A cyberattack targeting the market intelligence platform Klue has resulted in data breaches affecting several prominent cybersecurity companies.

 

What happened

According to TechCrunch, Klue, a Vancouver-based competitive intelligence company, revealed that attackers gained unauthorized access to its systems on June 12 using a compromised legacy credential associated with one of its integration tools. The compromised tool allowed customers to connect cloud-based business platforms, including Salesforce, to their Klue accounts.

According to the company, the attackers used this access to obtain data from customer cloud environments linked through the integration. Salesforce databases were among the primary targets, exposing information stored by organizations that relied on Klue's platform. Following the discovery, Klue disconnected affected integrations and engaged incident response firm CrowdStrike to investigate the breach and prevent further unauthorized access.

 

Going deeper

Hacker group Icarus has been linked to the Klue breach and has reportedly claimed responsibility for the attack. Following the incident, the group added Klue to its leak site and threatened to release stolen data. The group's activities reflect a growing trend among cybercriminals who steal sensitive information and use the threat of public disclosure to pressure victims.

The breach has affected multiple cybersecurity firms. Companies that have confirmed being impacted include Huntress, HackerOne, Recorded Future, Tanium, Snyk, Jamf, Abnormal Security, and Netskope. While investigations are ongoing, exposed data is believed to include business contact information and other account-related details accessed through Klue's integrations with customer systems.

 

What was said

According to a Klue blog post, the incident prompted them to work "alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on." The findings of their investigation state that "an attacker gained access through a compromised legacy credential associated with an integration service. The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments." Furthermore, the investigation revealed that "the incident was limited to the affected third-party platforms, and there is no evidence that customer content stored within the Klue platform was impacted."

In response to the cybersecurity incident, Klue "immediately took steps to contain the activity, including revoking affected credentials and tokens, removing unauthorized code, disabling potentially impacted integrations, launching a comprehensive investigation, and notifying law enforcement." The company also noted that it engaged cybersecurity firm CrowdStrike to assist with the investigation and validate its response to the incident. In parallel, Klue said it is conducting a comprehensive review of its security controls, credential management practices, monitoring capabilities, and deployment processes to identify areas for improvement. According to the company, the findings from this review will be used to implement additional safeguards and strengthen its security environment.

 

The big picture

The Klue breach is the latest example of how third-party and supply-chain attacks can have far-reaching consequences. As noted in TechCrunch's report, "This is the latest of a slew of broad-scale hacks in which hackers target companies that hold the keys to other companies’ cloud databases."

The ripple effects of these incidents can be significant. In this case, the breach affected several cybersecurity firms. While Klue was the initial point of compromise, the downstream impact extended to multiple organizations that relied on the company's platform and integrations.

The incident also points to a broader trend in cybercrime, where instead of directly attacking individual targets, cybercriminals target vendors and service providers that act as gateways to multiple victims. As TechCrunch noted, "Over the past year alone, hackers have increasingly targeted similar middleware providers, including Gainsight and Salesloft, to gain access to hundreds of companies’ data." This allows attackers to maximize their reach through a single compromise.


FAQs

Why are third-party breaches significant?

Third-party breaches are significant because compromising a single vendor can create a ripple effect, potentially exposing multiple organizations that rely on shared integrations and services.

 

What role did OAuth tokens play in the Klue breach?

OAuth tokens were reportedly used by attackers to access connected customer environments without needing direct login credentials for each affected organization.

 

Was ransomware used in the Klue attack?

There is no indication that ransomware was deployed. The incident appears to have focused on data access and potential extortion rather than system encryption.