Home / The Long Read / Research
Long Read

Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers

The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.

Klue OAuth breach: how one connected app exposed CRM data at Huntress, Jamf and other customers
TL;DR

The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.

A competitive-intelligence tool became the way into the customer data of dozens of companies at once. In June 2026 the extortion group Icarus used a stolen legacy credential (an old but still-valid access key) to reach the integration systems of Klue, an add-on that connects to Salesforce and Gong. It then harvested the OAuth tokens Klue held for its customers. An OAuth token is the standing permission one app keeps to act inside another, so those tokens opened each customer's own Salesforce and Gong records without a password. Named victims include Huntress, Jamf, Recorded Future, Tanium, Insurity and Sprout Social. No customer login was broken. The weak link was a connected third-party app, and its risk lived in a token, not a contract.

Klue OAuth breach (June 2026): the exposure path One connected app held standing keys to many customers' CRM data. When the app was breached, the keys were taken. Icarus extortion group active since Apr 2026 stolen legacy credential Klue Salesforce + Gong integration (SaaS add-on) OAuth token vault standing keys to each customer's Salesforce and Gong data attacker pushes code to harvest tokens valid OAuth tokens, no password needed Downstream customers exposed Huntress . Jamf . Recorded Future Tanium . Insurity . Sprout Social and other Klue customers (list still growing) Data taken from their own Salesforce and Gong records: business contacts, sales communications, pricing and opportunity notes. Extortion emails follow: "48 hours to communicate with us" Fourth-party risk, in one line: Your CRM data can leave through a supplier's connected app, using an access key you granted once and stopped tracking. The customer login is never broken. The standing OAuth token is what the attacker takes. Sources: BleepingComputer, The Hacker News, ReliaQuest, Obsidian Security. Draft diagram for Breach Wire, Supplier Shield.

What happened

Klue confirmed it found unauthorised activity in its integration infrastructure on 12 June 2026 and disabled the affected OAuth credentials and integrations the next day, according to reporting by BleepingComputer and The Hacker News. Analysts at ReliaQuest and Obsidian Security link the intrusion to Icarus, an extortion group active since April 2026. The attackers used a legacy credential to enter Klue's systems, pushed a code change that collected the OAuth tokens Klue stored for its customers, and used those tokens to pull data from customer Salesforce and Gong environments. Because a token works until it is revoked, the theft rode on standing access rather than a cracked password.

The stolen material is described as business contacts, sales communications, pricing information and opportunity notes. On or around 16 June 2026, Icarus began sending extortion emails that gave recipients 48 hours to make contact. Klue says it revoked the affected tokens and credentials, removed the unauthorised code, engaged the incident-response firm CrowdStrike and notified law enforcement. Salesforce disabled the Klue integration on its own platform while the matter is investigated. The list of named customers, which includes Huntress, Jamf, Recorded Future, Tanium, Insurity and Sprout Social, has continued to grow as more disclosures arrive.

Why it matters for third-party risk

Strip away the names and the pattern is familiar, but the door is a new one. The same shape appeared days earlier in the Oracle PeopleSoft zero-day, where one shared platform exposed more than a hundred organisations at once. Every SaaS-to-SaaS integration a company approves hands a third-party app a durable key to its data. That key sits inside the supplier, not inside your own walls, and it usually outlives the reason it was granted. When the supplier is breached, the key is what the attacker takes. This is fourth-party risk in practice: your Salesforce data can leave through a vendor you may have onboarded years ago and stopped thinking about.

Vendor registers rarely capture this. A tool such as Klue is easy to miss because it is small, it was often approved by a sales team rather than security, and its risk lives in an access token, not in a signed contract. For firms in scope of the EU Digital Operational Resilience Act (DORA) or the NIS2 directive, connected SaaS apps with standing access to core data are exactly the kind of ICT and fourth-party dependency both regimes expect organisations to identify and control.

What teams should take from it

Two moves are worth making now. First, inventory the OAuth integrations connected to your core platforms, Salesforce, Google Workspace, Microsoft 365 and the like, and revoke any that are stale, over-scoped or unowned. A connected app that no one remembers approving is precisely the Klue scenario. Second, treat token hygiene as a measured control: prefer short-lived tokens, scope them to the minimum data needed, and watch for unusual data pulls through integration accounts rather than user logins, because that is where this theft hid. If the worst happens, a rehearsed breach response plan decides how fast the exposure is contained.

For third-party risk teams, this is where continuous vendor monitoring earns its place over a yearly questionnaire, because a connected app can turn from convenience to breach in a single day.

FAQ

What is the Klue breach?

Klue is a competitive-intelligence tool that connects to Salesforce and Gong. In June 2026 attackers stole the OAuth access tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. The extortion group Icarus has claimed the activity.

Why is this a third-party incident and not a normal breach?

Customers were not compromised through their own logins. They were exposed through a connected third-party app that held standing access to their data. One supplier's compromise reached many downstream customers at once, which is the defining feature of SaaS supply-chain and fourth-party risk. For the fundamentals, see what third-party risk management covers.

What should companies using Salesforce or Gong do now?

Review and revoke connected app integrations you do not actively need, rotate and re-scope the OAuth tokens that remain, and check integration activity logs for unusual data access dating back to early June 2026.

What to do next

Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.

Read next

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

KDDI email breach: how one shared email platform exposed up to 14.2 million logins across six ISPs

One email platform run by KDDI exposed the logins of up to 14.2 million customers across six Japanese internet providers. The lesson for third-party risk teams is concentration and fourth-party risk: many brands on one shared supplier system, breached through a third-party software flaw.

Read article
iRhythm breach: how patient data left through third-party-hosted business apps

iRhythm breach: how patient data left through third-party-hosted business apps

Cardiac-monitoring firm iRhythm says attackers took patient health data, proprietary data and personal information from third-party-hosted business applications, not from its clinical systems. For third-party risk teams the lesson is that regulated data often lives with a vendor, and that is where it leaves.

Read article
Vendor due diligence: the 2026 checklist for regulated teams

Vendor due diligence: the 2026 checklist for regulated teams

A practical vendor due diligence checklist for 2026, tiered by risk and mapped to what DORA, NIS2, and GDPR now expect, including the fourth-party checks most teams skip.

Read article
Klue OAuth breach exposes Salesforce CRM data | Breach Wire | Supplier Shield