Original briefings. Zero spin.
Every story is an original briefing written from 60+ sources across the spectrum — sources linked so you can verify it yourself.
A Forgotten Credential Gave Hackers Access to Klue. They Used It to Loot Salesforce Data Across the Cybersecurity Industry.

What Happened
On June 12, an unauthorized actor broke into Klue's integration infrastructure through a credential the company had created years earlier to prototype a third-party integration it later dropped. The integration was abandoned. The credential was not.
Klue CEO Jason Smith confirmed the timeline in a June 19 blog post: the attacker used that legacy credential to access Klue's systems, then pushed malicious code into Klue's integration layer designed specifically to harvest OAuth tokens. Those tokens are the credentials a customer's platform issues to Klue when an administrator authorizes the connection; they let Klue read the customer's data without the customer ever sharing a password, and they carry whatever access scope the customer granted. Anyone holding a copy can therefore make the same API calls Klue is allowed to make, from anywhere, until the token is revoked. That is what happened: once the attacker collected the tokens, they used them to impersonate Klue inside connected Salesforce environments and pull data directly, according to Huntress, one of the affected companies, which conducted its own forensic investigation.
Klue issued a general alert on June 13 and shut down integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, according to CSO Online's account of the Huntress investigation. Smith's public statement came six days later.
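The attack path above (a vendor's OAuth tokens replayed against customers' Salesforce orgs) leaves a trace on the customer side: a connected app logging in from addresses the vendor never used before, or at a rate it never used before. The following is an added example, not code from Klue, Huntress, Salesforce or any of the briefing's sources, of a detection pass over a LoginHistory-style export. The column names, the app name "Klue Battlecards", the vendor egress range and every sample row are constructed assumptions; check them against your own export and the vendor's published addresses before relying on it.

```python
"""Flag a connected app's OAuth tokens being used from outside the vendor's
known egress addresses, or in bursts, using a Salesforce LoginHistory-style
CSV export.

Added example for illustration; not code from Klue, Huntress or Salesforce.
Column names, the app name, the egress range and all sample rows below are
constructed assumptions, not data from the incident.
"""
import csv
import io
import ipaddress
from collections import Counter
from datetime import datetime, timezone

# Hypothetical: egress ranges the vendor publishes for its integration.
# Apps with no entry here are skipped (nothing to compare against).
KNOWN_EGRESS = {
    "Klue Battlecards": [ipaddress.ip_network("198.51.100.0/24")],
}

# Constructed sample export (RFC 5737 test addresses, fake user IDs).
# The rows on June 12 model tokens replayed from an unlisted address.
SAMPLE_EXPORT = """LoginTime,UserId,Application,SourceIp,LoginType,Status
2025-06-10T08:00:00Z,005xx000001AAAA,Klue Battlecards,198.51.100.17,Remote Access 2.0,Success
2025-06-11T08:00:00Z,005xx000001AAAA,Klue Battlecards,198.51.100.17,Remote Access 2.0,Success
2025-06-12T03:12:41Z,005xx000001AAAA,Klue Battlecards,203.0.113.9,Remote Access 2.0,Success
2025-06-12T03:14:02Z,005xx000001AAAA,Klue Battlecards,203.0.113.9,Remote Access 2.0,Success
2025-06-12T03:15:30Z,005xx000001AAAA,Klue Battlecards,203.0.113.9,Remote Access 2.0,Success
2025-06-12T09:00:00Z,005xx000001BBBB,Browser,192.0.2.44,Application,Success
"""


def parse_export(text):
    """Parse the CSV export into dicts with typed LoginTime and SourceIp."""
    rows = []
    for rec in csv.DictReader(io.StringIO(text)):
        rec["LoginTime"] = datetime.strptime(
            rec["LoginTime"], "%Y-%m-%dT%H:%M:%SZ"
        ).replace(tzinfo=timezone.utc)
        rec["SourceIp"] = ipaddress.ip_address(rec["SourceIp"])
        rows.append(rec)
    return rows


def find_unknown_egress(rows, known=KNOWN_EGRESS):
    """Successful logins by a baselined app from outside its known ranges."""
    hits = []
    for rec in rows:
        nets = known.get(rec["Application"])
        if nets is None or rec["Status"] != "Success":
            continue  # no baseline for this app, or the token was refused
        if not any(rec["SourceIp"] in net for net in nets):
            hits.append(rec)
    return hits


def hourly_counts(rows, app):
    """Successful logins per UTC hour for one connected app."""
    counts = Counter()
    for rec in rows:
        if rec["Application"] == app and rec["Status"] == "Success":
            counts[rec["LoginTime"].strftime("%Y-%m-%dT%H")] += 1
    return counts


def find_bursts(rows, app, threshold):
    """Hours in which the app logged in at least `threshold` times."""
    return {h: n for h, n in hourly_counts(rows, app).items() if n >= threshold}


def build_alerts(rows, known=KNOWN_EGRESS, burst_threshold=3):
    """Combine both checks into human-readable alert lines."""
    alerts = []
    for rec in find_unknown_egress(rows, known):
        alerts.append(
            f"{rec['LoginTime'].isoformat()} {rec['Application']} token used "
            f"from unlisted address {rec['SourceIp']} (user {rec['UserId']})"
        )
    for app in known:
        for hour, n in sorted(find_bursts(rows, app, burst_threshold).items()):
            alerts.append(
                f"{hour}:00Z {app} made {n} token logins in one hour "
                f"(threshold {burst_threshold})"
            )
    return alerts


if __name__ == "__main__":
    for line in build_alerts(parse_export(SAMPLE_EXPORT)):
        print(line)
```

Two caveats a practitioner should keep in mind. The address check only fires when the stolen tokens are replayed from the attacker's own infrastructure; if the harvesting code inside the vendor's integration layer also issues the queries, the source addresses look legitimate and only the volume and scope of the queries change, which is why the burst count is kept as a second signal. And on the customer side, the durable fix is revocation: a Salesforce admin can see which users have authorized a given connected app and revoke those tokens, so rotating the vendor's internal credential is not a substitute for killing every token minted while the malicious code was live.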
Who Got Hit
Nine companies have publicly confirmed their data was accessed: Gong, Jamf, HackerOne, Insurity, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium, according to TechCrunch. Huntress, which ran its own investigation, confirmed that the exposed data included business names, products trialed or used, subscription details, business contact information, and sales and marketing communications.
Several of the victims, including Huntress, Recorded Future, and Tanium, are themselves cybersecurity companies. Their own customer data sat in Salesforce databases connected to Klue, and those connections became the attack surface.
All four of the cybersecurity firms that commented publicly (Huntress, Recorded Future, Jamf, and Tanium) said their own products and internal systems were unaffected. The path ran through the vendor: the attackers moved from Klue's infrastructure into the customers' Salesforce instances using Klue's own authorized access, never touching the customers' networks directly.
Jamf warned its customers to watch for phishing campaigns using the stolen contact data. Recorded Future called for "continuous monitoring of third-party integrations, especially those with privileged access to sensitive data." Tanium said there was "no impact on our ability to serve" customers.
The Ransom Clock
Hacking group Icarus claimed responsibility and posted a deadline on its leak site: pay, or the stolen data goes public on Monday, June 22, the day this briefing was published. As of publication, Klue has not publicly disclosed whether it received a ransom demand, and CEO Jason Smith did not respond to TechCrunch's request for comment when contacted Monday.
Salesforce moved independently. On June 17, the company disabled the Klue Battlecards integration and stated publicly that the issue "is limited to Klue's app connection and does not arise from a vulnerability within the Salesforce platform," according to CSO Online. Organizations cannot reconnect through the Klue Battlecards app until further notice.
Klue has engaged CrowdStrike for forensics, notified law enforcement, and says it has revoked the affected credentials and tokens, removed the unauthorized token-harvesting code, and disabled the compromised integrations.
Smith's blog post mentioned "removing unauthorized code" without explaining how it arrived, what it did in detail, or why it went undetected between June 12 and containment. Klue did not respond to CSO Online's follow-up questions on that point.
The Broader Pattern
This attack fits a template that has become familiar. Rather than attacking a hardened enterprise directly, hackers target the middleware layer: software vendors that hold integrations, tokens, and access to dozens or hundreds of customers at once. TechCrunch notes that similar supply-chain style breaches have hit Gainsight and Salesloft in the past year. The 2024 Snowflake incidents, in which attackers logged into customer accounts with stolen credentials rather than exploiting a zero-day, followed the same credentials-over-exploits logic even though the entry point was the customers' own accounts rather than a vendor.
ReliaQuest, a security firm, was the first to detect the suspicious activity and alert Klue, according to Infosecurity Magazine. Klue's own systems did not catch it first.
The Fair Counterargument
Defenders of Klue, and of SaaS vendors generally, would argue that no company can eliminate all legacy credentials instantly, integrations are built and abandoned as product strategies shift, and OAuth token flows are an industry-standard architecture that Salesforce itself endorses. The attacker did something sophisticated: they found an obscure, forgotten entry point, pivoted through internal infrastructure, and pushed a targeted code update to harvest tokens. This was not a simple phishing attack. Critics who frame this purely as negligence are glossing over the genuine difficulty of maintaining a clean credential inventory across years of product development.
That said, a credential tied to a discarded integration that was never deactivated is exactly the kind of known risk that security hygiene checklists exist to catch. The attacker did not need a zero-day. They needed patience and a stale credential. And once tokens have been harvested, rotating that original credential does nothing for them: each OAuth token remains valid until it is revoked at the platform that issued it, which is why Klue's containment list has to include tokens as well as credentials.
What Remains Unresolved
Klue has not disclosed how many of its hundreds of customers were affected beyond the nine who have come forward voluntarily. The total scope of the data exfiltrated is unknown. Smith's reference to "unauthorized code" in his June 19 statement has not been explained in the depth that Huntress's independent investigation provided, and Klue has not responded to press questions about it.
The Icarus deadline lands today. Whether the group publishes the data, accepts payment, or goes quiet is the next material fact in this story.
Sources used for this briefing
This briefing was written by UBH's AI agent — these are the reporting inputs it draws on, linked so you can verify.