Approximately two dozen Klue customers have now confirmed that their Salesforce instances were compromised in a supply chain attack that unfolded on June 11 and 12. Attackers gained access to the market intelligence platform Klue using legacy credentials, obtained OAuth tokens tied to customer integrations, and exfiltrated data in bulk before the intrusion was contained.

Salesforce disabled the Klue integration on June 17 and had not re-enabled it as of the time of reporting. Gong also disabled the integration. Confirmed affected organizations include AlertMedia, Blackbaud, Camunda, Cresta, Deel, Lucanet, Link11, and Tines, among others. Some Klue customers, such as Autodesk, were not impacted because they do not use the Salesforce integration.

Threat Actor Claims and Ransom Dynamics

Responsibility for the attack was claimed by a group calling itself Icarus, which listed Klue and several of its customers on a Tor-based leak site. The stolen data reportedly consists primarily of business contact and support information. Icarus threatened to publish the data unless a ransom was paid.

Klue publicly acknowledged the breach and stated it was investigating, but has not released further public updates. According to reporting by TechCrunch, Klue notified customers privately that it had been in contact with Icarus and that the threat actor had begun deleting the stolen data. The Icarus leak site has been offline for several days, suggesting negotiations may have concluded, possibly with a payment.

A Second Extortion Threat Emerges

The situation grew more complicated when Klue reportedly informed customers that Icarus had itself been compromised by a separate, unnamed threat actor. That group allegedly obtained sample data from Icarus and has launched its own extortion campaign against Klue customers.

  • The breach is said to affect 195 Klue customers in total.
  • The second group reportedly possesses only sample data, not the full exfiltrated dataset.
  • No known extortion group beyond Icarus has publicly claimed possession of data from the Klue incident.

Klue has hundreds of customers, and the full scope of the incident may not yet be known. SecurityWeek reported that it reached out to Klue for comment and would update its coverage once it received a response. Security teams at affected organizations should treat this as an active, multi-party extortion situation and verify the scope of any Salesforce or OAuth integration exposure tied to the Klue platform.