
Icarus Popped the Competitive Intelligence Platform. Security Companies Were the Customers.

  • Writer: Patrick Duggan
  • 4 min read

On June 12, 2026, the Icarus extortion group compromised Klue — a market intelligence platform that security companies use to track competitors — and walked out with OAuth tokens granting access to customer Salesforce instances across hundreds of organizations.


The victim list includes Recorded Future, Tanium, Jamf, Huntress, Sprout Social, Gong, Insurity, and LastPass.


Recorded Future is a threat intelligence company. They got popped via their sales software.



What Klue Does and Why It Was the Right Target


Klue is a competitive intelligence platform. Sales and go-to-market teams use it to aggregate market data, track competitor moves, and feed that intelligence into Salesforce. To do that job, Klue requires deep OAuth integrations: Salesforce, Gong, HubSpot, SharePoint, Zoom, Chorus, Clari, Google Drive, and Slack. That is not a narrow integration surface. That is a skeleton key to the operational data of every customer who connected it.


Icarus understood this. They obtained a compromised legacy credential — a single stale token — to gain initial access to Klue's integration infrastructure. From there they harvested the OAuth tokens Klue maintained on behalf of its customers. One compromised credential against a middleware platform became simultaneous access to hundreds of Salesforce environments.


This is the supply chain attack as it was always going to evolve. You do not need to breach Recorded Future's infrastructure to get Recorded Future's data. You need to breach the third-party SaaS they gave Salesforce OAuth access to.



What Was Taken


The stolen data from Salesforce instances is not vault contents or source code. It is CRM data: business contacts, customer names, email addresses, phone numbers, mailing addresses, sales communications, pricing information, opportunity notes, and support case records.


That sounds less alarming than an encrypted vault compromise. It should not. Business contact data from a security vendor's CRM is a map of their customer relationships, renewal timelines, pricing, competitive displacement opportunities, and the names and emails of every person on their customer side who handles the contract. It is the raw material for targeted spearphishing, business email compromise, and sales intelligence theft.


For LastPass specifically: customer CRM data in the hands of an extortion group, one week after a 24-billion-record credential dump that included active infostealer logs, is a targeting list for exactly the kind of phishing campaign that produces new infostealer infections.



Icarus: Active Since April, Consistent Pattern


The Icarus extortion group emerged in April 2026. Their documented pattern is supply chain compromise targeting business intelligence and CRM data rather than technical infrastructure. They do not appear to be looking for source code or production credentials. They are looking for the data that makes extortion tractable: customer lists, sales data, pricing, communications.


The Klue operation was technically straightforward. Python scripts automated API queries against the compromised Salesforce integrations. Exfiltration infrastructure was distributed across Netherlands, France, and Ukraine. Extortion demands were sent from compromised Australian retail domains instructing victims to contact them via Session Messenger.
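The operational signature described above, scripted API queries pulling CRM objects through a connected app, is visible to the victim organization in its own API access logs if anyone is looking. The following is an added example, not code from the post, from Klue, or from Salesforce: a sliding-window profiler over a constructed CSV log (the column names are assumed, not a real Salesforce EventLogFile schema) that flags any client app whose row volume or breadth of objects touched within one hour exceeds a baseline. The threshold values are assumptions to be tuned per org.

```python
"""Flag bulk CRM extraction by a connected app from constructed API access logs.

Added example. The log format and thresholds are assumptions, not a real
Salesforce schema; the sample rows below are constructed for illustration.
"""
from __future__ import annotations

import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample: one integration client pulls five CRM objects in 15 minutes,
# a second client shows ordinary dashboard traffic spread over hours.
SAMPLE_LOG = """timestamp,client_app,username,operation,sobject,rows
2026-06-12T02:00:10Z,Klue,integration.user@example.com,query,Contact,2000
2026-06-12T02:01:15Z,Klue,integration.user@example.com,query,Contact,2000
2026-06-12T02:02:20Z,Klue,integration.user@example.com,query,Account,2000
2026-06-12T02:03:25Z,Klue,integration.user@example.com,query,Account,2000
2026-06-12T02:05:30Z,Klue,integration.user@example.com,query,Opportunity,2000
2026-06-12T02:06:35Z,Klue,integration.user@example.com,query,Opportunity,2000
2026-06-12T02:08:40Z,Klue,integration.user@example.com,query,Case,2000
2026-06-12T02:09:45Z,Klue,integration.user@example.com,query,Case,2000
2026-06-12T02:11:50Z,Klue,integration.user@example.com,query,Lead,2000
2026-06-12T02:12:55Z,Klue,integration.user@example.com,query,Lead,2000
2026-06-12T02:14:00Z,Klue,integration.user@example.com,query,Contact,2000
2026-06-12T02:15:05Z,Klue,integration.user@example.com,query,Contact,2000
2026-06-12T09:00:00Z,SalesDashboard,dashboard.user@example.com,query,Opportunity,500
2026-06-12T10:00:00Z,SalesDashboard,dashboard.user@example.com,query,Opportunity,500
2026-06-12T11:00:00Z,SalesDashboard,dashboard.user@example.com,query,Account,300
"""


def parse_log(text: str) -> list[dict]:
    """Parse the CSV log into dicts with a timezone-aware 'ts' and integer 'rows'."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["ts"] = datetime.strptime(row["timestamp"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        row["rows"] = int(row["rows"])
        events.append(row)
    return events


def profile_clients(events: list[dict], window: timedelta = timedelta(hours=1)) -> dict[str, dict]:
    """For each client app, compute the peak row count and peak number of distinct
    objects touched inside any sliding window of the given length."""
    by_client: dict[str, list[dict]] = defaultdict(list)
    for e in events:
        by_client[e["client_app"]].append(e)

    profiles = {}
    for client, evs in by_client.items():
        evs.sort(key=lambda e: e["ts"])
        start, rows = 0, 0
        objects: Counter = Counter()
        max_rows = max_objects = 0
        for e in evs:
            rows += e["rows"]
            objects[e["sobject"]] += 1
            # Slide the window: drop events older than `window` relative to the newest one.
            while e["ts"] - evs[start]["ts"] >= window:
                old = evs[start]
                rows -= old["rows"]
                objects[old["sobject"]] -= 1
                if objects[old["sobject"]] == 0:
                    del objects[old["sobject"]]
                start += 1
            max_rows = max(max_rows, rows)
            max_objects = max(max_objects, len(objects))
        profiles[client] = {"max_rows_in_window": max_rows, "max_objects_in_window": max_objects}
    return profiles


def flag_bulk_extraction(profiles: dict[str, dict], row_threshold: int = 20000, object_threshold: int = 4) -> list[str]:
    """Return client apps whose windowed volume or breadth exceeds the assumed baseline."""
    return sorted(
        client for client, p in profiles.items()
        if p["max_rows_in_window"] >= row_threshold or p["max_objects_in_window"] >= object_threshold
    )


if __name__ == "__main__":
    prof = profile_clients(parse_log(SAMPLE_LOG))
    for client, p in prof.items():
        print(client, p)
    print("flagged:", flag_bulk_extraction(prof))
```

The breadth check matters as much as the volume check: a legitimate integration usually reads the same few objects it was built for, whereas a collection script walks every object that holds contact, pricing, or opportunity data. Alerting on either dimension keeps the rule useful even when an attacker throttles request volume.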


Salesforce has since disabled the Klue application integration. CrowdStrike was engaged for incident response. Klue revoked the affected OAuth tokens and disabled the compromised integrations. The data is already out.



Pattern 38, Supply Chain Edition


We have been tracking the supply chain attack pattern since before it had a common name. Patterns 38 through 48 in our catalog cover the arc from stolen developer credentials to compromised npm packages to CI/CD pipeline infiltration. The Icarus/Klue operation is a variant on the same underlying mechanic: find a trusted third party with broad access, compromise the third party, harvest the access.


The specific novelty here is OAuth as the attack vector. OAuth token theft from a SaaS middleware platform is efficient in a way that direct infrastructure compromise is not. Klue's OAuth tokens were maintained persistently, renewed automatically, and scoped broadly. Compromising Klue once yielded simultaneous access to hundreds of customer environments with no additional exploitation required.


The security industry is not insulated from this pattern. It is disproportionately exposed to it. Security vendors deploy security tools, threat intelligence platforms, sales automation software, and competitive intelligence tools — all connected to each other via OAuth and all sitting inside the same SaaS integration graph. Icarus found the node with the most edges and pulled.



What to Do Now


If your organization uses Klue, audit which OAuth integrations were active as of June 12. Klue's official response lists the disabled integrations: Salesforce, Gong, HubSpot, SharePoint, Zoom, Chorus, Clari, Google Drive, and Slack. Revoke and reissue all tokens for any connected system regardless of whether you are a named victim. Token revocation is cheap. Assuming your Salesforce data is clean because you are not on the public victim list is not.


Review your OAuth token inventory broadly. This attack worked because a legacy credential provided initial access and OAuth tokens provided blast radius. Both of those conditions are endemic in enterprise SaaS environments. The legacy credential problem is years of accumulated integrations that nobody audited after the original engineer left. The OAuth token problem is the default behavior of every modern SaaS platform.
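The two recommendations above, revoke and reissue grants for the affected integrations and review the wider OAuth inventory for stale and over-scoped tokens, reduce to a small audit routine. This is an added example, not code from the post, from Klue, or from Salesforce. The record shape mirrors the fields an admin sees when listing OAuth grants (app name, user, scopes, last-used date, use count) but every record below is constructed; the scope names `api`, `full`, `refresh_token`, and `offline_access` are real Salesforce OAuth scopes, while the revoke list, the 90-day staleness cutoff, and the app names are assumptions.

```python
"""Audit an OAuth grant inventory for revocation candidates and blast radius.

Added example. Records are constructed; the revoke list and staleness cutoff
are assumptions for illustration.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Apps whose grants should be revoked and reissued regardless of victim status (assumed list).
REVOKE_APPS = {"klue"}
# Real Salesforce scopes that keep a grant alive without the user present.
PERSISTENT_SCOPES = {"refresh_token", "offline_access"}
# Real Salesforce scopes that expose the whole data API.
BROAD_SCOPES = {"api", "full"}


@dataclass(frozen=True)
class TokenGrant:
    app_name: str
    username: str
    scopes: frozenset
    last_used: Optional[datetime]
    created: datetime
    use_count: int


def audit_grants(grants: list[TokenGrant], now: datetime, stale_days: int = 90) -> dict[tuple[str, str], list[str]]:
    """Return {(app, user): [reasons]} for every grant that warrants revocation or review."""
    findings: dict[tuple[str, str], list[str]] = {}
    for g in grants:
        reasons = []
        if g.app_name.lower() in REVOKE_APPS:
            reasons.append("app on revoke list")
        if g.last_used is None:
            reasons.append("never used")
        elif now - g.last_used > timedelta(days=stale_days):
            reasons.append(f"unused >{stale_days}d")
        # A persistent refresh grant with broad data scope is the combination that
        # turns one middleware compromise into standing access to the whole org.
        if g.scopes & PERSISTENT_SCOPES and g.scopes & BROAD_SCOPES:
            reasons.append("persistent+broad")
        if reasons:
            findings[(g.app_name, g.username)] = reasons
    return findings


def blast_radius(grants: list[TokenGrant]) -> dict[str, int]:
    """Per app, count distinct users whose grants are both persistent and broad."""
    users: dict[str, set[str]] = defaultdict(set)
    for g in grants:
        if g.scopes & PERSISTENT_SCOPES and g.scopes & BROAD_SCOPES:
            users[g.app_name].add(g.username)
    return {app: len(u) for app, u in users.items()}


# Constructed inventory: two Klue grants, one forgotten ETL service account,
# one healthy short-lived grant, one grant that was authorized but never used.
NOW = datetime(2026, 6, 13, tzinfo=timezone.utc)
SAMPLE_GRANTS = [
    TokenGrant("Klue", "alice@example.com", frozenset({"api", "refresh_token"}), NOW - timedelta(days=2), NOW - timedelta(days=400), 1200),
    TokenGrant("Klue", "bob@example.com", frozenset({"api", "refresh_token"}), NOW - timedelta(days=5), NOW - timedelta(days=380), 900),
    TokenGrant("LegacyETL", "svc-etl@example.com", frozenset({"full", "refresh_token"}), NOW - timedelta(days=400), NOW - timedelta(days=1500), 50000),
    TokenGrant("Gong", "carol@example.com", frozenset({"api"}), NOW - timedelta(days=1), NOW - timedelta(days=30), 40),
    TokenGrant("OldDashboard", "dave@example.com", frozenset({"api"}), None, NOW - timedelta(days=200), 0),
]


if __name__ == "__main__":
    for (app, user), reasons in sorted(audit_grants(SAMPLE_GRANTS, NOW).items()):
        print(f"{app:14} {user:22} {', '.join(reasons)}")
    print("blast radius:", blast_radius(SAMPLE_GRANTS))
```

Run the audit against an export of your real grant list and treat every "persistent+broad" finding as a question to the integration owner: does this app need standing access to the full data API, or can it work with a narrower scope and a user-present session? The "never used" and "unused" rows are the legacy-credential problem the post describes, and they cost nothing to revoke.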


The Icarus group will not stop with Klue. The methodology — compromise middleware, harvest tokens, extract CRM data, extort — works. The only variable is which SaaS platform is next.

