LastPass, BeyondTrust, and Others Confirm Data Theft in Klue-Salesforce Supply Chain Attack

LastPass, BeyondTrust, and at least 13 other organizations have confirmed that customer data was stolen from their Salesforce instances after a supply chain attack on Klue, a market intelligence platform. The breach, disclosed on June 24, 2026, involved a threat actor named Icarus who used a compromised legacy credential to access Klue's systems and generate OAuth tokens.

According to SecurityWeek, Icarus then used automated scripts to access the connected Salesforce instances and exfiltrate data in bulk. Salesforce and Gong have disabled the Klue integration in response. Over a dozen organizations have already confirmed impact, including HackerOne, Huntress, Insurity, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Tanium, 8x8, and Pendo.

What Data Was Stolen and What Was Not

LastPass stated that the accessed information was limited to standard business contact information and CRM data, including customer names, phone numbers, email addresses, physical addresses, support case data, and sales-related data. The company emphasized that its products, services, and infrastructure were not impacted, and customer vaults remain secure. There is no evidence the threat actor accessed any Gong-related data.

BeyondTrust also confirmed that business contact and sales-related information was stolen from its Salesforce instance. The company's notification initially went unnoticed. Huntress estimates that numerous other Klue customers were likely impacted and are expected to come forward.

• Threat actor Icarus used a compromised legacy credential to access Klue's systems.
• OAuth tokens were generated to breach third-party platforms like Salesforce.
• Automated scripts exfiltrated data in bulk from connected Salesforce instances.
• Salesforce and Gong disabled the Klue integration in response.
• Icarus's Tor-based leak site listed at least four other companies that have yet to publicly disclose being affected.

Broader Implications and Next Steps

The attack highlights the risks of third-party integrations and the cascading effects of supply chain breaches. LastPass has discontinued access to Klue, rotated exposed tokens, notified law enforcement, and launched an investigation together with Klue and Salesforce. The company advised customers to be vigilant for phishing attempts and to monitor their accounts for suspicious activity.

As of now, Icarus's website is down, but before becoming inaccessible, it listed at least four other companies that have yet to publicly disclose being affected, bringing the number of victims to roughly 15. The incident underscores the need for organizations to regularly audit third-party integrations and enforce strict access controls to mitigate supply chain risks.