Klue, which provides competitive intelligence services, has been implicated in a supply chain compromise as an example of how trusted third-party integrations can lead to high-impact attacks on enterprise systems. As a consequence of the incident, which occurred on June 11, unauthorized access to Klue's backend infrastructure allowed threat actors to deploy malicious code designed to harvest authentication tokens related to customer integrations, resulting in the theft of customer authentication tokens.
Security firms Huntress and Recorded Future confirmed that they were among the organizations affected by the breach, which has drawn attention across the cybersecurity industry. In addition, investigations found that the attackers accessed and extracted customer data through connected business platforms by leveraging compromised integrations.
An interconnected SaaS ecosystems present significant risks, where a single compromise can rapidly extend beyond the initial target and affect multiple downstream organizations, thereby increasing the risk associated with the ecosystem.
In addition, details indicate that the compromise went beyond Klue's internal environment and into customer-connected cloud platforms via an unlawfully accessed legacy integration credential.
Threat actors accessed Salesforce instances by leveraging the credential on June 12 to synchronize customer data across linked cloud environments, leading to unauthorized access to customer information.
Despite the fact that Klue has not revealed the exact number of individuals or organizations affected, multiple organizations, including Gong, Jamf, HackerOne, Insurity, OneTrust, Snyk, Sprout Social, Tanium, Huntress, and Recorded Future, have acknowledged exposure.
As a result of the hacking, the cybercrime group Icarus has claimed responsibility for the incident. If a ransom demand is not met, the stolen data will be released publicly.
According to preliminary assessments, the accessed records primarily contain business-related information about customers, such as names, e-mail addresses, phone numbers, job titles, and some account details.
There has been an increasing trend for threat actors to target middleware and integration providers as strategic aggregation points, leading to a single compromised credential or service connection being used as a gateway into the cloud data environments of many downstream companies.
According to Klue, CrowdStrike has been engaged as part of its response efforts, and affected integrations have been suspended while containment and forensic investigations are ongoing. As containment efforts progressed, the operation footprint of the intrusion became increasingly apparent.
Upon discovering the compromise, Klue revoked all customer OAuth tokens and suspended integrations with various enterprise platforms, such as Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, as a means to prevent further unauthorized activity from taking place.
Upon further investigation, it was discovered that the attackers had used compromised integration access to extract extensive data through Salesforce's REST API by leveraging compromised integration access. ReliaQuest researchers observed unusually high volumes of CRM queries over a 24-hour period. These included a concentrated burst of nearly 1,000 requests within 15 minutes and sustained extraction activity that lasted over six hours.
Salesforce mentioned that the findings caused the application Klue Battlecards to be disabled on June 17 as a result of abnormal behavior that might have exposed customer information.
Huntress reported that among those organizations publicly confirming impact, accessed records contained only business-facing information like contact information, quotations, and sales communications. There was no evidence that threat intelligence, authentication credentials, payment information, or product engineering systems were exposed.
Recorded Future stated in a similar manner that the incident affected specific customer and contractual data fields, but not its internal infrastructure and critical operational environments. According to the investigators, the activity was confined to Klue-Salesforce integration rather than the affected companies' networks, distinguishing the incident from broader enterprise compromises.
In addition, Huntress reported receiving extortion messages from an individual whose communications referenced identifiers previously associated with the Icarus extortion group.
A combination of the stolen datasets and material advertised on the Icarus-operated leak infrastructure has strengthened industry assessments linking the group to the attack, however, the intrusion appears to be distinct from other campaigns attributed to actors such as ShinyHunters or UNC6395 that were previously attributed to the group.
This incident serves as another reminder that modern cybersecurity risks extend beyond an organization's own perimeter and into a wider ecosystem of trusted applications, integrations, and service providers.
A growing number of attackers are focusing on high value aggregation points within interconnected cloud environments, increasing the need for security teams to strengthen oversight of third-party access, continuously monitor privileged integrations, and swiftly revoke exposed credentials when suspicious activity occurs.
The investigation into the breach is ongoing, but the event underscores the necessity of making supply chain security a core part of enterprise security rather than a secondary risk, especially because a single compromised connection can create consequences across multiple organizations simultaneously.
