Klue Breach Blast Radius Widens as Second Hacker Group Enters the Fray
A supply chain attack on market intelligence platform Klue has compromised roughly two dozen corporate Salesforce instances, with the original threat actor allegedly hacked by a second group now running its own extortion campaign.
Roughly two dozen companies have confirmed that their Salesforce instances were compromised in a supply chain attack on Klue, a market intelligence platform, in an incident that began June 11. The attackers used stolen legacy credentials to access Klue, obtained OAuth tokens tied to customers' Salesforce integrations, and exfiltrated data in bulk before Salesforce disabled the integration on June 17.
SecurityWeek reported on June 26 that the known victim list includes AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Gong also disabled its Klue integration. The threat actor, going by the name Icarus, posted Klue and several of its customers to a Tor-based leak site and demanded a ransom to prevent public release of stolen business contact and support data.
How the Attack Unfolded
The breach occurred over a single 24-hour window on June 11-12. The attackers compromised legacy credentials for Klue, an internal platform used by hundreds of enterprises for competitive intelligence. The OAuth tokens that Klue maintained for its customer integrations allowed the attackers to reach directly into victims' Salesforce environments. Klue has hundreds of customers, and the full blast radius remains unknown.
- Salesforce disabled the Klue integration on June 17 and had not re-enabled it as of this report.
- Gong also disabled its Klue integration in response to the incident.
- Icarus's leak site has been offline for several days, which likely indicates either that negotiations with Klue are under way or that a ransom was paid.
- Klue reportedly told customers that Icarus themselves were hacked by a second group, which now holds sample data and is running its own extortion campaign.
- The incident allegedly affects 195 Klue customers, though no group other than Icarus has publicly claimed possession of the stolen data.
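An added example, not from the original article and not Klue's or Salesforce's code: one way a customer could review API activity attributed to a third-party integration for the pattern described above, bulk reads made through the integration's OAuth token. The record layout, integration names, IP addresses and thresholds are constructed assumptions, not a real Salesforce log schema.

```python
from collections import defaultdict
from statistics import mean

# Constructed sample records, not real logs. Layout is an assumption:
# (ISO timestamp, integration name, source IP, rows returned by the API call).
EVENTS = [
    ("2026-06-08T09:00:00", "intel-sync", "198.51.100.10", 1200),
    ("2026-06-09T09:00:00", "intel-sync", "198.51.100.10", 1100),
    ("2026-06-10T09:00:00", "intel-sync", "198.51.100.11", 1300),
    ("2026-06-11T22:15:00", "intel-sync", "203.0.113.77", 48000),
    ("2026-06-11T23:40:00", "intel-sync", "203.0.113.77", 52000),
    ("2026-06-12T09:00:00", "intel-sync", "198.51.100.10", 1250),
    ("2026-06-10T08:00:00", "billing-sync", "198.51.100.20", 300),
    ("2026-06-11T08:00:00", "billing-sync", "198.51.100.20", 320),
]

def summarize(events):
    """Group events into {app: {day: {"rows": int, "ips": set}}}."""
    per_app = defaultdict(lambda: defaultdict(lambda: {"rows": 0, "ips": set()}))
    for ts, app, ip, rows in events:
        day = per_app[app][ts[:10]]
        day["rows"] += rows
        day["ips"].add(ip)
    return per_app

def flag_anomalies(events, min_history=3, ratio=5.0):
    """Flag days where an integration pulls far more rows than its own
    baseline, or calls from an IP never seen before for that integration.
    Integrations with fewer than min_history clean days are not evaluated."""
    findings = []
    for app, days in summarize(events).items():
        history_rows, known_ips = [], set()
        for day in sorted(days):
            rows, ips = days[day]["rows"], days[day]["ips"]
            if len(history_rows) >= min_history:
                reasons = []
                if rows > ratio * mean(history_rows):
                    reasons.append("volume")
                if ips - known_ips:
                    reasons.append("new_ip")
                if reasons:
                    findings.append((app, day, rows, sorted(ips - known_ips), reasons))
                    continue  # keep flagged days out of the baseline
            history_rows.append(rows)
            known_ips |= ips
    return findings
```

Flagged days are excluded from the baseline so that one day of bulk reads does not raise the threshold for the next.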
Broader Trust Issues With Automated Security Tools
While the Klue incident highlights the risk of third-party integrations, a survey from TechRadar Pro published in the same period reveals that fewer than one in ten cybersecurity professionals trust AI-based testing tools to find vulnerabilities. Over three-quarters of respondents said their AI vulnerability scanning tools missed critical flaws. The research indicates that fully automated testing is being replaced with a hybrid model where human expertise remains foundational.
Separately, Meta has been testing facial recognition capabilities for police and military use, working with a Pentagon supplier on eyeglasses that can identify individuals in real time. The combination of these stories points to a cybersecurity landscape where both supply chain attacks and confidence in automation are under strain.
Klue has not publicly updated its investigation findings since the initial confirmation. The company continues to communicate with affected customers as a second group of attackers threatens to compound the damage from the original breach.
Fact check
- Roughly two dozen Klue customers have confirmed they were compromised in a supply chain attack on Klue's Salesforce integration. (reported)
- The attack took place on June 11-12, 2026, using compromised legacy credentials to access Klue and OAuth tokens to exfiltrate data from customers' Salesforce instances. (reported)
- Less than 10% of cybersecurity professionals trust AI testing tools to find vulnerabilities, and over 75% said their AI vulnerability scanning tools missed critical flaws. (reported)
- Salesforce disabled the Klue integration on June 17 and has not yet re-enabled it. (reported)
Source reporting (3)
- SecurityWeek · More Klue Breach Victims Identified as Hackers Get Hacked
- TechRadar Pro · Less than one in ten of cybersecurity pros trust AI testing tools to find vulnerabilities, with over three-quarters say their AI vulnerability scanning tools missed critical flaws
- Schneier on Security · Meta Is Testing Facial Recognition for Police and Military