More Klue Breach Victims Identified as Hackers Get Hacked

Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month. The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration. The list of impacted organizations also includes AlertMedia, Blackbaud (requires authentication), Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Klue has hundreds of customers and the blast radius could be wider, but SecurityWeek has not seen other notifications regarding the incident. It should also be noted that some Klue customers, such as Autodesk, might not use the Salesforce integration with Klue and were not affected. The attack was claimed by a threat actor named Icarus, which added Klue and several of its customers to a Tor-based leak site, threatening to leak the stolen information – mainly business contact and support data – unless a ransom was paid. Klue confirmed the data breach on Monday, saying it was investigating it, but has yet to publicly share updates on the findings. In the meantime, however, the market research firm has notified its customers privately that it has been in contact with the threat actor, which started deleting the stolen data, TechCrunch reports. Icarus’s leak site has been unavailable for the past couple of days, likely as a result of the negotiations with Klue, which suggests that the company might have paid up. Additionally, Klue reportedly told customers that Icarus themselves were hacked, and that the stolen data is now in the hands of another threat actor, which is running its own extortion campaign. The incident allegedly affects 195 Klue customers, but the second group supposedly stole only sample data from Icarus. No known extortion group other than Icarus appears to have publicly claimed possession of data stolen during the Klue incident. SecurityWeek has emailed Klue for a statement and will update this article if the company responds. Related: Canadian Electricity Provider London Hydro Discloses Data Breach Related: Xsolis Data Breach Affects 1.4 Million Individuals Related: Texas Parks & Wildlife Data Breach Affects 3 Million Individuals Related: Kodak Admits Data Breach After ShinyHunters Hack Claims WRITTEN BY Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. More from Ionut Arghire Runlayer Raises $30 Million in Series A Funding GitLab Patches Code Execution, Information Disclosure Vulnerabilities 25-Year-Old Vulnerability Patched in Curl NIST Opens Updated IoT Security Guidance to Public Review Chrome 149 Update Resolves 18 Severe Vulnerabilities Critical Ubiquiti Vulnerabilities in Attackers’ Crosshairs New ‘Mistic’ RAT Opens Door to Several Ransomware Families Exploitable CI/CD Vulnerabilities Expose Millions of Repositories to Hijacking Latest News Amazon Q Flaw Enabled Cloud Credential Theft via Malicious Repositories In Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk Layoffs Nebulock Raises $25 Million for AI-Native Contextual Security Linux Foundation Unveils New Open Source Security Project Akrites $3 Million Reportedly Stolen in Polymarket Hack Russian APT Deploys ‘StockStay’ Backdoor Against Ukrainian Targets First-Ever Exploitation of PTC Windchill Vulnerability Discovered in the Wild New Enterprise-Ready MCP Specification Brings New Security Challenges Trending Webinar: Why Email Security Keeps Failing (And What Has To Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the Move Mark Carter has been appointed Chief Information Security Officer at Socure. Spektrum Labs has named Mark Cravotta Chief Operating Officer. Philip Martin has joined Uber as Chief Information Security Officer. More People On The Move Expert Insights When Information Becomes The Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What The Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told The Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Email