What's Happening?
Between June 11 and June 24, 2026, Klue, a market intelligence SaaS provider, experienced a significant supply chain breach. The breach involved the compromise of OAuth tokens and the exfiltration of data from nearly 200 organizations, including major cybersecurity vendors. The attackers exploited a legacy credential within Klue's integration infrastructure, which allowed them to harvest OAuth tokens and access the Salesforce environments connected through those integrations. The threat actor, identified as Icarus, exfiltrated business contact and sales data and attempted extortion via a Tor-based leak site. A secondary unauthorized party later accessed the same stolen data and launched a separate extortion campaign. No evidence was found that customer-facing products or sensitive engineering data were compromised, and no passwords or payment card data were affected.
Why Is It Important?
This breach underscores the vulnerabilities inherent in third-party SaaS integrations and highlights the evolving tactics of modern threat actors. The incident primarily impacted cybersecurity vendors, insurance providers, and other SaaS customers, with the attackers targeting business contact information and sales data. It demonstrates the risk posed by legacy credentials and the potential for OAuth token abuse, both of which can lead to large-scale data theft and extortion. Organizations that rely on such integrations should reassess their security controls, maintain robust cybersecurity practices, and continuously monitor third-party integrations to protect sensitive data.
What's Next?
Organizations affected by the breach are advised to keep their Klue integrations disabled until official guidance and remediation steps are provided. They should monitor communications from Klue and other affected vendors for updates on remediation and engage with incident response teams to assess potential exposure. Additionally, organizations should be vigilant for phishing campaigns leveraging exfiltrated data and educate staff to recognize suspicious emails. Legal counsel and law enforcement coordination may be necessary if extortion communications are received. Monitoring threat intelligence sources for updates on the breach and newly identified indicators of compromise is also recommended.