Be Best: We Couldn't Have Blocked the Klue Breach, and We're Not Going to Dunk on the Security Companies It Hit
- Patrick Duggan
The Klue breach gives the security industry an easy, ugly temptation, and we want to talk about the temptation before we talk about the fix.
The victim list is a who's-who of the defense industry. Recorded Future — a threat intelligence company. HackerOne — a vulnerability-disclosure platform. Huntress, Tanium, Snyk, BeyondTrust, LastPass, OneTrust. These are companies whose entire business is helping other companies not get breached. And they got their Salesforce data lifted through a market-intelligence vendor's OAuth integration. The internet's reflex, when a security company gets popped, is the dunk: the cobbler's children have no shoes, the ratio, the screenshot with the laughing emoji. Infosec has a mean streak about this, and it has its own name now — it is bullying, dressed up as accountability.
We are not writing that post. This is the other one.
Why We Won't Dunk
None of these companies got breached at their craft. Recorded Future's threat intel did not fail. Huntress's EDR did not fail. They got hit through their sales software — a third-party platform they connected to Salesforce so the revenue team could track competitors. That is the same boring, universal exposure every company on earth carries: a trusted vendor with a standing token into your core data. The defenders got caught by the exact structural problem they spend their days warning everyone else about, because the problem does not care how good you are at your job. It lives in the integration, not in your skill.
Dunking on them accomplishes nothing except making the next breached company quieter. And quiet is the enemy. The reason we even have the indicators on this attack is that LastPass published a full, specific disclosure naming the exfiltration domains. HackerOne, Huntress, Gong, OneTrust, and others did the same — they told the truth in public so the rest of us could defend ourselves. Every disclosure is a gift to the herd. If the price of disclosing is getting dunked on, fewer companies disclose, and the whole ecosystem goes darker. So: no dunk. Thank you for the receipts. We mean that.
Now the Honest Part About Us
Here is the harder admission, and it is the one we think makes a threat-intel shop worth trusting. We could not have blocked this breach. Our feed would not have stopped it. No IP or domain blocklist could have — including the very good ones.
We checked our own data before writing this, because that is the rule. The only Klue-related indicators we hold are the three compromised Australian retail domains Icarus used to deliver extortion notes. They entered our feed on June 24 — pulled from LastPass's disclosure that same day. The attack was June 11 and 12. Our indicators are roughly twelve days behind the breach, and they came from a victim's public report, not from anything we discovered first. We will not dress that up as a catch. It was not one.
And even a perfect, same-day blocklist would not have mattered, because of how this attack actually works. The data theft was authenticated API access: the attacker held valid OAuth tokens and used them to pull customer records straight out of Salesforce. That traffic goes cloud-to-cloud, attacker to Salesforce's API, and never crosses the victim company's network perimeter at all. There is no inbound connection for a blocklist to drop. A feed like ours blocks hostile traffic trying to reach a protected web property. It does not, and cannot, sit between Salesforce's API and a client carrying a legitimate token. The only place that access can be cut is on the Salesforce side, at the grant itself: which connected apps hold tokens, what scopes those tokens carry, and whether they still exist. The whole attack class is built in the blind spot of perimeter defense. That is not a gap in our product. It is the nature of the threat, and pretending otherwise would be the lie.
What We *Could* Do — and Did, Nine Months Early
Here is where a threat intel shop earns its keep on an attack it cannot block: the warning, and the fix.
We named this exact class in September 2025, in a piece we called "OAuth's Blind Spot," after the Salesloft/Drift breach. We wrote it again on June 2 when ShinyHunters drained 1.5 billion records from 760 organizations the same way. We wrote it on June 18, June 23, and June 24 as Icarus walked it through Klue. The through-line of every one of those posts is a single instruction, and it is free: the trusted integration is your attack surface, and the OAuth token is the asset. Inventory your grants and revoke the ones you do not need.
The Klue incident proved it twice over, in the companies that came through clean. Autodesk was a Klue customer and lost nothing — because it never wired the Salesforce integration in the first place. Gong limited its exposure because it had already disabled the connection. The companies that survived are the ones that did not have the standing token. That is the entire defense, demonstrated by the survivors.
The Free Fix, Step by Step — Be Best Means Give It Away
Do this today. It costs nothing and it is the only thing that would have changed the outcome.
Inventory every OAuth grant into your crown-jewel platforms — Salesforce, Google Workspace, Microsoft 365, GitHub, Slack. Most organizations genuinely do not know how many third-party apps hold standing access to their core data, and the inventory itself is most of the win. In Salesforce, that is Setup, then Connected Apps OAuth Usage; in Google and Microsoft, the third-party app access and enterprise-app consent panels; in GitHub, the org's third-party access and authorized OAuth apps list.
For each grant, ask two questions: do we actually use this integration, and does it hold more scope than it needs? Revoke any grant you cannot answer cleanly on both counts; a token you revoke is a token that cannot be replayed when the vendor on the other end gets popped. For any integration tied to a vendor that has disclosed a breach, rotate the credentials behind it and revoke the tokens that vendor already holds, since a new secret does nothing about an old token that still works. And treat "the vendor says they deleted the data" as the empty comfort this incident proved it to be: Icarus itself got hacked, and a second crew now holds a copy of the same files, so no one can credibly promise deletion anymore.
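To make the two questions above mechanical across a long grant list, here is an added example in Python: a triage script that reads a flat export of OAuth grants, applies the two questions plus the breached-vendor rule, and emits keep, reduce_scope, revoke or rotate for each grant. It is not code from the original post or from DugganUSA. The export format and column names, the app and vendor names, the needed-scope table and the reference date are all constructed for this example; a real run would substitute the export your platform actually produces (Salesforce's Connected Apps OAuth Usage page, for instance) and your own list of approved integrations and scopes.

```python
"""Triage third-party OAuth grants: keep, reduce scope, revoke, or rotate.

Added example, not the original post's code. The export columns, app names,
vendor names, needed-scope table and reference date are all constructed.
"""
from __future__ import annotations

import csv
import io
from dataclasses import dataclass
from datetime import date, timedelta

# A standing token nobody has exercised for this long has no business reason
# to exist; the threshold is a policy choice, 90 days here.
STALE_AFTER = timedelta(days=90)


@dataclass(frozen=True)
class Grant:
    app: str                # connected app the token belongs to
    user: str               # account that authorized it (grants are per user)
    vendor: str             # who operates the app, for breach lookups
    scopes: frozenset[str]  # OAuth scopes the token carries
    last_used: date | None  # None: issued but never exercised


# Constructed sample export. The column names are this example's own, not a
# vendor's schema; adapt parse_export() to whatever your platform exports.
SAMPLE_EXPORT = """\
app,user,vendor,scopes,last_used
Acme Market Intel,sales1,AcmeIntel,full refresh_token,2026-06-10
Acme Market Intel,sales2,AcmeIntel,api refresh_token,2026-06-12
Revenue Forecaster,ops1,ForecastCo,api refresh_token,2026-06-20
Revenue Forecaster,ops2,ForecastCo,api refresh_token,2026-01-15
Legacy Dialer,sales3,DialerInc,api refresh_token,2025-12-01
Slide Exporter,mkt1,DeckTools,api web,
"""

# What the business says it actually needs: approved apps and the scopes each
# is allowed to hold. Anything absent from this table is, by definition, unused.
NEEDED: dict[str, set[str]] = {
    "Acme Market Intel": {"api", "refresh_token"},
    "Revenue Forecaster": {"api", "refresh_token"},
    "Slide Exporter": {"api", "web"},
}

# Constructed stand-in for a vendor that has published a breach disclosure.
BREACHED_VENDORS = {"AcmeIntel"}

# Fixed reference date so the sample run is deterministic.
TODAY = date(2026, 6, 25)


def parse_export(text: str) -> list[Grant]:
    """Parse the CSV export into Grant records; an empty last_used means never."""
    grants = []
    for row in csv.DictReader(io.StringIO(text)):
        last = date.fromisoformat(row["last_used"]) if row["last_used"] else None
        grants.append(Grant(row["app"], row["user"], row["vendor"],
                            frozenset(row["scopes"].split()), last))
    return grants


def triage(grant: Grant, needed: dict[str, set[str]], breached: set[str],
           today: date) -> list[tuple[str, str]]:
    """Apply the two questions and the breached-vendor rule to one grant.

    Returns (action, reason) pairs. Revocation is terminal; a grant that
    survives it may still need a scope cut and/or a credential rotation.
    """
    if grant.app not in needed:
        return [("revoke", "not on the approved-integrations list")]
    if grant.last_used is None:
        return [("revoke", "token issued but never used")]
    idle = today - grant.last_used
    if idle > STALE_AFTER:
        return [("revoke", f"idle for {idle.days} days")]

    actions = []
    # Set difference catches over-broad scopes, including a blanket scope such
    # as Salesforce's 'full' where only 'api' was approved.
    excess = grant.scopes - needed[grant.app]
    if excess:
        actions.append(("reduce_scope", "drop " + " ".join(sorted(excess))))
    if grant.vendor in breached:
        actions.append(("rotate", "vendor disclosed a breach: revoke this token, "
                                  "rotate the client secret, re-authorize"))
    if not actions:
        actions.append(("keep", "in use, scoped as approved, vendor not flagged"))
    return actions


def triage_export(text: str, needed=NEEDED, breached=BREACHED_VENDORS,
                  today=TODAY) -> dict[tuple[str, str], list[tuple[str, str]]]:
    """Triage every grant in an export, keyed by (app, user)."""
    return {(g.app, g.user): triage(g, needed, breached, today)
            for g in parse_export(text)}


def summarize(report) -> dict[str, int]:
    """Count actions across the report, for the one-line status to leadership."""
    counts: dict[str, int] = {}
    for actions in report.values():
        for action, _ in actions:
            counts[action] = counts.get(action, 0) + 1
    return counts


if __name__ == "__main__":
    report = triage_export(SAMPLE_EXPORT)
    for (app, user), actions in report.items():
        for action, why in actions:
            print(f"{action:<13} {app} [{user}]: {why}")
    print(summarize(report))
```

Run it as-is to see the sample triage; in practice replace SAMPLE_EXPORT with your platform's export and NEEDED with your approved-integration list. The ordering is deliberate: the unused and stale checks run first because a token nobody uses is revoked regardless of its scope, and a grant to a breached vendor gets both a scope cut and a rotation rather than one or the other.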
That is it. That is the whole playbook, and it is yours, customer or not, because giving back more than we take is the point of doing this at all.
Be Best
There is a campaign called Be Best about not being cruel to each other online, and the security industry could stand to borrow it. Being best here is not the dunk. It is three things at once: refusing to kick the defenders who got hit and were brave enough to say so, telling the plain truth about what our own tools can and cannot do, and handing out the fix for free to everyone — the breached, the lucky, and the next ones in line.
We could not have blocked the Klue breach. We can be honest about that, kind to the people it hit, and useful to everyone watching. That is the best version of what we do, and on this one, that is the whole job.
Sources: SecurityWeek (Klue breach victim coverage), The Register (hundreds of Klue victims), Huntress (klue-breach-investigation), LastPass and OneTrust incident disclosures, TechCrunch (Klue data deletion), and DugganUSA prior coverage (OAuth's Blind Spot Sept 2025; June 2/18/23/24 Icarus-Klue posts).
Her name was Renee Nicole Good.
His name was Alex Jeffery Pretti.
