Klue OAuth Breach — One Legacy Credential, Nine Security Vendors Compromised

The security vendor you trust just got hacked — and took nine of its customers with it.
The Icarus extortion group compromised Klue, a competitive intelligence platform. They didn’t need a zero-day. They found a single legacy credential, got into Klue’s backend, and pushed a code update that silently harvested OAuth tokens for every active customer integration. Salesforce. Slack. HubSpot. Zoom. Google Drive. SharePoint. All disabled at once.
The confirmed victim list includes Huntress, Recorded Future, Tanium, Jamf, Snyk, HackerOne, and OneTrust. Security firms — companies whose entire business is defending others — lost their CRM data, sales pipelines, pricing intelligence, and account notes to a threat actor that never touched their own environment.
From Salesforce’s perspective, the requests were entirely legitimate. The OAuth tokens were valid. There was no anomaly to detect because the attacker was operating as Klue.
This is the 15th supply chain attack in the 2026 arc tracked since January. Every single one before it targeted a code artifact. This one targeted the integration layer — the trusted connections between your business software.
What to do now: Audit every OAuth app connected to your Salesforce, Slack, and Google Workspace. Enforce just-in-time access provisioning. Rotate credentials for any integration not reviewed in the last 90 days. Ask your vendors: what happens to our OAuth tokens if you get breached?
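The audit and 90-day rotation rule above can be turned into a repeatable check. The script below is an added example, not code from the original post or from any of the vendors named in it; it assumes you have exported your connected-app inventory (Salesforce Connected Apps, Slack app management, Google Workspace API controls) into the simple record shape shown, and the vendor names, scope labels and dates in the sample inventory are constructed.

```python
"""Connected-OAuth-app audit: flag unreviewed, dormant and over-privileged
integrations.  Added example (not from the original post); the inventory
format and the BROAD_SCOPES labels are assumptions, and the sample data
below is constructed."""

from dataclasses import dataclass
from datetime import date, timedelta

# Scopes that let a token act broadly or indefinitely on behalf of users.
# Assumed labels, modelled on common Salesforce / Google scope names.
BROAD_SCOPES = {
    "full",
    "refresh_token",
    "offline_access",
    "https://www.googleapis.com/auth/drive",
}


@dataclass(frozen=True)
class ConnectedApp:
    name: str            # integration name as shown in the admin console
    platform: str        # "salesforce", "slack", "google_workspace", ...
    scopes: frozenset    # granted OAuth scopes
    last_reviewed: date  # when an admin last reviewed this grant
    last_used: date      # most recent token use seen in audit logs
    users: int           # number of users who authorised the app


def stale_reviews(apps, today, max_age_days=90):
    """Apps whose grant has not been reviewed within max_age_days.
    These are the rotation candidates under the post's 90-day rule."""
    cutoff = today - timedelta(days=max_age_days)
    return sorted(a.name for a in apps if a.last_reviewed < cutoff)


def over_privileged(apps):
    """Apps holding at least one broad scope: if the vendor is breached,
    the attacker inherits exactly this access."""
    return sorted(a.name for a in apps if a.scopes & BROAD_SCOPES)


def dormant(apps, today, idle_days=30):
    """Apps whose tokens have not been used recently; revoke rather than keep."""
    cutoff = today - timedelta(days=idle_days)
    return sorted(a.name for a in apps if a.last_used < cutoff)


def audit(apps, today):
    """Combine the checks into one report keyed by finding type."""
    return {
        "rotate_stale": stale_reviews(apps, today),
        "broad_scopes": over_privileged(apps),
        "revoke_dormant": dormant(apps, today),
    }


# Constructed sample inventory; none of these are real vendors or grants.
TODAY = date(2026, 3, 1)
SAMPLE_APPS = [
    ConnectedApp("competitive-intel-vendor", "salesforce",
                 frozenset({"api", "refresh_token"}),
                 last_reviewed=date(2025, 9, 15),
                 last_used=date(2026, 2, 28), users=42),
    ConnectedApp("calendar-sync", "google_workspace",
                 frozenset({"https://www.googleapis.com/auth/calendar.readonly"}),
                 last_reviewed=date(2026, 1, 20),
                 last_used=date(2026, 2, 27), users=300),
    ConnectedApp("old-survey-tool", "slack",
                 frozenset({"chat:write"}),
                 last_reviewed=date(2025, 11, 1),
                 last_used=date(2025, 12, 5), users=3),
]

if __name__ == "__main__":
    for finding, names in audit(SAMPLE_APPS, TODAY).items():
        print(f"{finding}: {', '.join(names) or '(none)'}")
```

Run against the sample data, the report lists the vendor app that holds a `refresh_token` scope and has not been reviewed since September as both a rotation candidate and a broad-scope grant, while the idle Slack app is flagged for revocation. Feeding it your real export answers the post's vendor question from your side: for each integration, the `broad_scopes` list is what an attacker operating as that vendor would be able to reach.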
For those who want a deeper dive into this topic:

