Klue, a Vancouver-based market-intelligence and competitive-enablement SaaS platform, disclosed on June 19, 2026 that attackers stole data from an undisclosed number of its customers during a cyberattack carried out between June 11 and June 12, 2026. The intrusion hit Klue’s Salesforce integration, and a cybercrime group calling itself Icarus has claimed responsibility, listing the company on its leak site and threatening to publish the stolen data unless it is paid. The story did not stay contained to Klue. Within days, downstream victims started surfacing, and LastPass confirmed that its own sales data had been exposed because it used Klue internally.
This is a textbook third-party extortion incident, and it lands squarely inside the broader wave of Salesforce-integration breaches that has dominated enterprise security headlines for the better part of a year.
What Happened
Klue’s platform helps revenue and product teams track competitors, and to do that it plugs directly into the CRM systems where customer and deal data lives. The most consequential of those connections is Salesforce. According to disclosures and reporting, Icarus obtained access to Klue’s environment and abused the trust relationship between Klue and the Salesforce instances it was authorized to read. Rather than breaking into each customer’s Salesforce tenant one at a time, the attackers leveraged Klue’s integration to reach connected environments and exfiltrate data in bulk using automated scripts.
The mechanism at the center of the incident is OAuth token theft. Klue, like most modern SaaS connectors, holds OAuth tokens that grant it standing access to customer Salesforce orgs. Steal those tokens, and you inherit Klue’s permissions without ever touching a password or triggering a login prompt. That is precisely the kind of access Icarus is alleged to have used to pull customer records out of connected Salesforce environments.
In response, Salesforce disabled the Klue integration, and Gong reportedly did the same on its side. Multiple affected organizations have since revoked their own Klue connections.
The Blast Radius: When the Victims Are Security Firms
The detail that made this breach notable is who got hit. Klue’s customer base skews toward sophisticated B2B vendors, and a striking number of them are cybersecurity companies. As investigators worked through the victim list, more than a dozen organizations were identified, and the roster included names that are normally on the defending side of these stories.
LastPass confirmed on June 23 that the Icarus group accessed its Salesforce CRM environment by way of stolen Klue OAuth tokens. The exposed data included customer names, phone numbers, email addresses, physical addresses, and the contents of support cases. Critically, LastPass stated that encrypted password vaults and master passwords were not affected. This was a sales and support CRM exposure, not a vault compromise. That distinction matters enormously given LastPass’s history, but it does not erase the reality that customer contact data and support correspondence are now in the hands of an extortion crew.
LastPass was not alone. Other security and intelligence vendors were named among the downstream victims, and several confirmed that attackers accessed certain customer data before they revoked their Klue integrations. The pattern is consistent: each was breached not through its own perimeter, but through a shared dependency on a single market-intelligence vendor.
There is a grim irony in watching threat-intelligence and identity-security companies show up as collateral damage in someone else’s breach. It is also a clean illustration of the core lesson: your security posture is only as strong as the least-hardened vendor you have handed CRM access to.
Why Market-Intelligence Vendors Are a High-Value Target
Competitive-enablement and market-intelligence platforms occupy a uniquely dangerous position in the SaaS supply chain. To do their job, they ingest sales and CRM data across a wide swath of enterprises. A single market-intel vendor may hold standing read access to the Salesforce orgs of hundreds of customers, each containing deal pipelines, customer contacts, and support histories.
That concentration is the prize. An attacker who compromises one such vendor does not get one company’s data. They get a slice of every customer that vendor serves. The economics of extortion reward exactly this kind of fan-out, which is why third-party SaaS connectors have become the preferred path into well-defended enterprises. The Klue incident is a near-perfect example of the multiplier effect that comes from breaching a hub instead of a spoke.
This is the same structural risk we covered when ShinyHunters struck through a third-party Salesforce attack affecting roughly 200 companies. The Klue breach reads like another chapter in that same playbook.
The Salesforce-Integration Breach Wave
Icarus may be a new name on the leak-site circuit, but the tactics are familiar. Over the past year, the dominant enterprise breach story has been the systematic targeting of Salesforce environments through connected apps and social engineering. The ShinyHunters Salesforce enterprise campaign demonstrated how effective it is to attack the integration layer and the people who manage it, rather than Salesforce’s core platform itself. We have watched the same approach claim victim after victim, including the recent Charter/Spectrum vishing-driven Salesforce breach.
Whether Icarus is a rebrand, an offshoot, or an entirely independent crew, it is operating in a proven niche. The connected-app threat model is now well understood by attackers: find a SaaS vendor with broad OAuth scopes into customer CRMs, compromise it, and harvest at scale. Salesforce’s decision to cut the Klue integration is a containment measure, not a cure, because the underlying pattern keeps re-emerging through different vendors.
What Defenders Should Do Now
For organizations that used Klue, the immediate steps are straightforward and urgent. Revoke and rotate any OAuth tokens and API credentials associated with the integration. Audit Salesforce connected-app permissions and pull access logs for the June 11-12 window, looking for bulk export activity and unfamiliar API clients. Assume that any data the integration could read may have been taken.
The broader lesson is about governance. Treat every SaaS connector with CRM access as a privileged identity. Apply least-privilege scopes instead of granting blanket read access, set short token lifetimes, monitor for anomalous bulk reads, and maintain an inventory of which third parties can reach your customer data and what they can do with it. Vendor questionnaires are not enough when a single compromised connector can expose your entire customer base.
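The log review and bulk-read monitoring described in the two paragraphs above can be sketched as follows. This is an added example, not code from Klue, Salesforce or any affected vendor; the CSV column names, client names, inventory and threshold are assumptions, and the log lines are constructed.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: a normalized export of API access records.
# Column names are assumptions for this example, not a vendor schema.
SAMPLE_LOG = """timestamp,client_name,user_id,source_ip,object,rows_returned
2026-06-10T23:50:00Z,crm-sync,u-integration,198.51.100.10,Account,200
2026-06-11T02:14:09Z,market-intel-connector,u-integration,203.0.113.7,Contact,48000
2026-06-11T02:15:41Z,market-intel-connector,u-integration,203.0.113.7,Case,61000
2026-06-11T09:30:00Z,crm-sync,u-integration,198.51.100.10,Account,350
2026-06-12T03:02:17Z,python-script,u-integration,203.0.113.7,Contact,52000
2026-06-12T14:00:00Z,crm-sync,u-integration,198.51.100.10,Opportunity,120
2026-06-13T01:00:00Z,python-script,u-integration,203.0.113.7,Contact,9000
"""

WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 13, tzinfo=timezone.utc)  # exclusive upper bound
KNOWN_CLIENTS = {"crm-sync", "market-intel-connector"}  # hypothetical inventory
BULK_ROW_THRESHOLD = 10_000  # hypothetical; tune to the org's own baseline


def triage(log_text, known=KNOWN_CLIENTS, threshold=BULK_ROW_THRESHOLD):
    """Return per-(client, source_ip) findings inside the incident window."""
    totals = defaultdict(lambda: {"rows": 0, "objects": set()})
    for rec in csv.DictReader(io.StringIO(log_text)):
        ts = datetime.fromisoformat(rec["timestamp"].replace("Z", "+00:00"))
        if not (WINDOW_START <= ts < WINDOW_END):
            continue
        entry = totals[(rec["client_name"], rec["source_ip"])]
        entry["rows"] += int(rec["rows_returned"])
        entry["objects"].add(rec["object"])
    findings = []
    for (client, ip), agg in sorted(totals.items()):
        reasons = []
        if agg["rows"] >= threshold:
            reasons.append("bulk_read")  # volume check catches a known client too
        if client not in known:
            reasons.append("unfamiliar_client")
        if reasons:
            findings.append({"client": client, "source_ip": ip, "rows": agg["rows"],
                             "objects": sorted(agg["objects"]), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A stolen token presents the connector's own client name, so the inventory check alone passes it; the volume check is what surfaces the known connector in this sample.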
For affected customers downstream, the practical risk is targeted phishing. Names, emails, phone numbers, and support-case details are exactly the raw material attackers use to craft convincing pretexts, and the LastPass exposure in particular is likely to fuel credential-themed lures. Anyone whose data sat in an affected Salesforce org should treat unexpected support or security-themed outreach with suspicion in the coming weeks.
The Bottom Line
The Klue breach is the story of a small vendor with an outsized blast radius. Icarus did not need to defeat Salesforce, LastPass, or any of the other named security firms head-on. It needed to compromise the one market-intelligence platform they all trusted with CRM access. That is the entire supply-chain thesis in a single incident, and it is why the integration layer remains the softest target in the enterprise stack.



