Scope of Salesforce Attacks Expands as Icarus Leaks Data
More victims have emerged after attackers breached application vendor Klue and used its OAuth tokens to steal customers' Salesforce data.
Rob Wright, Senior News Director, Dark Reading
June 23, 2026
The latest wave of Salesforce data thefts impacted several technology and cybersecurity companies, and the extortion group behind the attacks indicated more victims are coming.
The attacks first came to light June 17 when Salesforce disabled integration with Klue's Battlecards application following a breach at the app vendor. Cybersecurity vendor Huntress was the first company to publicly acknowledge its Salesforce data had been compromised, and extortion group Icarus took credit for the attacks and warned more victims would emerge.
Since then, additional companies have issued disclosures regarding compromised Salesforce data. LastPass said yesterday in a blog post that it was affected by the attacks. While threat actors accessed customer data within the password manager's Salesforce instance, LastPass emphasized that its products, services, and infrastructure were unaffected and that "customer vaults remain secure."
LastPass also noted that while Klue's market intelligence platform integrated with its Gong systems, there was "no evidence the threat actor accessed any Gong-related data."
Like many organizations that disclosed compromised Salesforce instances, LastPass said it immediately suspended all company access to Klue, rotated exposed API access tokens, and launched an investigation into the attack. Additional cybersecurity and technology companies that disclosed attacks include HackerOne, Recorded Future, Jamf, Snyk, OneTrust, Insurity, Tanium, and Sprout Social.
Scope of Klue OAuth Token Abuse
It appears threat actors may have access to more than just Salesforce instances. Gong itself published a blog post Friday stating that attackers may have accessed "internal licensed user data" for a subset of Gong customers that used the Klue integration. The Gong data accessed includes usernames, user business titles, and user emails, according to the company.
"To be clear: this was an incident that originated with third-party integrator Klue. It was not a direct breach of Gong’s own products or systems," the company stated. "Impacted customers were those who chose to connect Klue with Gong. Gong has not identified any direct impact to customer call recordings or transcripts."
Gong added that Klue provided the company with four suspicious IP addresses, which Gong blocked. After investigating the activity tied to the IP addresses, Gong determined some customer data was compromised.
Dark Reading contacted Gong for further comment.
The compromise of more Salesforce instances and Gong user emails could raise concerns about exposed secrets. In previous Salesforce attacks last year — which were tied to the breach of another third-party app vendor, Salesloft — some victims acknowledged that their instances contained secrets. For example, Cloudflare discovered 104 API tokens in its Salesforce instance, which were contained in some support case data files. Those tokens were promptly rotated.
The specter of last year's attacks may have prompted companies affected by Icarus's campaign to carefully review impacted data for any potential secrets or sensitive information beyond what would traditionally be contained in Salesforce instances.
For example, HackerOne noted in its disclosure that it has "strict data segmentation policies and controls" that prohibit customer vulnerability data from its CRM systems. "Further, our preliminary forensic investigation has found no indication that any such data was accessed," the company said.
Icarus Gang Leaks Stolen Data
On its Dark Web leak site, Icarus previously set a Monday deadline for Klue customers to contact the extortion group. And sure enough, Icarus began posting victim organizations' data, albeit with company names partially redacted. At press time, six Klue customers were listed on the site.
Huntress confirmed in a Monday update that the data posted by Icarus was in line with the scope previously determined by its investigation. Additionally, the cybersecurity vendor confirmed that no products, infrastructure data, telemetry, passwords, or payment card information was accessed.
"The files for Huntress are limited to Salesforce data, which includes business contact information (e.g., full names, work emails, job title, phone number, and business addresses), business names, products trialed/used, subscription details (units, pricing), and sales-related communications (such as price quotes, contacts, and tasks) with Huntress customers and partners, as well as opportunity notes (i.e., free form fields where teammates can capture and track thoughts and next steps)," Huntress said.
In an accompanying video, Tom Lawrence, community growth strategist at Huntress, said the primary risk of the Salesforce compromise was threat actors sending Huntress customers a targeted and convincing message for a social engineering attack. Therefore, he said, customers should verify any incident-related messages through known channels only, and verify messages out-of-band on a separate channel before, say, transferring funds or handing over credentials.