More Klue Breach Victims Identified as Hackers Get Hacked
Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact. The post More Klue Breach Victims Identified as Hackers Get Hacked appeared first on SecurityWeek.
AI Analysis
Technical Summary
Between June 11 and 12, 2026, attackers exploited compromised legacy credentials to access Klue, a market intelligence platform, and obtained OAuth tokens for customers' Klue-Salesforce integrations. This allowed bulk data exfiltration affecting approximately 195 Klue customers, including notable companies such as AlertMedia, Blackbaud, and Deel. Salesforce disabled the Klue integration on June 17, and it remains disabled. The threat actor Icarus claimed responsibility and posted stolen data on a Tor-based leak site, demanding ransom. Klue engaged with Icarus, who began deleting stolen data; Icarus was later hacked by another threat actor, who initiated a separate extortion campaign using sample data. The incident highlights risks in third-party integrations and supply chain attacks but lacks public disclosure of technical remediation details.
Potential Impact
The breach resulted in unauthorized access to business contact and support data of Klue customers via compromised OAuth tokens. The incident affected multiple organizations using Klue's Salesforce integration, potentially exposing sensitive business information. The attack led to disruption of Klue-Salesforce integrations, which remain disabled, impacting normal operations. Secondary extortion campaigns emerged after the initial threat actor was hacked, increasing risk of further data exposure or ransom demands. No evidence of exploitation beyond data exfiltration has been publicly reported.
Mitigation Recommendations
The Salesforce integration and other affected integrations have been disabled by the vendors to prevent further unauthorized access. Klue is investigating the incident and has communicated privately with customers. There is no public information on patches or fixes, so patch status is not yet confirmed; check vendor advisories for updates. Organizations using Klue integrations should monitor vendor communications and avoid re-enabling affected integrations until official guidance is provided. No specific mitigation steps beyond disabling integrations and investigation have been disclosed.
Technical Details
- Article source: https://www.securityweek.com/more-klue-breach-victims-identified-as-hackers-get-hacked/ (fetched 2026-06-26T15:06:45.504Z, word count 1036)
Threat ID: 6a3e95856e08203f7da54d74
Added to database: 06/26/2026, 15:06:45 UTC
Last enriched: 06/26/2026, 15:06:54 UTC
Last updated: 06/26/2026, 17:43:44 UTC