Cybersecurity Firms Impacted by Klue Supply Chain Attack
Security WeekArchived Jun 19, 2026✓ Full text saved
The hackers exfiltrated data from Salesforce instances of Klue customers, such as Huntress and Recorded Future. The post Cybersecurity Firms Impacted by Klue Supply Chain Attack appeared first on SecurityWeek .
Full text archived locally
✦ AI Summary· Claude Sonnet
Cybersecurity firms Huntress and Recorded Future have disclosed the impact of a supply chain attack that hit market intelligence platform Klue.
The attack started on June 11 and affected systems associated with software platform integrations. The hackers connected to Klue’s backend servers and executed unauthorized commands, pushing a code update to harvest OAuth tokens for customers’ Klue integrations.
Klue notified customers of the incident on June 12, warning that it had deactivated OAuth tokens for all customers and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.
According to ReliaQuest, the hackers abused the Salesforce REST API to exfiltrate large volumes of customer relationship management (CRM) data over a 24-hour window, “including a concentrated burst of nearly a thousand queries in 15 minutes and sustained extraction windows lasting over 6 hours”.
On June 17, Salesforce disabled the Klue Battlecards app integration, warning that it “detected unusual activity involving the app that may have resulted in unauthorized access to a subset of customer data via the app’s connection to Salesforce”.
On Thursday, both Huntress and Recorded Future confirmed that they were among the companies affected by the supply chain attack.
“The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected,” Huntress said.
Recorded Future noted, “While our investigation is ongoing, we believe the impact was limited to business data fields stored in our Salesforce database, such as client contact names and email addresses. Certain business contract information may also have been potentially included in the impacted data.”
The incident was limited to the Klue-Salesforce integration and the attackers did not access any systems belonging to or maintained by the two cybersecurity firms.
Huntress noted that several other cybersecurity companies use Klue, but no other firm appears to have publicly disclosed impact from the attack.
The attack follows the same pattern observed in previous Salesforce, Salesloft Drift, and Gainsight incidents, which have been attributed to ShinyHunters and UNC6395, but appears to have been mounted by a new threat actor.
Huntress said it received attempted extortion communication from a threat actor calling itself “Mr Brean”, who pointed to a Session Messenger ID associated with Icarus, an extortion group that emerged in April 2026.
Icarus’ leak site has one entry from early May, with the data allegedly stolen from the victim already published (albeit no longer available), and another from June 16, which points to data stolen from Salesforce.
“With those matching data points, we have high confidence that the Icarus actor is responsible for the Klue compromise and this supply chain attack,” Huntress says.
While it has shared details of the attack with its customers, Klue has not made a public announcement on the matter. SecurityWeek has emailed the company for a statement and will update this article if it responds.
Related: Atomic Arch Supply Chain Attack Hits 1,500 AUR Packages
Related: Over 100 NPM, PyPI Packages Hit in New Shai-Hulud Supply Chain Attacks
Related: Maine Disables Data Breach Portal Due to Fake Submissions
Related: White House Issues Memo to Bolster NSS Cybersecurity
WRITTEN BY
Ionut Arghire
Ionut Arghire is an international correspondent for SecurityWeek.
More from Ionut Arghire
Dream Raises $260 Million at $3 Billion Valuation
Atlassian, Splunk Patch Critical Vulnerabilities
Critical Command Execution Vulnerability Patched in Cisco ISE
F5 Patches Critical, High-Severity NGINX Vulnerabilities
Microsoft Teams Relay Servers Abused in DragonForce Ransomware Attack
Microsoft Working on Patch for ‘RoguePlanet’ Zero-Day
Chrome and Firefox Updated to Patch Critical, High-Severity Vulnerabilities
Joomla, LiteSpeed Vulnerabilities Exploited in Attacks
Latest News
CryptoBandits Malware Doubles as a Backdoor, Abuses Tor
FortiBleed: 86,000 Fortinet Device Credentials Compromised
Cisco to Acquire WideField Security to Boost Splunk’s Agentic SOC
15,000 WordPress Websites Cleaned Up in SocGholish Botnet Takedown
Splunk Enterprise Vulnerability Exploited in Attacks Days After Disclosure
Majority of Internet-Accessible REDCap Servers Outdated
Accenture to Acquire Majority Stake in Dragos, All of runZero, NetRise in $4.1 Billion OT Cybersecurity Push
No Exploits Required
Trending
Webinar: How Modern Breaches Bypass MFA And Evade Detection
June 17, 2026
Today’s attackers are no longer breaking in — they’re logging in. Join this live webinar as we break down the modern identity attack chain and examine how recent breaches exploited weaknesses in authentication, identity verification, and access management processes.
Register
Webinar: Modern Exposure Validation In The AI Era
June 24, 2026
AI has accelerated both sides of the fight. Adversaries are weaponizing vulnerabilities faster, while defenders are racing to ship detections and configurations. Join this live webinar as we explore how to prove your controls actually hold against new threats, map your security maturity, and unite breach simulation with automated pentesting into a single, coordinated program.
Register
People on the Move
SolarWinds has appointed Justin Henkel as Chief Information Security Officer.
J. Paul Haynes has joined Cinchy as Chief Executive Officer.
Hatem Naguib has become Chief Executive Officer at Sysdig.
More People On The Move
Expert Insights
No Exploits Required
Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley)
After AI Reaches Production: 12 Ways Security Teams Can Take Control
Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb)
Everybody Is Vibe Coding But Nobody Told The Security Team
AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au)
The Zero-Knowledge Threat Actor And The End Of Responsible Disclosure
AI can help attackers generate malware, create malicious payloads, bypass simple security checks, and convert vague malicious intent into functional code. (Etay Maor)
Raising The Cybersecurity Stakes: Ante Up For The Agentic Era
CISOs are now facing machine-speed attacks and asking, “How do I agent?” The industry must provide remediation at scale. (Nadir Izrael)
Flipboard
Reddit
Whatsapp
Email