Protos Labs Threat Intelligence
.png)
The evidence supports a High-severity SaaS trust-chain compromise: Klue's integration environment was accessed through a compromised legacy credential / previously compromised GitHub PAT associated with the integration environment, attackers harvested OAuth tokens, and those tokens were then used to reach downstream Salesforce- and Gong-connected environments and extract CRM/business data C2 C3 C4.
Klue's July 1 public communications extend the record beyond the original June reporting window: the company said the unauthorized code insertion occurred on June 11, and its CrowdStrike-backed summary says there was no evidence of threat actor activity after June 12 inside Klue's environment C21.
SecurityWeek's late-June reporting adds a carefully scoped development: roughly two dozen Klue customers had publicly confirmed compromised Salesforce instances by the time of publication, Salesforce disabled the Klue integration on June 17, Gong also disabled the integration, and Klue privately told customers it had been in contact with the threat actor. SecurityWeek further reported that Klue said stolen data had started being deleted and that the Icarus-related material may have moved into the hands of another actor running its own extortion campaign; this is a reported claim, not independently verified here C9 C10 C11 C12 C13 C14 C15 C16 C23.
Key recommended actions are to revoke dormant integration trust, rotate tokens and secrets, quarantine suspicious connected apps, and alert impacted users to phishing and social-engineering follow-on risk C16 C17 C18 C19.
1. Upstream trust abuse, not a platform flaw HIGH CONFIDENCE
The compromise originated from a stale legacy credential tied to a prototype integration, and the collected evidence does not support a Salesforce core vulnerability narrative C2.
2. OAuth token theft was the operational bridge HIGH CONFIDENCE
Attackers used the initial foothold to harvest OAuth tokens and then replayed them against customer Salesforce environments, which is the critical bridge from vendor compromise to downstream data access C3 C4.
3. Victim impact was concentrated in CRM and support data HIGH CONFIDENCE
Confirmed victim disclosures consistently describe exposure of business contacts, sales or CRM records, and in some cases limited support-case information, while stating that core products and infrastructure were not affected C9 C10 C11 C12.
4. Icarus attribution is credible but not fully resolved MEDIUM CONFIDENCE
The campaign is credibly linked to the Icarus leak-site/extortion brand, but the collected evidence does not independently confirm the operator’s identity or whether the branding maps to any known prior cluster. Klue reportedly told customers that Icarus may itself have been compromised, yet the best-supported judgment is still plausible but unconfirmed and merits only Medium-Low Confidence C13 C15 C23.
| Level | Assessment | What drives it | Primary implication |
|---|---|---|---|
| High | Yes | Trusted integration compromise enabled downstream token replay and data extraction across multiple organizations. | Broad SaaS governance and token hygiene are urgent. |
| Medium | Yes | Victim scope beyond the best-documented companies is partly secondary-report based, so exact field-level exposure is incomplete for several named firms. | Some downstream impact detail still needs primary-source confirmation. |
The core risk is systemic: a single dormant integration identity can become a high-value pivot into many customer tenants. Because the stolen data is mostly business contact and CRM content, the likely downstream harm is targeted phishing, social engineering, and extortion pressure rather than direct technical disruption C19.
| Date | Event | Confidence | Key support |
|---|---|---|---|
| 2026-06-11 | Attackers used a compromised legacy credential / previously compromised GitHub PAT associated with Klue’s integration environment to insert unauthorized code into the integration service and begin token-harvesting activity. | High | Klue July 1 update and CrowdStrike summary. |
| 2026-06-12 | Klue identified unauthorized activity affecting integration infrastructure; CrowdStrike’s findings indicated no further threat actor activity inside Klue’s environment after this date. | High | Primary disclosure and CrowdStrike summary. |
| 2026-06-13 | Klue issued a general customer alert. | High | Reconstruction artifact. |
| 2026-06-16 | Extortion emails and leak-site pressure became visible. | High | Huntress reporting summarized in the timeline workstream. |
| 2026-06-17 | Salesforce disabled the Klue integration; Gong also disabled the integration after the incident. | High | Salesforce advisory, Gong statement, and SecurityWeek reporting. |
| 2026-06-18 | Public reporting linked the campaign to Icarus and disclosure converged. | High | Vendor statements and media reporting. |
| 2026-06-19 | Huntress confirmed Klue appeared on the Icarus leak site. | High | Timeline reconstruction. |
| 2026-06-22 | Icarus published stolen data on the leak site and the victim list continued to expand. | High | Huntress update and late-June reporting. |
| 2026-06-24 | SecurityWeek reported roughly two dozen Klue customers had publicly confirmed compromised Salesforce instances, alongside ongoing private disclosures. | High | SecurityWeek summary in reconstruction. |
| 2026-06-25 to 2026-06-30 | SecurityWeek reported Klue privately told customers that Icarus may itself have been compromised; this remains plausible but unconfirmed and should be treated as a reported claim, not a verified fact. | Medium-Low | SecurityWeek late-June report; reported claim only. |
| Stage | Observed behavior | Assessment |
|---|---|---|
| Initial access | Compromised legacy credential tied to a prototype integration. | Governance failure; not a platform flaw. |
| Execution | Malicious code update inserted into the integration flow. | Designed to collect OAuth tokens. |
| Collection | OAuth tokens harvested from the compromised integration path. | Critical bridge into customer SaaS. |
| Access / query | Tokens replayed against downstream Salesforce environments. | API-driven access to CRM records. |
| Exfiltration | Bulk extraction of CRM, business-contact, and limited support-case data. | Primary objective appears to be data theft and extortion. |
| Extortion | Leak-site postings and direct victim pressure followed. | Consistent with Icarus branding and monetization model. |
At a tactical level, the attack resembles an upstream SaaS supply-chain compromise: a privileged integration identity is abused, token material is captured, and downstream APIs are queried at scale. The evidence repeatedly frames the issue as a problem with the Klue app connection, not with Salesforce core services C2.
| Victim | Confirmed exposed data | Core systems impacted? | Confidence |
|---|---|---|---|
| LastPass | Customer names, phone numbers, email addresses, physical addresses, support case information. | No | High |
| Recorded Future | Business data fields in Salesforce; client contact names and emails; some business contract information. | No | High |
| Snyk | Business contact information; title and description of a limited subset of support cases. | No | High |
| Huntress | Business contacts, price quotes, sales-related messaging, names, work emails, job titles, phone numbers, business addresses, opportunity notes. | No | High |
| Other named victims | Tanium, Jamf, HackerOne, BeyondTrust, OneTrust, Sprout Social, and Insurity were reported, but field-level scope is incomplete in the collected set. | Varies | Medium to Low |
The repeated pattern is business-contact and CRM exposure, sometimes extending to support-case metadata. SecurityWeek's late-June reporting also raised the possibility that some downstream victim data may have circulated beyond the original Icarus operators if another extortion actor received the stolen material; that point remains a reported claim rather than a confirmed fact in this report. Even so, these fields are enough to craft convincing phishing, vendor impersonation, and payment-redirection attempts when product systems remain intact C20 C23.
This incident fits a broader pattern seen in prior Salesloft / Drift-style token-theft and trusted-integration abuse cases: an upstream SaaS or integration trust relationship is compromised, OAuth or session material is abused, and downstream customer tenants are queried through legitimate APIs rather than direct platform exploitation C22.
That matters because these campaigns often produce low-noise access that blends into normal automation. The operational lesson is to monitor and govern the trust chain itself, especially legacy integration identities, connected apps, token lifecycle, and unusual SaaS API patterns C18.
| Type | Value | Context | Confidence |
|---|---|---|---|
| IP | 138.226.246[.]94 | Reported suspicious infrastructure tied to the activity. | High |
| IP | 212.86.125[.]24 | Reported suspicious infrastructure tied to the activity. | High |
| IP | 213.111.148[.]90 | Reported suspicious infrastructure tied to the activity. | High |
| IP | 94.154.32[.]160 | Reported suspicious infrastructure tied to the activity. | High |
| User-Agent | Python-urllib/3.12 | Observed in Salesforce API query activity. | High |
| User-Agent | Python-urllib/3.14 | Observed in Salesforce API query activity. | High |
| User-Agent | 5238 | Dominant UA value in malicious Salesforce requests. | Medium |
| User-Agent | blank / empty | Observed in malicious Salesforce requests. | Medium |
| API path | /services/data/v59.0/sobjects | Salesforce object enumeration / reconnaissance. | High |
| API path | /services/data/v59.0/query | Salesforce data retrieval. | High |
| Phrase | top secret email | Extortion email subject line. | High |
| Phrase | Your data has been downloaded | Extortion message wording. | High |
| Alias | mr bean | Sender alias in extortion emails. | High |
| Messaging | Session Messenger ID | Extortion contact channel. | High |
Key insight: treat these as defensive observables unless local telemetry confirms malicious use in your environment.
| Technique | ATT&CK ID | Evidence support | Confidence |
|---|---|---|---|
| Valid Accounts | T1078 | Compromised legacy credential used for access. This is the best-fit label for the observed access path. | High |
| Steal or Forge Authentication Certificates or Tokens | T1649 | OAuth token theft / abuse. The evidence supports token capture and replay, although the exact token-handling step is inferred from reporting rather than directly observed on the page. | High |
| Cloud Service Discovery | T1526 | Salesforce object enumeration via /services/data/v59.0/sobjects. This is an evidence-based approximation for cloud-service enumeration. | High |
| Data from Information Repositories | T1213 | API-based retrieval via /services/data/v59.0/query. The observed querying aligns with repository collection from SaaS data stores. | High |
| External Remote Services | T1133 | Abuse of connected SaaS trust relationships. Applied here only as an approximate fit for the trusted integration pivot. | Medium |
| Exfiltration to Web Service | T1567.002 | SaaS API-driven retrieval of customer Salesforce data. The record supports web-service-based exfiltration of business data. | Medium |
The ATT&CK profile is narrow and evidence-based: access, token theft, cloud discovery, and API-based collection/exfiltration. Where the behavior is only approximate, the mapping is labeled accordingly so the table does not overstate certainty.
| Priority | Control area | Action | Why it matters |
|---|---|---|---|
| 1 | Credential lifecycle | Retire dormant, prototype, and legacy credentials; rotate connected-app secrets, refresh tokens, service-account passwords, and API keys. | Stops stale trust from becoming the initial access vector. |
| 2 | Integration governance | Inventory every SaaS connection, owner, scope, and business purpose; require admin approval and least privilege for sensitive apps. | Reduces the blast radius of third-party trust relationships. |
| 3 | Monitoring / detection | Alert on REST API enumeration, bulk /query bursts, pagination abuse, and automation user agents such as Python-based clients. | Identifies token abuse before large-scale exfiltration completes. |
| 4 | Platform hardening | Use short-lived access tokens, refresh-token rotation, IP restrictions, and single logout/session invalidation where supported. | Limits replay window and constrains where stolen tokens work. |
| 5 | Incident response | Coordinate rapid revocation of OAuth grants, refresh tokens, connected-app sessions, and affected service identities; temporarily quarantine suspicious integrations. | Minimizes dwell time once suspicious activity is detected. |
| 6 | Human-risk reduction | Issue anti-phishing and verification guidance whenever CRM or business-contact data may have been exposed. | Protects employees and customers from follow-on social engineering. |
The highest-value control is simple: treat non-human identities like privileged assets. If a prototype credential or connected-app grant can linger indefinitely, then one vendor compromise can cascade into many customer tenants C16 C17 C18.
Protos AI automates CTI investigations using agentic AI — from OSINT collection to structured analysis. Speak to our team to see it in action.