BeyondTrust, LastPass Impacted by Klue-Salesforce Incident
A threat actor named Icarus exploited a compromised legacy credential to access Klue's systems and generate OAuth tokens, which were then used to breach connected Salesforce instances of Klue customers. Over a dozen organizations, including BeyondTrust and LastPass, confirmed data theft involving business contact and CRM data. The attackers accessed only data available through the Klue integration with Salesforce; no internal systems of the affected companies were compromised. Salesforce and Gong disabled the Klue integration in response. LastPass confirmed that customer vaults and internal infrastructure were not impacted. The incident is limited to data accessible via the Klue-Salesforce integration.
AI Analysis
Technical Summary
The Klue-Salesforce incident involved unauthorized access to multiple customers' Salesforce instances through a compromised legacy credential at Klue. The attacker, self-identified as Icarus, used this access to generate OAuth tokens and exfiltrate business contact and CRM data in bulk via automated scripts. The breach affected over a dozen organizations, including cybersecurity firms BeyondTrust and LastPass. The attack vector was limited to the Klue integration with Salesforce, with no evidence of compromise to internal systems or LastPass customer vaults. Salesforce and Gong responded by disabling the Klue integration. The threat actor publicly listed some victims on a Tor-based leak site before it went offline. The incident highlights risks associated with third-party integrations and legacy credential management.
Potential Impact
The impact is limited to unauthorized access and exfiltration of business contact information and CRM data from Salesforce instances integrated with Klue. No internal systems or core infrastructure of affected companies were compromised. LastPass customer vaults remain secure. The stolen data includes customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related information. The breach affects the confidentiality of business and customer relationship data but does not indicate compromise of sensitive internal systems or user credentials beyond the Klue integration.
Mitigation Recommendations
Salesforce and Gong have disabled the Klue integration to prevent further unauthorized access. Affected organizations, including LastPass, have discontinued Klue access, rotated exposed OAuth tokens, notified law enforcement, and initiated investigations with Klue and Salesforce. There is no indication that internal systems require remediation. Organizations using Klue integrations should verify token rotations and monitor for unauthorized access. Patch status is not applicable as this is an incident involving compromised credentials and third-party integration abuse rather than a software vulnerability. Check vendor advisories for updates on remediation and mitigation.
BeyondTrust, LastPass Impacted by Klue-Salesforce Incident
Description
A threat actor named Icarus exploited a compromised legacy credential to access Klue's systems and generate OAuth tokens, which were then used to breach connected Salesforce instances of Klue customers. Over a dozen organizations, including BeyondTrust and LastPass, confirmed data theft involving business contact and CRM data. The attackers accessed only data available through the Klue integration with Salesforce; no internal systems of the affected companies were compromised. Salesforce and Gong disabled the Klue integration in response. LastPass confirmed that customer vaults and internal infrastructure were not impacted. The incident is limited to data accessible via the Klue-Salesforce integration.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The Klue-Salesforce incident involved unauthorized access to multiple customers' Salesforce instances through a compromised legacy credential at Klue. The attacker, self-identified as Icarus, used this access to generate OAuth tokens and exfiltrate business contact and CRM data in bulk via automated scripts. The breach affected over a dozen organizations, including cybersecurity firms BeyondTrust and LastPass. The attack vector was limited to the Klue integration with Salesforce, with no evidence of compromise to internal systems or LastPass customer vaults. Salesforce and Gong responded by disabling the Klue integration. The threat actor publicly listed some victims on a Tor-based leak site before it went offline. The incident highlights risks associated with third-party integrations and legacy credential management.
Potential Impact
The impact is limited to unauthorized access and exfiltration of business contact information and CRM data from Salesforce instances integrated with Klue. No internal systems or core infrastructure of affected companies were compromised. LastPass customer vaults remain secure. The stolen data includes customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related information. The breach affects the confidentiality of business and customer relationship data but does not indicate compromise of sensitive internal systems or user credentials beyond the Klue integration.
Mitigation Recommendations
Salesforce and Gong have disabled the Klue integration to prevent further unauthorized access. Affected organizations, including LastPass, have discontinued Klue access, rotated exposed OAuth tokens, notified law enforcement, and initiated investigations with Klue and Salesforce. There is no indication that internal systems require remediation. Organizations using Klue integrations should verify token rotations and monitor for unauthorized access. Patch status is not applicable as this is an incident involving compromised credentials and third-party integration abuse rather than a software vulnerability. Check vendor advisories for updates on remediation and mitigation.
Technical Details
- Article Source
- {"url":"https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/","fetched":true,"fetchedAt":"2026-06-24T10:09:16.207Z","wordCount":1103}
Threat ID: 6a3baccceed863c81ea96f72
Added to database: 06/24/2026, 10:09:16 UTC
Last enriched: 06/24/2026, 10:09:34 UTC
Last updated: 06/24/2026, 14:08:22 UTC
Views: 23
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
External Links
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.