
Scope of Salesforce Attacks Expands as Icarus Leaks Data

Dark Reading Archived Jun 24, 2026 ✓ Full text saved

More victims have emerged after attackers breached application vendor Klue and used its OAuth tokens to steal customers' Salesforce data.



Rob Wright, Senior News Director, Dark Reading
June 23, 2026

The latest wave of Salesforce data thefts impacted several technology and cybersecurity companies, and the extortion group behind the attacks indicated more victims are coming.

The attacks first came to light June 17 when Salesforce disabled integration with Klue's Battlecards application following a breach at the app vendor. Cybersecurity vendor Huntress was the first company to publicly acknowledge its Salesforce data had been compromised, and extortion group Icarus took credit for the attacks and warned more victims would emerge.

Since then, additional companies have issued disclosures regarding compromised Salesforce data. LastPass said yesterday in a blog post that it was affected by the attacks. While threat actors accessed customer data within the password manager's Salesforce instance, LastPass emphasized that its products, services, and infrastructure were unaffected and that "customer vaults remain secure."

LastPass also noted that while Klue's market intelligence platform integrated with its Gong systems, there was "no evidence the threat actor accessed any Gong-related data."

Like many organizations that disclosed compromised Salesforce instances, LastPass said it immediately suspended all company access to Klue, rotated exposed API access tokens, and launched an investigation into the attack.

Additional cybersecurity and technology companies that disclosed attacks include HackerOne, Recorded Future, Jamf, Snyk, OneTrust, Insurity, Tanium, and Sprout Social.

Scope of Klue OAuth Token Abuse

It appears threat actors may have access to more than just Salesforce instances. Gong itself published a blog post Friday stating that attackers may have accessed "internal licensed user data" for a subset of Gong customers that used the Klue integration. The Gong data accessed includes usernames, user business titles, and user emails, according to the company.

"To be clear: this was an incident that originated with third-party integrator Klue. It was not a direct breach of Gong’s own products or systems," the company stated. "Impacted customers were those who chose to connect Klue with Gong. Gong has not identified any direct impact to customer call recordings or transcripts."

Gong added that Klue provided the company with four suspicious IP addresses, which Gong blocked. After investigating the activity tied to the IP addresses, Gong determined some customer data was compromised. Dark Reading contacted Gong for further comment.

The compromise of more Salesforce instances and Gong user emails could raise concerns about exposed secrets. In previous Salesforce attacks last year — which were tied to the breach of another third-party app vendor, Salesloft — some victims acknowledged that their instances contained secrets. For example, Cloudflare discovered 104 API tokens in its Salesforce instance, which were contained in some support case data files. Those tokens were promptly rotated.

The specter of last year's attacks may have prompted companies affected by Icarus's campaign to carefully review impacted data for any potential secrets or sensitive information beyond what would traditionally be contained in Salesforce instances.

For example, HackerOne noted in its disclosure that it has "strict data segmentation policies and controls" that prohibit customer vulnerability data from its CRM systems.

"Further, our preliminary forensic investigation has found no indication that any such data was accessed," the company said.

Icarus Gang Leaks Stolen Data

On its Dark Web leak site, Icarus previously set a Monday deadline for Klue customers to contact the extortion group. And sure enough, Icarus began posting victim organizations' data, albeit with company names partially redacted. At press time, six Klue customers were listed on the site.

Huntress confirmed in a Monday update that the data posted by Icarus was in line with the scope previously determined by its investigation. Additionally, the cybersecurity vendor confirmed that no products, infrastructure data, telemetry, passwords, or payment card information was accessed.

"The files for Huntress are limited to Salesforce data, which includes business contact information (e.g., full names, work emails, job title, phone number, and business addresses), business names, products trialed/used, subscription details (units, pricing), and sales-related communications (such as price quotes, contacts, and tasks) with Huntress customers and partners, as well as opportunity notes (i.e., free form fields where teammates can capture and track thoughts and next steps)," Huntress said.

In an accompanying video, Tom Lawrence, community growth strategist at Huntress, said the primary risk of the Salesforce compromise was threat actors sending Huntress customers a targeted and convincing message for a social engineering attack. Therefore, he said, customers should verify any incident-related messages through known channels only, and verify messages out-of-band on a separate channel before, say, transferring funds or handing over credentials.

About the Author

Rob Wright, Senior News Director, Dark Reading

Rob Wright is a longtime reporter with more than 25 years of experience as a technology journalist. Prior to joining Dark Reading as senior news director, he spent more than a decade at TechTarget's SearchSecurity in various roles, including senior news director, executive editor and editorial director. Before that, he worked for several years at CRN, Tom's Hardware Guide, and VARBusiness Magazine covering a variety of technology beats and trends.

Prior to becoming a technology journalist in 2000, he worked as a weekly and daily newspaper reporter in Virginia, where he won three Virginia Press Association awards in 1998 and 1999. At TechTarget and Dark Reading, he has won several Azbee awards, including the 2026 National Silver Award for a series on vibe coding.

At Dark Reading, Rob currently covers security operations, cloud security, and Internet infrastructure. He has a keen interest in malvertising activity and the certificate authority industry, and has written extensively on both topics. He graduated from the University of Richmond in 1997 with a degree in journalism and English. A native of Massachusetts, he lives in the Boston area.