On June 12, 2026, Klue identified unauthorized activity involving a compromised legacy credential linked to an integration service. Attackers used this access to steal OAuth tokens that connect Klue to third-party platforms such as Salesforce. Using these tokens, attackers accessed and exfiltrated data from multiple customer Salesforce environments. The breach was limited to third-party integrations; Klue's own platform data was not impacted. The Icarus extortion group publicly claimed responsibility and has used the stolen data to pressure victims. Klue responded by revoking credentials, removing unauthorized code, disabling integrations, and involving CrowdStrike and law enforcement. Cybersecurity firms Huntress and ReliaQuest confirmed the attackers used Python scripts to query Salesforce APIs over extended periods to steal data.

The breach resulted in unauthorized access to and theft of data from multiple customer Salesforce environments connected via Klue integrations. Stolen data includes business contacts, sales communications, pricing information, and other sensitive records. There is no evidence that Klue's own platform data or internal systems were compromised. The stolen data may be used in phishing, social engineering, and extortion campaigns against affected organizations and their contacts.

Klue has revoked the compromised credentials and OAuth tokens, removed unauthorized code, and disabled affected integrations. The company engaged cybersecurity experts (CrowdStrike) and law enforcement to investigate and respond. Affected organizations should follow Klue's guidance and monitor for phishing or extortion attempts using stolen data. Since the incident involves compromised legacy credentials, organizations should review and rotate integration credentials and tokens. Patch status is not applicable as this is a breach involving credential compromise rather than a software vulnerability.