July 8, 2026

Klue / Icarus June 2026 Intrusion — Full Intelligence Report

Protos Labs Threat Intelligence

#Klue #Icarus #Salesforce #OAuth #SupplyChain #ThreatIntelligence #CyberSecurity #DataBreach

Klue / Icarus June 2026 Incident Threat Intelligence Report

TLP:CLEAR Analyst: Protos AI Threat Intelligence Date: 2026-07-02 Reporting Period: 2026-06-01 → 2026-06-30

Executive Summary

Overall Severity
High
Trusted SaaS integration abuse enabled downstream CRM data theft across multiple victims.
Confidence
High
The core intrusion chain is strongly supported; actor identity remains less certain.
Reporting Period
2026-06-01 → 2026-06-30
June 2026 intrusion, disclosure, and downstream victim expansion window.
Recommended Action
Revoke dormant integration trust
Immediate priority for SaaS-connected credentials, tokens, and service identities.

The evidence supports a High-severity SaaS trust-chain compromise: Klue's integration environment was accessed through a compromised legacy credential / previously compromised GitHub PAT associated with the integration environment, attackers harvested OAuth tokens, and those tokens were then used to reach downstream Salesforce- and Gong-connected environments and extract CRM/business data C2 C3 C4.

Klue's July 1 public communications extend the record beyond the original June reporting window: the company said the unauthorized code insertion occurred on June 11, and its CrowdStrike-backed summary says there was no evidence of threat actor activity after June 12 inside Klue's environment C21.

SecurityWeek's late-June reporting adds a carefully scoped development: roughly two dozen Klue customers had publicly confirmed compromised Salesforce instances by the time of publication, Salesforce disabled the Klue integration on June 17, Gong also disabled the integration, and Klue privately told customers it had been in contact with the threat actor. SecurityWeek further reported that Klue said stolen data had started being deleted and that the Icarus-related material may have moved into the hands of another actor running its own extortion campaign; this is a reported claim, not independently verified here C9 C10 C11 C12 C13 C14 C15 C16 C23.

Key recommended actions are to revoke dormant integration trust, rotate tokens and secrets, quarantine suspicious connected apps, and alert impacted users to phishing and social-engineering follow-on risk C16 C17 C18 C19.

Key Findings

1. Upstream trust abuse, not a platform flaw HIGH CONFIDENCE

The compromise originated from a stale legacy credential tied to a prototype integration, and the collected evidence does not support a Salesforce core vulnerability narrative C2.

2. OAuth token theft was the operational bridge HIGH CONFIDENCE

Attackers used the initial foothold to harvest OAuth tokens and then replayed them against customer Salesforce environments, which is the critical bridge from vendor compromise to downstream data access C3 C4.

3. Victim impact was concentrated in CRM and support data HIGH CONFIDENCE

Confirmed victim disclosures consistently describe exposure of business contacts, sales or CRM records, and in some cases limited support-case information, while stating that core products and infrastructure were not affected C9 C10 C11 C12.

4. Icarus attribution is credible but not fully resolved MEDIUM CONFIDENCE

The campaign is credibly linked to the Icarus leak-site/extortion brand, but the collected evidence does not independently confirm the operator’s identity or whether the branding maps to any known prior cluster. Klue reportedly told customers that Icarus may itself have been compromised, yet the best-supported judgment is still plausible but unconfirmed and merits only Medium-Low Confidence C13 C15 C23.

Risk Assessment

LevelAssessmentWhat drives itPrimary implication
HighYesTrusted integration compromise enabled downstream token replay and data extraction across multiple organizations.Broad SaaS governance and token hygiene are urgent.
MediumYesVictim scope beyond the best-documented companies is partly secondary-report based, so exact field-level exposure is incomplete for several named firms.Some downstream impact detail still needs primary-source confirmation.

The core risk is systemic: a single dormant integration identity can become a high-value pivot into many customer tenants. Because the stolen data is mostly business contact and CRM content, the likely downstream harm is targeted phishing, social engineering, and extortion pressure rather than direct technical disruption C19.

Timeline Reconstruction

DateEventConfidenceKey support
2026-06-11Attackers used a compromised legacy credential / previously compromised GitHub PAT associated with Klue’s integration environment to insert unauthorized code into the integration service and begin token-harvesting activity.HighKlue July 1 update and CrowdStrike summary.
2026-06-12Klue identified unauthorized activity affecting integration infrastructure; CrowdStrike’s findings indicated no further threat actor activity inside Klue’s environment after this date.HighPrimary disclosure and CrowdStrike summary.
2026-06-13Klue issued a general customer alert.HighReconstruction artifact.
2026-06-16Extortion emails and leak-site pressure became visible.HighHuntress reporting summarized in the timeline workstream.
2026-06-17Salesforce disabled the Klue integration; Gong also disabled the integration after the incident.HighSalesforce advisory, Gong statement, and SecurityWeek reporting.
2026-06-18Public reporting linked the campaign to Icarus and disclosure converged.HighVendor statements and media reporting.
2026-06-19Huntress confirmed Klue appeared on the Icarus leak site.HighTimeline reconstruction.
2026-06-22Icarus published stolen data on the leak site and the victim list continued to expand.HighHuntress update and late-June reporting.
2026-06-24SecurityWeek reported roughly two dozen Klue customers had publicly confirmed compromised Salesforce instances, alongside ongoing private disclosures.HighSecurityWeek summary in reconstruction.
2026-06-25 to 2026-06-30SecurityWeek reported Klue privately told customers that Icarus may itself have been compromised; this remains plausible but unconfirmed and should be treated as a reported claim, not a verified fact.Medium-LowSecurityWeek late-June report; reported claim only.

Intrusion Mechanics / Attack Chain

StageObserved behaviorAssessment
Initial accessCompromised legacy credential tied to a prototype integration.Governance failure; not a platform flaw.
ExecutionMalicious code update inserted into the integration flow.Designed to collect OAuth tokens.
CollectionOAuth tokens harvested from the compromised integration path.Critical bridge into customer SaaS.
Access / queryTokens replayed against downstream Salesforce environments.API-driven access to CRM records.
ExfiltrationBulk extraction of CRM, business-contact, and limited support-case data.Primary objective appears to be data theft and extortion.
ExtortionLeak-site postings and direct victim pressure followed.Consistent with Icarus branding and monetization model.

At a tactical level, the attack resembles an upstream SaaS supply-chain compromise: a privileged integration identity is abused, token material is captured, and downstream APIs are queried at scale. The evidence repeatedly frames the issue as a problem with the Klue app connection, not with Salesforce core services C2.

Compromised legacy credential
Klue integration infrastructure
Malicious code update
OAuth token harvest
Downstream Salesforce API access
CRM / support data extraction
Leak-site extortion

Victim Impact and Exposed Data

VictimConfirmed exposed dataCore systems impacted?Confidence
LastPassCustomer names, phone numbers, email addresses, physical addresses, support case information.NoHigh
Recorded FutureBusiness data fields in Salesforce; client contact names and emails; some business contract information.NoHigh
SnykBusiness contact information; title and description of a limited subset of support cases.NoHigh
HuntressBusiness contacts, price quotes, sales-related messaging, names, work emails, job titles, phone numbers, business addresses, opportunity notes.NoHigh
Other named victimsTanium, Jamf, HackerOne, BeyondTrust, OneTrust, Sprout Social, and Insurity were reported, but field-level scope is incomplete in the collected set.VariesMedium to Low

The repeated pattern is business-contact and CRM exposure, sometimes extending to support-case metadata. SecurityWeek's late-June reporting also raised the possibility that some downstream victim data may have circulated beyond the original Icarus operators if another extortion actor received the stolen material; that point remains a reported claim rather than a confirmed fact in this report. Even so, these fields are enough to craft convincing phishing, vendor impersonation, and payment-redirection attempts when product systems remain intact C20 C23.

Trend Framing: SaaS / OAuth Trust-Chain Abuse

This incident fits a broader pattern seen in prior Salesloft / Drift-style token-theft and trusted-integration abuse cases: an upstream SaaS or integration trust relationship is compromised, OAuth or session material is abused, and downstream customer tenants are queried through legitimate APIs rather than direct platform exploitation C22.

That matters because these campaigns often produce low-noise access that blends into normal automation. The operational lesson is to monitor and govern the trust chain itself, especially legacy integration identities, connected apps, token lifecycle, and unusual SaaS API patterns C18.

Publicly Reported Indicators / Defensive Observables

TypeValueContextConfidence
IP138.226.246[.]94Reported suspicious infrastructure tied to the activity.High
IP212.86.125[.]24Reported suspicious infrastructure tied to the activity.High
IP213.111.148[.]90Reported suspicious infrastructure tied to the activity.High
IP94.154.32[.]160Reported suspicious infrastructure tied to the activity.High
User-AgentPython-urllib/3.12Observed in Salesforce API query activity.High
User-AgentPython-urllib/3.14Observed in Salesforce API query activity.High
User-Agent5238Dominant UA value in malicious Salesforce requests.Medium
User-Agentblank / emptyObserved in malicious Salesforce requests.Medium
API path/services/data/v59.0/sobjectsSalesforce object enumeration / reconnaissance.High
API path/services/data/v59.0/querySalesforce data retrieval.High
Phrasetop secret emailExtortion email subject line.High
PhraseYour data has been downloadedExtortion message wording.High
Aliasmr beanSender alias in extortion emails.High
MessagingSession Messenger IDExtortion contact channel.High

Key insight: treat these as defensive observables unless local telemetry confirms malicious use in your environment.

MITRE ATT&CK Mapping

TechniqueATT&CK IDEvidence supportConfidence
Valid AccountsT1078Compromised legacy credential used for access. This is the best-fit label for the observed access path.High
Steal or Forge Authentication Certificates or TokensT1649OAuth token theft / abuse. The evidence supports token capture and replay, although the exact token-handling step is inferred from reporting rather than directly observed on the page.High
Cloud Service DiscoveryT1526Salesforce object enumeration via /services/data/v59.0/sobjects. This is an evidence-based approximation for cloud-service enumeration.High
Data from Information RepositoriesT1213API-based retrieval via /services/data/v59.0/query. The observed querying aligns with repository collection from SaaS data stores.High
External Remote ServicesT1133Abuse of connected SaaS trust relationships. Applied here only as an approximate fit for the trusted integration pivot.Medium
Exfiltration to Web ServiceT1567.002SaaS API-driven retrieval of customer Salesforce data. The record supports web-service-based exfiltration of business data.Medium

The ATT&CK profile is narrow and evidence-based: access, token theft, cloud discovery, and API-based collection/exfiltration. Where the behavior is only approximate, the mapping is labeled accordingly so the table does not overstate certainty.

Prioritized Mitigations

PriorityControl areaActionWhy it matters
1Credential lifecycleRetire dormant, prototype, and legacy credentials; rotate connected-app secrets, refresh tokens, service-account passwords, and API keys.Stops stale trust from becoming the initial access vector.
2Integration governanceInventory every SaaS connection, owner, scope, and business purpose; require admin approval and least privilege for sensitive apps.Reduces the blast radius of third-party trust relationships.
3Monitoring / detectionAlert on REST API enumeration, bulk /query bursts, pagination abuse, and automation user agents such as Python-based clients.Identifies token abuse before large-scale exfiltration completes.
4Platform hardeningUse short-lived access tokens, refresh-token rotation, IP restrictions, and single logout/session invalidation where supported.Limits replay window and constrains where stolen tokens work.
5Incident responseCoordinate rapid revocation of OAuth grants, refresh tokens, connected-app sessions, and affected service identities; temporarily quarantine suspicious integrations.Minimizes dwell time once suspicious activity is detected.
6Human-risk reductionIssue anti-phishing and verification guidance whenever CRM or business-contact data may have been exposed.Protects employees and customers from follow-on social engineering.

The highest-value control is simple: treat non-human identities like privileged assets. If a prototype credential or connected-app grant can linger indefinitely, then one vendor compromise can cascade into many customer tenants C16 C17 C18.

Sources

  1. Klue primary disclosure — https://klue.com/blog/an-update-on-recent-klue-security-incident
  2. Salesforce status advisory — https://status.salesforce.com/generalmessages/20000257
  3. BleepingComputer — https://www.bleepingcomputer.com/news/security/klue-oauth-breach-linked-to-icarus-salesforce-data-theft-attacks/
  4. Huntress — https://www.huntress.com/blog/klue-breach-investigation
  5. Recorded Future — https://www.recordedfuture.com/blog/klue-security-incident
  6. SecurityWeek — https://www.securityweek.com/beyondtrust-lastpass-impacted-by-klue-salesforce-incident/
EXPERIENCE PROTOS AI

Run your own deep-dive analysis with Protos AI.

Protos AI automates CTI investigations using agentic AI — from OSINT collection to structured analysis. Speak to our team to see it in action.

Download Full Report

Klue / Icarus June 2026 Intrusion — Full Intelligence Report


Inquire Now
Inquire Now
Oops! Something went wrong while submitting the form.