In June 2026, a sophisticated supply chain attack against Klue — a market intelligence SaaS provider — compromised OAuth tokens and exfiltrated Salesforce CRM data from nearly 200 organizations, including major cybersecurity vendors like Huntress, LastPass, Recorded Future, and Jamf. If your employer used Klue or you did business with an affected company, your personal and professional data may have been exposed. Here’s what happened and what to do about it.
What Happened in the Klue Breach
Between June 11 and June 24, 2026, a threat actor known as Icarus exploited compromised legacy credentials within Klue’s integration infrastructure. The attacker used a compromised Klue Battlecards app to harvest OAuth tokens that connected Klue with third-party integrations, including Salesforce. With those tokens, the attacker accessed connected Salesforce environments belonging to Klue’s downstream customers.
Salesforce disabled connections through the Klue Battlecards app and confirmed there was no vulnerability within the Salesforce platform itself. Klue retained CrowdStrike to investigate and review all security controls, credential management, and deployment processes.
What Data Was Exposed
The impacted data may include:
- Business names and product information
- Subscription details including units and pricing
- Business contact information: full names, work emails, job titles, phone numbers, and business addresses
- Marketing and sales communications
- Opportunity notes and CRM records
This breach is broader than it looks
Even if you’ve never heard of Klue, your data may be in the breach. If you’ve ever been a sales lead, customer, or prospect of any company that used Klue’s Salesforce integration, your contact details and interaction history could have been exfiltrated.
Who Is Affected
This breach is a classic supply chain attack: Klue itself was the entry point, but the real targets were the nearly 200 companies whose Salesforce data was accessible through Klue’s OAuth tokens. Confirmed affected companies include cybersecurity firms Huntress, LastPass, Recorded Future, Tanium, and Jamf. Many more may emerge as the investigation continues.
You may be affected if:
- You are or were a customer, prospect, or contact of any company that used Klue
- Your work email, phone number, or job title was stored in an affected company’s Salesforce CRM
- You worked for a company that integrated Klue with Salesforce
Is your data already out there?
Leaked data ends up on broker sites and in scammers' hands. Run a free 60-second scan to see your exposure — then let us remove it.
Run a free scan★★★★★ 4.8/5 · Trusted by thousands of families
Steps to Protect Yourself Now
1. Watch for Phishing Attempts
The stolen data — names, emails, job titles, and business relationships — is ideal for crafting convincing spear-phishing emails. Be extra cautious about emails referencing specific products, subscriptions, or business relationships, especially from senders you don’t recognize.
2. Change Your Passwords
If you have accounts with any company confirmed in the breach, change those passwords immediately. Use a unique, strong password for each account and enable two-factor authentication.
3. Monitor Your Accounts
Keep a close eye on your email, financial accounts, and professional profiles for unauthorized activity. Stolen business contact info can be used to impersonate you or gain access to corporate systems.
4. Review OAuth App Permissions
If you manage Salesforce or other SaaS platforms, audit your connected third-party apps. Revoke any OAuth tokens you don’t recognize or no longer use. This breach was enabled by stale integrations that retained unnecessary access.
5. Freeze Your Credit
If your full name, address, and phone number were exposed, consider freezing your credit at all three bureaus as a precaution against identity theft.
Check for Dark Web Exposure
The Icarus group attempted extortion through a Tor-based leak site, meaning some of this data may already be circulating on the dark web. Use a dark web monitoring service to see if your information has appeared in leaked datasets.
6. Alert Your IT Team
If your company used Klue or does business with an affected company, alert your IT security team immediately. They should audit connected integrations, review access logs, and check for any signs of unauthorized access to your organization’s CRM or sales data.
What This Breach Teaches Us About SaaS Security
The Klue breach is a textbook example of why SaaS supply chain security matters. A single compromised integration can cascade across hundreds of organizations. Legacy credentials and overprivileged OAuth tokens — common in SaaS environments — provided the attack surface.
For individuals, the lesson is clear: your personal data doesn’t just live in the systems you use directly. It lives in every CRM, every sales tool, and every third-party integration that touches your information. You can’t audit all of these, but you can reduce the amount of personal data available in the first place.
Reduce Your Exposure With PrivacyOn
Breaches like Klue expose personal data that was aggregated from multiple sources — including data broker sites that freely publish your name, phone number, address, and employment details. PrivacyOn removes your personal information from 100+ data broker sites and monitors for re-listings 24/7, reducing the amount of data that ends up in corporate CRMs and SaaS platforms in the first place. Learn how data broker removal works and start protecting your information today.