become a multi-company data breach. A single integration can become a path into Salesforce. And a single overlooked token can expose the limits of how enterprises currently manage the software supply chain they depend on every day.