
The Icarus extortion group stole the OAuth tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. For third-party risk teams the lesson is fourth-party risk: a connected SaaS app can turn a supplier's breach into your data loss.
A competitive-intelligence tool became the way into the customer data of dozens of companies at once. In June 2026 the extortion group Icarus used a stolen legacy credential (an old but still-valid access key) to reach the integration systems of Klue, an add-on that connects to Salesforce and Gong. It then harvested the OAuth tokens Klue held for its customers. An OAuth token is the standing permission one app keeps to act inside another, so those tokens opened each customer's own Salesforce and Gong records without a password. Named victims include Huntress, Jamf, Recorded Future, Tanium, Insurity and Sprout Social. No customer login was broken. The weak link was a connected third-party app, and its risk lived in a token, not a contract.
What happened
Klue confirmed it found unauthorised activity in its integration infrastructure on 12 June 2026 and disabled the affected OAuth credentials and integrations the next day, according to reporting by BleepingComputer and The Hacker News. Analysts at ReliaQuest and Obsidian Security link the intrusion to Icarus, an extortion group active since April 2026. The attackers used a legacy credential to enter Klue's systems, pushed a code change that collected the OAuth tokens Klue stored for its customers, and used those tokens to pull data from customer Salesforce and Gong environments. Because a token works until it is revoked, the theft rode on standing access rather than a cracked password.
The stolen material is described as business contacts, sales communications, pricing information and opportunity notes. On or around 16 June 2026, Icarus began sending extortion emails that gave recipients 48 hours to make contact. Klue says it revoked the affected tokens and credentials, removed the unauthorised code, engaged the incident-response firm CrowdStrike and notified law enforcement. Salesforce disabled the Klue integration on its own platform while the matter is investigated. The list of named customers, which includes Huntress, Jamf, Recorded Future, Tanium, Insurity and Sprout Social, has continued to grow as more disclosures arrive.
Why it matters for third-party risk
Strip away the names and the pattern is familiar, but the door is a new one. The same shape appeared days earlier in the Oracle PeopleSoft zero-day, where one shared platform exposed more than a hundred organisations at once. Every SaaS-to-SaaS integration a company approves hands a third-party app a durable key to its data. That key sits inside the supplier, not inside your own walls, and it usually outlives the reason it was granted. When the supplier is breached, the key is what the attacker takes. This is fourth-party risk in practice: your Salesforce data can leave through a vendor you may have onboarded years ago and stopped thinking about.
Vendor registers rarely capture this. A tool such as Klue is easy to miss because it is small, it was often approved by a sales team rather than security, and its risk lives in an access token, not in a signed contract. For firms in scope of the EU Digital Operational Resilience Act (DORA) or the NIS2 directive, connected SaaS apps with standing access to core data are exactly the kind of ICT and fourth-party dependency both regimes expect organisations to identify and control.
What teams should take from it
Two moves are worth making now. First, inventory the OAuth integrations connected to your core platforms, Salesforce, Google Workspace, Microsoft 365 and the like, and revoke any that are stale, over-scoped or unowned. A connected app that no one remembers approving is precisely the Klue scenario. Second, treat token hygiene as a measured control: prefer short-lived tokens, scope them to the minimum data needed, and watch for unusual data pulls through integration accounts rather than user logins, because that is where this theft hid. If the worst happens, a rehearsed breach response plan decides how fast the exposure is contained.
For third-party risk teams, this is where continuous vendor monitoring earns its place over a yearly questionnaire, because a connected app can turn from convenience to breach in a single day.
FAQ
What is the Klue breach?
Klue is a competitive-intelligence tool that connects to Salesforce and Gong. In June 2026 attackers stole the OAuth access tokens Klue held for its customers and used them to take data from those customers' own Salesforce and Gong accounts. The extortion group Icarus has claimed the activity.
Why is this a third-party incident and not a normal breach?
Customers were not compromised through their own logins. They were exposed through a connected third-party app that held standing access to their data. One supplier's compromise reached many downstream customers at once, which is the defining feature of SaaS supply-chain and fourth-party risk. For the fundamentals, see what third-party risk management covers.
What should companies using Salesforce or Gong do now?
Review and revoke connected app integrations you do not actively need, rotate and re-scope the OAuth tokens that remain, and check integration activity logs for unusual data access dating back to early June 2026.
Want this applied to your supplier ecosystem? See the platform in action and map your top vendor risks live in one walkthrough.


