🔐 The Klue Breach: How Cyber Guardians Got Hacked

When the Cybersecurity Guardians Get Hacked

In a shocking turn of events, a supply chain attack has led to data breaches at some of the world's largest cybersecurity firms.

Key Takeaways

  • OAuth Token Theft - Hackers stole OAuth tokens from Klue, gaining access to Salesforce data of hundreds of companies
  • High-Profile Victims - Huntress, HackerOne, Jamf, Recorded Future, and Tanium are among the confirmed victims
  • Icarus Group Emerges - A new ransomware group called Icarus has claimed responsibility for the attack

When a Forgotten Token Opens the Gates of Hell

On June 18, 2026, the security team at Huntress noticed something unusual in their Salesforce environment. What initially appeared to be a minor anomaly quickly escalated into one of the most sophisticated supply chain attacks in the history of the cybersecurity industry. The story begins with Klue, a competitive intelligence platform used by hundreds of major enterprises to analyze market data and manage customer information.

Hackers gained access to Klue's infrastructure using a "legacy credential" that had been shared with a vendor years ago and was never revoked. This credential, likely a GitHub Personal Access Token (PAT), allowed the attackers to infiltrate Klue's internal systems and steal OAuth tokens that customers had used to connect Klue to Salesforce and other third-party platforms.

The implications were staggering. With these stolen OAuth tokens, the attackers could impersonate Klue and access the Salesforce environments of hundreds of organizations without triggering traditional security alerts. This wasn't a brute force attack or a sophisticated exploit of a zero-day vulnerability. It was something far more insidious: the weaponization of legitimate access credentials that had been forgotten in the chaos of everyday operations.

Understanding OAuth Tokens

An OAuth token is a digital key that allows one application to access resources on behalf of a user or organization without requiring a password. In this attack, by stealing these tokens, hackers could impersonate Klue and directly access the Salesforce environments of hundreds of companies. Unlike traditional passwords, OAuth tokens often have no expiration date and continue to work until manually revoked.

The Icarus Playbook: From Initial Access to Data Exfiltration

The Icarus group, which has claimed responsibility for this attack, demonstrated remarkable planning and execution. After gaining initial access to Klue through the legacy credential, the attackers pushed a malicious code update to Klue's environment. This code was specifically designed to capture OAuth tokens used for third-party platform connections.

According to security researchers, the attack unfolded in multiple carefully orchestrated stages. First, the attackers conducted reconnaissance to identify which customer environments would yield the most valuable data. Then, using automated Python scripts, they began querying the Salesforce REST API of target organizations. The activity continued for approximately 24 hours before being detected and contained.

During this window, the hackers accessed sensitive business data including customer contacts, sales communications, pricing information, and opportunity notes. What makes this particularly concerning is that all of this activity appeared completely legitimate from a technical standpoint. The API calls were made using valid OAuth tokens, came through expected IP ranges associated with Klue, and followed normal usage patterns—at least initially.


The Victims: Companies That Teach Others About Security

The irony of this incident cannot be overstated. The victims of this attack are companies that educate others about cybersecurity best practices. Among the confirmed victims are:

Huntress has been particularly transparent about the incident, publishing a detailed technical analysis. As a leading Managed Detection & Response (MDR) provider, Huntress helps thousands of organizations detect and respond to cyber threats. Their decision to publicly acknowledge the breach and share detailed information demonstrates industry-leading transparency.

HackerOne, the world's largest bug bounty platform where ethical hackers help companies find vulnerabilities, also confirmed they were impacted. The platform facilitates over $100 million in bounty payments annually and serves as a critical bridge between the security research community and enterprises.

Jamf specializes in Apple device management and security for enterprises. With over 70,000 customers globally, Jamf helps organizations secure millions of Macs, iPads, iPhones, and Apple TVs.

Recorded Future is a threat intelligence leader that helps organizations understand and mitigate cyber threats. Their platform aggregates and analyzes data from hundreds of sources to provide actionable intelligence.

Tanium provides endpoint management and security solutions to some of the world's most security-conscious organizations, including multiple U.S. government agencies and Fortune 100 companies.

Additional victims include Snyk (DevSecOps platform), OneTrust (privacy and governance leader), Gong (revenue intelligence), Sprout Social (social media management), and Insurity (insurance software). The breadth of affected companies—spanning cybersecurity, SaaS, and enterprise software—demonstrates the scale of this supply chain attack.

Why This Attack is Different

The Klue incident is part of a broader wave of OAuth-based attacks that we've witnessed in 2025 and 2026. Previously, platforms like Salesloft Drift and Gainsight fell victim to similar attacks executed by groups like ShinyHunters. However, the Klue breach stands apart for several critical reasons.

First, the targeting of cybersecurity companies represents a bold escalation. These organizations typically operate at the forefront of security, employing advanced detection and response techniques. The fact that even these companies fell victim to a supply chain attack demonstrates both the sophistication of modern threats and the inherent vulnerabilities in third-party integrations.

Second, the attack methodology reveals an evolution in attacker tactics. Rather than attempting to breach each target organization individually, the Icarus group identified a high-value integration point and exploited it to gain access to hundreds of targets simultaneously. This "one-to-many" approach dramatically increases the return on investment for attackers while reducing their exposure to detection.

Third, the use of legitimate OAuth tokens meant that the malicious activity blended in with normal operations. Traditional security tools that look for suspicious authentication attempts, brute force attacks, or exploitation of known vulnerabilities would have seen nothing amiss. The attackers weren't breaking in through the front door—they were using a valid key that had been forgotten in the lock.

Salesforce and Klue's Response: Late but Necessary

Following the discovery of the breach, Salesforce acted swiftly to disable Klue's application integration on their platform. This prevented further unauthorized access, but the damage had already been done. Jason Smith, CEO of Klue, issued a statement: "The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments."

Klue emphasized that it has taken immediate action to protect customers and is cooperating with law enforcement and cybersecurity experts. However, the company has not yet disclosed the exact number of affected customers. While Klue serves hundreds of enterprise clients, reports suggest that over 700 organizations may have been exposed in this attack.

The response timeline reveals critical lessons about detection and containment. The malicious activity began in early June, but wasn't detected until June 18 when Huntress and ReliaQuest noticed suspicious API access patterns. This nearly two-week window gave attackers ample time to map environments and exfiltrate data. By the time Klue was notified on June 19, the attackers had already extracted significant amounts of information.

"At Huntress, we believe in radical transparency about security incidents, even when it affects our own company. This transparency is what helps the industry learn from mistakes and improve collectively."
Huntress Security Team

Tekin Analysis: Why Legacy Credentials Have Become a Security Nightmare

This attack delivers a critical lesson for all organizations: credential lifecycle management is not optional—it's essential. Based on security analysis, the forgotten credential used in this attack was likely a GitHub Personal Access Token (PAT) shared with a vendor years ago and never revoked.

This scenario repeats itself across countless organizations. Developers, in an effort to move quickly, share credentials with vendors or external tools. But there's rarely a systematic process for revoking these credentials when a project ends or when vendors change. The result? A security time bomb that might explode years later.

Consider the typical lifecycle of a GitHub PAT in many organizations. A developer creates a token with broad permissions to integrate with a vendor's service. The integration works perfectly. The project ships. Everyone moves on to the next priority. The token? It sits there, quietly providing access, often with no expiration date. No one remembers it exists. No monitoring system tracks it. And one day, an attacker finds it—perhaps in a compromised vendor system, perhaps in a misconfigured repository, perhaps through social engineering.

Prevention Tactics

  • Credential Rotation: Rotate all credentials periodically, even if there's no indication of compromise
  • Lifecycle Management: Implement a centralized system for managing all credentials with automatic revocation after end of use
  • OAuth Token Monitoring: Deploy real-time monitoring for suspicious OAuth token activity
  • Least Privilege: Grant only the minimum necessary permissions to each integration
  • Integration Audits: Regularly audit all active integrations and remove unnecessary ones
  • Expiration Policies: Enforce maximum lifespans for all credentials and tokens
  • Vendor Offboarding: Have a formal process for revoking all vendor access when relationships end

The Threat Landscape: The New Era of OAuth-Based Attacks

The Klue breach exemplifies a dangerous trend we've observed over the past two years. Attackers have realized that instead of directly hacking a company, they can target vendors and third-party integrations to access sensitive data. This approach offers several advantages for attackers:

Scalability: By compromising one vendor, attackers can potentially access hundreds or thousands of downstream organizations. This multiplier effect dramatically increases the value of a single successful breach.

Lower Detection Rate: When malicious activity originates from a trusted vendor's infrastructure using legitimate credentials, it appears completely normal to security systems. There's no suspicious failed login attempt, no unusual IP address, no malware signature to detect.

Legitimate Appearance: Using valid OAuth tokens means the traffic looks entirely legitimate. API rate limits, behavioral analysis, and other security controls see nothing unusual because the activity is technically authorized.

Persistent Access: Many OAuth tokens have no expiration date. They remain valid indefinitely until manually revoked, providing attackers with a durable foothold that can survive password resets and other security measures.

Broad Permissions: OAuth tokens often have overly permissive scopes. A token granted for a specific integration purpose might have access to far more data than necessary, and attackers can exploit this over-provisioning.


Security Lessons for Organizations

This incident offers several critical lessons for organizations, regardless of their industry or size. Let's examine each in detail:

1. Zero Trust Cannot Be Just a Buzzword: The Zero Trust security model is often discussed but rarely fully implemented. In a true Zero Trust architecture, every integration and third-party app would be continuously verified and monitored with the same skepticism applied to a new, unverified user. No access should remain unmonitored or unvalidated, regardless of how long it has been in place or how trusted the source appears.

Implementing Zero Trust for OAuth specifically means treating every token as potentially compromised. This requires continuous behavioral analysis, anomaly detection, and real-time verification that access patterns match expected behavior. It also means regular re-authorization ceremonies where integrations must prove they still need the access they have.

2. Security Hygiene Must Be a Habit, Not a Project: Many organizations approach security as a series of projects: "We're going to audit our OAuth grants this quarter." But credential management cannot be a one-time effort. It must become part of the daily rhythm of DevOps and SecOps teams.

This means building security checks into CI/CD pipelines, automating credential rotation, and creating friction-free processes for developers to do the right thing. When creating a new credential requires filling out a 10-page form, developers will find workarounds. When the secure path is also the easiest path, adoption follows naturally.

3. Transparency in Breaches Matters: Huntress's approach to publicly sharing detailed information about the attack sets an important precedent. While many organizations try to minimize disclosure out of fear of reputational damage, this transparency actually benefits the entire industry by enabling collective learning.

When companies share tactics, techniques, and procedures (TTPs) used in attacks against them, they help others defend against similar threats. When they hide breaches or minimize disclosure, they ensure that other organizations will make the same mistakes. The security community's effectiveness depends on information sharing.

4. Even Security Vendors Are Vulnerable: This attack serves as a humbling reminder that no organization, not even those specializing in cybersecurity, can consider themselves 100% secure. Security is not a state you achieve—it's an ongoing process of improvement, adaptation, and vigilance.

For CISOs and security leaders, this means maintaining organizational humility. Overconfidence in your security posture is dangerous. The most secure organizations are those that assume breach, plan for failure, and maintain robust incident response capabilities alongside their preventive controls.

5. Supply Chain Security Requires a Holistic Approach: You cannot secure your organization by only securing your own systems. In today's interconnected ecosystem, you must also consider the security posture of every vendor, integration, and third-party service you use. This is exponentially more complex than traditional perimeter security, but it's unavoidable.

Meet Icarus: The New Player in the Ransomware Scene

The Icarus group, which has claimed responsibility for this attack, represents a relatively new player in the ransomware and data extortion landscape. Unlike established ransomware groups like LockBit or BlackCat that encrypt systems and demand payment for decryption keys, Icarus focuses primarily on data theft and extortion through threatened disclosure.

Security analysts at Huntress have identified Icarus with high confidence as a new operation that has borrowed from the playbooks of previous groups like ShinyHunters, but operates with distinct tactics. What sets Icarus apart is their targeting of high-profile cybersecurity companies—a move that generates significant media attention and potentially increases pressure on victims to pay.

The name "Icarus" itself carries symbolic weight. In Greek mythology, Icarus flew too close to the sun with wings made of wax and feathers, leading to his downfall. Whether the group chose this name to suggest their audacity in targeting cybersecurity firms, or whether it reflects a recognition of the risks they're taking, remains unclear. What is clear is that their tactics have proven effective.

Unlike ransomware groups that make loud, public declarations and operate marketplaces on the dark web, Icarus appears to operate more quietly, focusing on targeted extortion of specific victims rather than mass campaigns. Their selection of Klue as an attack vector demonstrates sophisticated reconnaissance and understanding of supply chain relationships.

Icarus Attack Timeline

  • Early June 2026: Initial access to Klue via legacy credential
  • June 10-15: Malicious code deployed to capture OAuth tokens
  • June 16-17: Salesforce data exfiltration from victims begins
  • June 18: Huntress and ReliaQuest detect suspicious API access patterns
  • June 19: Klue notified of the breach; containment begins
  • June 20-21: Victims begin public incident disclosures
  • June 22: Salesforce disables Klue integration


Industry Impact: Trust Under Question

One of the most significant consequences of this attack is its impact on trust in cybersecurity companies. When the organizations that are supposed to protect others from cyber threats become victims themselves, it raises serious questions about the security standards of the entire industry.

However, it's important to recognize that this attack doesn't necessarily reflect weakness in these specific companies. Rather, it demonstrates the increasing complexity of supply chain attacks and the inherent challenges in securing third-party integrations. Even organizations with the highest security standards cannot fully protect themselves from threats originating from vendors and third-party services—unless they adopt a more comprehensive approach to managing these relationships.

The incident has sparked important conversations within the cybersecurity community about vendor risk management, OAuth security, and the responsibilities of integration platforms. Some key questions being debated include:

  • Should integration platforms like Klue be held to higher security standards given their position in the supply chain?
  • Do OAuth authorization flows need fundamental redesigns to prevent token theft from becoming such an effective attack vector?
  • Should there be regulatory requirements for credential lifecycle management?
  • How can organizations balance the convenience of integrations with security requirements?

Immediate Recommendations for Security Leaders (CISOs)

If you're a CISO or security leader, this attack should trigger several immediate actions. Here's a prioritized action plan:

Immediate (Within 24 Hours): Audit All Active OAuth Grants
Examine every third-party application connected to Salesforce, Microsoft 365, Google Workspace, and other critical systems. For each integration, ask: Is it still necessary? Does anyone remember authorizing it? What permissions does it have? When was it last used? Create a spreadsheet documenting every OAuth grant, including the application name, permissions granted, date created, last active date, and business justification.
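The audit described in this step, and the Prevention Tactics listed earlier (rotation, lifecycle management, least privilege, expiration policies, vendor offboarding), can be run as a script over exactly the kind of spreadsheet the step asks for. The following is an added example, not code from Klue, Salesforce or any vendor named in this article. The CSV inventory, the app names and the policy thresholds (365-day maximum lifetime, 180-day rotation, 90-day disuse limit, which scopes count as broad) are all constructed assumptions for the example; adapt them to your own standards.

```python
"""Audit an OAuth-grant / credential inventory against lifecycle policies.

Added example; not Klue's, Salesforce's or any vendor's code. The CSV columns
mirror the spreadsheet the article recommends (app, permissions, date created,
last active, business justification) plus an owner, an expiry date and whether
the vendor relationship is still active. All rows are constructed.
"""
import csv
import io
from datetime import date, timedelta

# Policy thresholds: assumptions chosen for this example, not values from the article.
MAX_LIFETIME_DAYS = 365   # "Expiration Policies": no credential may live longer than a year
ROTATE_AFTER_DAYS = 180   # "Credential Rotation": rotate even without suspected compromise
UNUSED_REVOKE_DAYS = 90   # "Lifecycle Management": unused for 90 days means revoke
# "full" grants everything; "refresh_token" lets the app renew access without a user,
# which is what turns a grant into persistent access. Treated as broad here (assumption).
BROAD_SCOPES = {"full", "refresh_token"}

# Constructed inventory, in the spreadsheet layout the article recommends.
INVENTORY_CSV = """app,owner,scopes,created,last_active,expires,justification,vendor_active
Competitive intel connector,,full refresh_token,2022-03-01,2026-06-16,,market data sync,yes
Billing sync,finance-ops,api,2026-01-10,2026-06-17,2026-12-31,invoice export,yes
Old BI vendor export,data-team,api refresh_token,2023-05-20,2025-11-02,,legacy dashboards,no
Support widget,support,chatter_api,2026-04-02,2026-06-18,2026-10-01,ticket lookup,yes
"""


def parse_date(text):
    """Return a date for an ISO string, or None when the cell is empty."""
    return date.fromisoformat(text) if text else None


def audit_grants(csv_text, today):
    """Map each app name to its list of policy findings (empty list = clean)."""
    findings = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        issues = []
        created = parse_date(row["created"])
        last_active = parse_date(row["last_active"])
        expires = parse_date(row["expires"])
        scopes = set(row["scopes"].split())

        if not row["owner"]:
            issues.append("no owner: nobody remembers authorizing it")
        if expires is None:
            issues.append("no expiry date set")
        elif expires - created > timedelta(days=MAX_LIFETIME_DAYS):
            issues.append("lifetime exceeds %d days" % MAX_LIFETIME_DAYS)
        if (today - created).days > ROTATE_AFTER_DAYS:
            issues.append("older than %d days: rotate" % ROTATE_AFTER_DAYS)
        if last_active is None or (today - last_active).days > UNUSED_REVOKE_DAYS:
            issues.append("unused for more than %d days: revoke" % UNUSED_REVOKE_DAYS)
        if scopes & BROAD_SCOPES:
            issues.append("broad scopes: " + ", ".join(sorted(scopes & BROAD_SCOPES)))
        if row["vendor_active"].strip().lower() != "yes":
            issues.append("vendor relationship ended: offboard and revoke")
        findings[row["app"]] = issues
    return findings


def revocation_candidates(findings):
    """Apps with at least one finding that calls for revocation, sorted by name."""
    return sorted(app for app, issues in findings.items()
                  if any("revoke" in issue for issue in issues))


def run_example(today_iso="2026-06-19"):
    """Audit the constructed inventory as of a date (default: the day Klue was notified)."""
    findings = audit_grants(INVENTORY_CSV, date.fromisoformat(today_iso))
    return findings, revocation_candidates(findings)


if __name__ == "__main__":
    findings, candidates = run_example()
    for app, issues in findings.items():
        print(app, "->", "; ".join(issues) or "clean")
    print("revoke first:", candidates)
```

The ownerless, never-expiring, broadly scoped connector created in 2022 is the shape of the forgotten credential this article describes: it has no revocation finding because it is still in daily use, which is exactly why an audit has to look at age, scope and ownership rather than only at activity.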

Immediate (Within 24 Hours): Review API Access Logs
Look for unusual patterns in API access to CRM and business systems. Pay particular attention to bulk data extraction, access during unusual hours, or API calls from unexpected geographic locations. Focus on the period from June 10-22, 2026, but expand your review to cover the past 90 days.

Short-term (Within 1 Week): Implement OAuth Token Monitoring
Deploy tools that can detect suspicious OAuth token activity in real-time. This should include anomaly detection for access patterns, geographic location checks, volume monitoring, and behavioral analysis. Set up alerts for bulk data access, unusual API call patterns, and access from new IP ranges.
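The log review in the previous step and the monitoring in this one share the same rule set: bulk extraction, access at unusual hours, calls from outside the vendor's published source ranges, and activity inside the June 10-22 window. The script below is an added example (not code from the article, from Salesforce or from any vendor it lists) that applies those rules to a constructed, simplified access log; the log layout, the app names, the expected IP ranges (drawn from RFC 5737 documentation networks) and the thresholds are all assumptions, and the parser is the part you would replace with your platform's own export format.

```python
"""Rule-based review of API access by OAuth-connected applications.

Added example; not code from the article, Salesforce or any listed vendor.
The log format is constructed and simplified: timestamp, connected app,
client IP, operation, object, rows returned. Thresholds and ranges are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime, timezone

# Source ranges each vendor has told you to expect (constructed, RFC 5737 test networks).
EXPECTED_RANGES = {
    "intel-connector": [ipaddress.ip_network("203.0.113.0/24")],
    "billing-sync": [ipaddress.ip_network("198.51.100.0/24")],
}
BUSINESS_HOURS_UTC = range(6, 20)   # assumption: 06:00-19:59 UTC is normal for these integrations
BULK_ROWS = 5000                    # assumption: rows in one call that count as bulk
HOURLY_ROWS = 20000                 # assumption: rows per app per hour that count as bulk
# June 10-22, 2026, the window the article says to focus on (end bound is exclusive).
INCIDENT_WINDOW = (datetime(2026, 6, 10, tzinfo=timezone.utc),
                   datetime(2026, 6, 23, tzinfo=timezone.utc))

# Constructed sample log.
SAMPLE_LOG = """\
2026-06-16T09:12:04Z intel-connector 203.0.113.10 query Account 120
2026-06-16T09:15:31Z billing-sync 198.51.100.7 query Invoice__c 800
2026-06-17T02:40:11Z intel-connector 203.0.113.10 query Contact 9000
2026-06-17T02:41:02Z intel-connector 203.0.113.10 query Opportunity 8500
2026-06-17T02:42:19Z intel-connector 192.0.2.44 query Opportunity 7000
2026-06-17T10:05:00Z billing-sync 198.51.100.7 query Invoice__c 750
"""


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        ts, app, ip, op, obj, rows = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc),
            "app": app,
            "ip": ipaddress.ip_address(ip),
            "op": op,
            "object": obj,
            "rows": int(rows),
        })
    return events


def review(events):
    """Return (alerts, hourly_totals); each alert is (timestamp, app, reason)."""
    alerts = []
    hourly = defaultdict(int)   # (app, hour bucket) -> rows returned in that hour
    for e in events:
        reasons = []
        hourly[(e["app"], e["ts"].replace(minute=0, second=0))] += e["rows"]
        if e["rows"] >= BULK_ROWS:
            reasons.append("bulk extraction: %d rows in one call" % e["rows"])
        if e["ts"].hour not in BUSINESS_HOURS_UTC:
            reasons.append("off-hours access")
        if not any(e["ip"] in net for net in EXPECTED_RANGES.get(e["app"], [])):
            reasons.append("source %s outside expected ranges" % e["ip"])
        # Tag anything suspicious that falls inside the period under investigation.
        if reasons and INCIDENT_WINDOW[0] <= e["ts"] < INCIDENT_WINDOW[1]:
            reasons.append("inside June 10-22 window")
        for reason in reasons:
            alerts.append((e["ts"].isoformat(), e["app"], reason))
    # Volume rules catch extraction split into many calls that each stay under BULK_ROWS.
    for (app, hour), rows in hourly.items():
        if rows >= HOURLY_ROWS:
            alerts.append((hour.isoformat(), app, "hourly volume %d rows" % rows))
    return alerts, dict(hourly)


if __name__ == "__main__":
    for ts, app, reason in review(parse_log(SAMPLE_LOG))[0]:
        print(ts, app, reason)
```

Run against the sample, the billing integration produces no alerts while the intel connector trips every rule at 02:40 UTC, including one call from an address outside its published range; the hourly total is the rule that would still fire if each call had been kept just under the per-call threshold.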

Short-term (Within 2 Weeks): Revoke Unnecessary Integrations
Based on your OAuth audit, revoke all unnecessary or unrecognized integrations. For critical integrations, implement token rotation. Even if you don't suspect compromise, proactive rotation reduces risk. Document the rotation schedule and create automated reminders.

Medium-term (Within 1 Month): Plan for Credential Lifecycle Management
Create a systematic process for creating, rotating, and revoking all organizational credentials. This should include API keys, service accounts, OAuth tokens, and any other form of automated access. Implement a centralized credential management system with automated expiration and renewal workflows.

Medium-term (Within 2 Months): Enhance Vendor Risk Management
Develop a comprehensive vendor risk management program that includes regular security assessments, contractual security requirements, and continuous monitoring. For high-risk vendors (those with access to sensitive data), implement quarterly security reviews and annual penetration testing requirements.

Long-term (Ongoing): Build Security Culture
Security must become part of organizational DNA. Every developer who creates an API key, every business user who adds a new integration, needs to understand the security implications. Implement security training, create easy-to-follow security guidelines, and build tools that make secure credential management frictionless.

Future Outlook: The Evolution of OAuth Threats

The Klue breach is part of a larger trend that will likely intensify in the coming years. We anticipate OAuth-based attacks will increase for several reasons:

Growing SaaS Ecosystem: Organizations are increasingly dependent on a growing number of SaaS applications, each requiring integrations. Every integration represents a potential attack surface. According to recent research, the average enterprise now uses over 400 SaaS applications, many with multiple integrations between them. This creates a complex web of OAuth tokens and API keys that is extremely difficult to track and manage.

OAuth Management Complexity: Many organizations lack adequate visibility into the number of active OAuth grants they have. This lack of visibility creates a golden opportunity for attackers. When security teams don't know what credentials exist or where they're being used, they can't effectively monitor or revoke them. This blind spot is growing as the number of integrations increases.

High ROI for Attackers: With one successful attack on a vendor, attackers can access hundreds or thousands of organizations. This scalability makes supply chain attacks highly attractive. Compare this to traditional targeted attacks where each organization must be breached individually. The economics strongly favor supply chain attacks.

Vendor Security Weaknesses: Unfortunately, many smaller vendors lack the resources or expertise for robust security practices, yet they have access to sensitive systems of large customers. This creates an asymmetry where the weakest link in the chain (a small vendor) can provide access to the strongest targets (large enterprises with valuable data).

Limited Regulatory Pressure: While regulations like GDPR and CCPA address data breaches, they don't specifically mandate OAuth security practices or credential lifecycle management. This regulatory gap means many organizations don't prioritize these issues until after they're breached.


Innovative Solutions: How the Industry is Evolving

Fortunately, the cybersecurity industry is developing new solutions to counter these threats. Emerging technologies and approaches include:

OAuth Security Gateways: These solutions act as a proxy between organizations and OAuth providers, enforcing granular policies, detecting anomalies, and dynamically revoking access. Products in this category can implement real-time behavioral analysis, enforce time-based access restrictions, and provide detailed audit trails of all OAuth activity.

For example, an OAuth security gateway might detect that a normally low-volume OAuth token suddenly starts making thousands of API calls to extract customer data. It can automatically suspend the token pending investigation, preventing data exfiltration while minimizing false positives that would disrupt legitimate operations.

SaaS Security Posture Management (SSPM): These tools continuously monitor the configuration and security posture of all SaaS applications, identifying OAuth misconfigurations and excessive permissions. SSPM platforms provide visibility into the entire SaaS ecosystem, tracking which applications have what level of access to which data. They can automatically flag risky configurations and guide remediation.

Behavioral Analytics for OAuth: Using machine learning to establish a baseline of normal behavior for each OAuth token and detecting deviations from that baseline. This goes beyond simple rules-based detection to understand the unique patterns of each integration. If a token that normally makes 100 API calls per day suddenly makes 10,000, or starts accessing data it never accessed before, the system flags it for investigation.
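A minimal version of the per-token baseline described here, with the suspend-or-review decision an OAuth security gateway (described a few paragraphs above) would make on top of it, as an added example that is not code from the article or from any vendor it lists. The daily call histories are constructed, and the 10x-median threshold and the one-week minimum history are assumptions; a production system would also baseline time of day, source addresses and request mix, which this example omits.

```python
"""Per-token behavioural baseline for OAuth integrations.

Added example; not code from the article or any vendor it names. For each
token it learns the typical daily call volume and the set of objects touched,
then scores a new day against that baseline. History and thresholds are constructed.
"""
from statistics import median

VOLUME_MULTIPLIER = 10.0   # assumption: more than 10x the median daily volume is anomalous
MIN_BASELINE_DAYS = 7      # assumption: need a week of history before scoring a token

# Constructed history: token -> list of (day, calls that day, objects touched that day).
# The intel token shows a weekday/weekend rhythm; the billing token is flat.
HISTORY = {
    "tok-intel": [("2026-06-%02d" % d, calls, {"Account", "Lead"})
                  for d, calls in zip(range(1, 15),
                                      [95, 110, 102, 98, 120, 40, 35, 105, 99, 115, 101, 97, 45, 38])],
    "tok-billing": [("2026-06-%02d" % d, 800, {"Invoice__c"}) for d in range(1, 15)],
}


def build_baseline(history):
    """Return token -> {"median_calls", "objects", "days"} learned from history."""
    baseline = {}
    for token, days in history.items():
        calls = [c for _, c, _ in days]
        objects = set().union(*(o for _, _, o in days)) if days else set()
        baseline[token] = {"median_calls": median(calls) if calls else 0.0,
                           "objects": objects, "days": len(days)}
    return baseline


def score_day(baseline, token, calls, objects):
    """Return a list of 'kind: detail' findings for one day of activity by a token."""
    b = baseline.get(token)
    if b is None or b["days"] < MIN_BASELINE_DAYS:
        return ["no-baseline: fewer than %d days of history, observe only" % MIN_BASELINE_DAYS]
    findings = []
    if calls > VOLUME_MULTIPLIER * b["median_calls"]:
        findings.append("volume: %d calls against a median of %.1f" % (calls, b["median_calls"]))
    new_objects = set(objects) - b["objects"]
    if new_objects:
        findings.append("new-objects: " + ", ".join(sorted(new_objects)))
    return findings


def decide(findings):
    """Gateway action: suspend on volume plus novelty together, review on a single signal."""
    kinds = {f.split(":", 1)[0] for f in findings}
    if "volume" in kinds and "new-objects" in kinds:
        return "suspend pending investigation"
    if kinds:
        return "review"
    return "allow"


if __name__ == "__main__":
    base = build_baseline(HISTORY)
    day = score_day(base, "tok-intel", 10000, {"Account", "Lead", "Contact", "Opportunity"})
    print(day, "->", decide(day))
```

A token that usually makes around a hundred calls a day and suddenly makes ten thousand while touching objects it has never read before is the scenario from the text; the example treats either signal alone as worth a look and the two together as grounds for automatic suspension, which keeps a single busy day from interrupting a legitimate integration.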

Zero Standing Privileges (ZSP): New security models where permanent OAuth grants don't exist. Instead, access is granted just-in-time and for limited durations. Under ZSP, an integration that needs to sync data every hour would receive a token valid for only 65 minutes. If that token is stolen, the attacker has a very limited window to use it before it expires and must be reauthorized.

Token Binding and Attestation: Emerging standards that bind OAuth tokens to specific devices or contexts, making stolen tokens useless outside their intended environment. For example, a token might be bound to a specific server's cryptographic identity, rendering it worthless if stolen and used from another location.
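The two ideas in the last two paragraphs, a token that lives only 65 minutes and a token that is bound to the caller's cryptographic identity, fit in one small issuer/verifier pair. The following is an added example, not an OAuth library, not Salesforce's token format and not any vendor's product: tokens are HMAC-signed JSON claims, the issuer key and the client key bytes are constructed placeholders, and the binding is a SHA-256 fingerprint of the client's key material carried in a `cnf` claim (the proof-of-possession claim name from RFC 7800). A real deployment would use mutual TLS or a signed proof from the client to establish that key, which this example assumes has already happened.

```python
"""Just-in-time, short-lived, client-bound access tokens.

Added example for Zero Standing Privileges and token binding as described in
the article; not an OAuth implementation and not any vendor's code. The
issuer key and client keys below are constructed placeholders.
"""
import base64
import hashlib
import hmac
import json
import time

ISSUER_KEY = b"example-issuer-key-do-not-reuse"   # constructed placeholder
TOKEN_TTL_SECONDS = 65 * 60                        # 65 minutes, the article's example lifetime


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def fingerprint(client_key: bytes) -> str:
    """Binding value: SHA-256 of the client's public key or certificate bytes."""
    return hashlib.sha256(client_key).hexdigest()


def issue(integration: str, scopes, client_key: bytes, now=None) -> str:
    """Issue a token for `integration`, valid TOKEN_TTL_SECONDS, bound to `client_key`."""
    now = time.time() if now is None else now
    claims = {
        "sub": integration,
        "scope": sorted(scopes),
        "iat": int(now),
        "exp": int(now) + TOKEN_TTL_SECONDS,
        "cnf": fingerprint(client_key),   # proof-of-possession binding
    }
    body = _b64(json.dumps(claims, separators=(",", ":"), sort_keys=True).encode())
    sig = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    return body + "." + sig


def verify(token: str, client_key: bytes, required_scope: str, now=None):
    """Return (ok, reason); ok only if signature, expiry, binding and scope all check out."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
    except ValueError:
        return False, "malformed"
    expected = _b64(hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).digest())
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    claims = json.loads(_unb64(body))
    if now >= claims["exp"]:
        return False, "expired"   # a stolen token stops working on its own
    if not hmac.compare_digest(claims["cnf"], fingerprint(client_key)):
        return False, "token not bound to this client"   # replay from another host fails
    if required_scope not in claims["scope"]:
        return False, "scope missing"
    return True, "ok"


if __name__ == "__main__":
    server_key = b"server-A-public-key"   # constructed
    tok = issue("nightly-sync", ["read:accounts"], server_key)
    print(verify(tok, server_key, "read:accounts"))
    print(verify(tok, b"some-other-host", "read:accounts"))
```

Under this model an hourly sync is re-issued a fresh token each run, so a copy taken from a compromised vendor is useless after 65 minutes and useless immediately from any host whose key does not match the `cnf` claim; the integration keeps working because it still holds its own key and can ask for the next token.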

Recommended Tools for OAuth Security

  • Nudge Security: For discovery and management of OAuth grants across the organization
  • Grip Security: SSPM with focus on OAuth token security
  • AppOmni: For securing SaaS applications and OAuth integrations
  • Obsidian Security: SaaS security platform with OAuth monitoring capabilities
  • Adaptive Shield: SSPM solution with focus on compliance and OAuth governance
  • Valence Security: SaaS security specializing in OAuth and supply chain risks
  • Spin.AI: SaaS security with real-time OAuth threat detection

Note: This list is provided for informational purposes only and does not constitute an endorsement. Conduct thorough research and proof of concept testing before selecting any security solution.

The Role of AI and Automation in Defense

One of the most promising aspects of defending against OAuth threats is the increasing use of AI and automation. Modern detection systems can:

Identify anomalous access patterns invisible to human analysts: AI systems can process millions of API calls and identify subtle patterns that indicate compromise. They can correlate activity across multiple systems and time periods to spot sophisticated attacks that evolve slowly to avoid detection.

Respond to threats in real-time without human intervention: When a confirmed threat is detected, automated systems can revoke suspicious access, isolate affected systems, and initiate incident response workflows. This speed is critical since attackers can exfiltrate large amounts of data in minutes.

Leverage threat intelligence feeds to recognize known attack patterns: By connecting to global threat intelligence networks, AI systems can identify tactics, techniques, and procedures (TTPs) used by known threat actors and proactively defend against them.

Provide automated recommendations for security posture improvement: Rather than just alerting on problems, modern AI systems can suggest specific remediation actions, such as which OAuth grants to revoke, which permissions to reduce, or which integrations to reconfigure.

However, as defenders leverage AI, so do attackers. We expect future attacks to be increasingly AI-driven, capable of adapting more quickly and evading detection with greater sophistication. This creates an AI arms race where both sides continuously evolve their capabilities.


Regulatory and Compliance Implications

This attack has significant implications for regulatory compliance and industry standards. Several questions are now being debated in policy circles:

Should OAuth security be specifically addressed in data protection regulations? Current regulations like GDPR focus on data protection but don't mandate specific technical controls for OAuth or credential management. Some policy experts argue that explicit requirements are needed.

Should there be mandatory breach notification timeframes for supply chain incidents? In the Klue case, there was nearly a two-week delay between the initial compromise and detection. Should regulations require faster detection capabilities and immediate notification?

Should integration platforms be classified as critical infrastructure? Platforms like Klue, Salesforce, and other integration hubs have become critical to business operations. Should they face the same regulatory scrutiny as financial systems or critical infrastructure?

We expect to see regulatory evolution in these areas over the next 12-24 months, particularly in the EU where data protection authorities have been most active in responding to emerging threats.

Building a Resilient Organization

Beyond specific technical controls, building true resilience against OAuth-based supply chain attacks requires a holistic approach:

Security Architecture: Design systems with the assumption that any credential may be compromised. Implement defense in depth so that a single stolen token cannot provide unlimited access. Use microsegmentation to limit lateral movement. Implement data loss prevention to detect and block bulk exfiltration.

Organizational Culture: Create a culture where security is everyone's responsibility. Developers should understand the security implications of the integrations they build. Business users should know how to evaluate the security of the SaaS tools they adopt. Executives should recognize that supply chain security is a business risk, not just an IT problem.

Incident Response Preparedness: Have a well-tested incident response plan that specifically includes supply chain attack scenarios. Practice tabletop exercises that simulate vendor compromises. Know who to call, what actions to take, and how to communicate with stakeholders when an incident occurs.

Continuous Improvement: Security is never finished. After every incident, whether it affects you directly or not, extract lessons and improve your controls. The Klue breach provides valuable lessons—apply them before your organization becomes the next victim.

Conclusion: Lessons We Must Learn

The Klue attack and the resulting breaches at multiple cybersecurity firms serve as a wake-up call for the entire industry. This incident demonstrates that cybersecurity can no longer be limited to protecting an organization's perimeter. In the modern world, where organizations are heavily dependent on vendors, integrations, and SaaS applications, security must evolve to an ecosystem-wide approach.

The keys to success in this new environment are:

  • Visibility: You cannot secure what you cannot see. Having complete visibility of all OAuth grants, integrations, and vendor access is essential.
  • Hygiene: Managing the lifecycle of credentials and OAuth tokens must become a daily habit, not a quarterly project.
  • Automation: The volume of OAuth tokens and integrations in a modern organization is too large for manual management. Automation is not optional—it's mandatory.
  • Culture: Security must be part of organizational culture. Every developer, every business user who adds a new integration must understand its security implications.
  • Transparency: When incidents occur, transparency helps the entire industry learn and improve. Hiding breaches only ensures that others will make the same mistakes.

Perhaps most importantly, this incident reminds us that in cybersecurity, no organization is too large, too experienced, or too secure to become a victim. What distinguishes us is not the ability to prevent every attack, but rather the ability to detect quickly, respond effectively, and learn from incidents.

The cybersecurity companies affected by this breach (Huntress, HackerOne, Jamf, Recorded Future, Tanium, and others) are not weak. They're simply human organizations operating in an environment where the attackers have significant advantages. Their transparent response and willingness to share information demonstrate the professionalism and maturity that define the best of our industry.

Editor's Note
Majid - Editor-in-Chief, TekingGame
The Klue attack represents a watershed moment in cybersecurity history. For the first time, we're seeing a supply chain attack simultaneously target multiple leading cybersecurity firms. This is not a failure of these companies, but rather an opportunity for the entire industry to learn and grow stronger. As Huntress demonstrated with their transparency, true strength lies in acknowledging vulnerabilities and sharing knowledge, not in hiding them. The future of cybersecurity depends on this kind of collective learning and industry-wide cooperation.

Frequently Asked Questions

What exactly is an OAuth token and why is it dangerous when stolen?

An OAuth token is a credential that grants a third-party application access to your data in another service without sharing your password. When stolen, attackers can access all the data and permissions that token was granted, often without triggering security alerts since the access appears legitimate. In the Klue case, stolen Salesforce OAuth tokens gave attackers access to customer data across multiple organizations.

How can I check if my organization was affected by the Klue breach?

If your organization uses Klue for competitive intelligence or has integrations with Klue, contact their support team directly. Additionally, monitor for unusual access patterns in your Salesforce or other connected systems. Check for any OAuth grants to Klue in your admin panels and review audit logs for suspicious API activity between June 6 and June 20, 2026.

What type of data was stolen in this attack?

Based on victim reports, the stolen data primarily includes business contacts, sales communications, pricing information, opportunity notes, and other CRM data. There are no reports of compromised passwords or direct financial data. However, the business intelligence value of the stolen data could be significant for competitive intelligence purposes.

Should I revoke all OAuth tokens after learning about this breach?

Blanket revocation can disrupt business operations significantly. Instead, take a measured approach: audit all OAuth grants, identify those with excessive permissions, prioritize revocation of unused or unnecessary tokens, and implement monitoring for remaining tokens. Work with your security team to balance security with operational needs.

Is the attack still ongoing?

No, Salesforce disabled Klue's integration on June 22, cutting off attacker access. However, data that was already stolen remains in the hands of the attackers and may be used for extortion or sold on the dark web. Organizations should operate under the assumption that any data accessed during the attack window is compromised.

How long did it take to detect this breach and why so long?

The attack began around June 6, 2026, but was not detected until June 18-20, 2026, nearly two weeks later. OAuth attacks are hard to detect because the access appears legitimate, using real credentials and normal API endpoints. Attackers can blend in with regular integration traffic, and many organizations lack sufficient monitoring of OAuth token behavior.

What specific actions should security teams take immediately?

First, audit all OAuth grants across SaaS applications. Second, implement monitoring for unusual OAuth token behavior. Third, enforce the principle of least privilege for all integrations. Fourth, require periodic re-authorization for long-lived tokens. Fifth, implement SSPM tools for continuous monitoring. Finally, create an incident response plan specifically for supply chain attacks.
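A small triage of the first steps above (audit OAuth grants, revoke unused or over-scoped ones first, then check the audit log for the June 6-20 window), written here as an added Python example rather than code from the article or from any vendor. The grant and log records are constructed, and their field names are an assumption modelled loosely on a SaaS admin panel's OAuth grant list and API audit log, not an exact Salesforce schema.

```python
from datetime import datetime, timezone

# Constructed sample data, not from any real tenant. Field names are an assumption
# loosely modelled on a SaaS admin panel's OAuth grant list and its API audit log.
GRANTS = [
    {"app": "Klue", "scopes": {"api", "refresh_token", "full"}, "last_used": "2026-06-19"},
    {"app": "Slack", "scopes": {"api"}, "last_used": "2026-06-21"},
    {"app": "OldBIConnector", "scopes": {"api", "refresh_token"}, "last_used": "2025-11-02"},
]
EVENTS = [  # (timestamp, connected app, source IP, records returned)
    ("2026-06-03T10:00:00Z", "Slack", "203.0.113.20", 12),
    ("2026-06-04T09:10:00Z", "Klue", "203.0.113.10", 40),
    ("2026-06-07T02:15:00Z", "Klue", "198.51.100.7", 9000),
    ("2026-06-07T02:16:00Z", "Klue", "198.51.100.7", 9500),
    ("2026-06-09T11:00:00Z", "Klue", "203.0.113.10", 35),
]
BROAD_SCOPES = {"full", "refresh_token"}  # more than a read-only intelligence feed needs
STALE_DAYS = 90  # a grant idle this long is a forgotten credential, like the vendor PAT

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def triage_grants(grants, today):
    """Unused grants go to 'revoke' first; active but over-scoped ones go to 'review'."""
    revoke, review = [], []
    for g in grants:
        idle_days = (today - parse_ts(g["last_used"] + "T00:00:00Z")).days
        if idle_days > STALE_DAYS:
            revoke.append(g["app"])
        elif g["scopes"] & BROAD_SCOPES:
            review.append(g["app"])
    return revoke, review

def flag_activity(events, start, end, bulk_threshold=1000):
    """Flag in-window calls from a source IP unseen before the window, or bulk reads."""
    baseline = {}  # per-app source IPs seen before the window: the known-good pattern
    for ts, app, ip, _ in events:
        if parse_ts(ts) < start:
            baseline.setdefault(app, set()).add(ip)
    flagged = []
    for ts, app, ip, n in events:
        if not (start <= parse_ts(ts) <= end):
            continue
        reasons = [why for why, hit in (("new source IP", ip not in baseline.get(app, set())),
                                        ("bulk read", n >= bulk_threshold)) if hit]
        if reasons:
            flagged.append((ts, app, ", ".join(reasons)))
    return flagged
```

On the constructed data the stale BI connector is queued for revocation, the active but over-scoped Klue grant is queued for review, and the two bulk reads from an unfamiliar address inside the attack window are the only flagged calls.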

Should we notify our customers about this incident?

If you can confirm that your data was stolen and it includes personal information of customers or business partners, you may be legally required to provide notification under GDPR, CCPA, and other privacy regulations. Consult with your legal team to determine your specific obligations. Even when not legally required, transparency is often the best policy for maintaining customer trust.

What should we do if we're contacted by the Icarus group?

Do not pay any ransom demands. Contact law enforcement immediately (FBI's IC3 in the US, or your local cybercrime unit). Engage your incident response team and legal counsel. Document all communications with the threat actors but do not engage in negotiations without guidance from law enforcement and legal advisors.

Are cybersecurity firms more vulnerable than other organizations?

Not necessarily. Cybersecurity firms were targeted because they have access to sensitive security information that's valuable to attackers. However, any organization using third-party integrations faces similar supply chain risks. The attack method works equally well against any industry; it just happened to target cybersecurity firms in this case.

How do we evaluate the security of our vendors and SaaS providers?

Implement a vendor security assessment program that includes security questionnaires, documentation review, and for critical vendors, third-party security audits. Look for SOC 2 Type II reports, ISO 27001 certification, and evidence of robust security programs. For high-risk integrations, require contractual security commitments and conduct regular security reviews.

What is the Icarus connection mentioned in the reports?

Icarus is a suspected threat actor previously linked to sophisticated attacks against Salesforce implementations. Security researchers identified similarities between the Klue attack techniques and previous Icarus campaigns, suggesting the same group may be responsible. However, definitive attribution in cybersecurity is challenging and remains under investigation.

Article Author: Majid Ghorbaninazhad
Majid Ghorbaninejad, founder of TakinGame with 25 years in the gaming industry.