Klue Breach - Track the Salesforce Incident

Huntress disclosed that it was affected by the broader Klue supply chain compromise after attackers breached Klue's backend systems and exfiltrated OAuth tokens used by customers to connect Klue with third-party platforms. The incident began on June 11, 2026, when attackers introduced malicious code into Klue's infrastructure capable of harvesting customer OAuth credentials. Using the compromised integration, attackers accessed and copied data from Huntress's Salesforce environment. According to Huntress, the exposed information consisted of business contacts, sales opportunities, pricing quotes, sales-related communications, and CRM records. Huntress stated that no threat intelligence data, customer telemetry, engineering repositories, product infrastructure, passwords, payment card information, or endpoint security systems were affected. Following the compromise, Klue revoked customer OAuth credentials and disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while investigating the incident. On June 16, Huntress personnel received extortion emails claiming the stolen data had been downloaded and threatening disclosure. Huntress reported no evidence of compromise to its products, services, or operational infrastructure, and characterized the incident as limited to CRM-related business data obtained through the compromised Klue integration.

Recorded Future disclosed that it was impacted by the Klue third-party integration compromise after attackers gained unauthorized access to Klue's integration infrastructure and abused a compromised Salesforce OAuth token. According to Recorded Future, the unauthorized activity began on June 12, 2026, and leveraged the Salesforce-Klue integration rather than targeting Recorded Future directly. The company confirmed on June 17 that portions of its Salesforce environment were accessed through the compromised OAuth credentials. The exposed data appears limited to business information stored in Salesforce, including customer and prospect contact names, email addresses, and potentially certain contract-related business records. Recorded Future stated that there is no evidence that its core intelligence platform, Intelligence Graph, proprietary systems, customer-facing services, internal databases, or threat intelligence data were accessed. In response, the company revoked all Klue-related OAuth tokens, reviewed third-party Salesforce integrations, analyzed logs for known malicious infrastructure, engaged Salesforce for additional forensic support, notified law enforcement, and initiated enhanced monitoring. The incident is part of the broader Klue supply chain compromise that affected multiple organizations through trusted Salesforce-connected integrations.

Tanium disclosed that it was impacted by the Klue supply chain breach after attackers compromised Klue, a third-party platform that integrates with Salesforce using OAuth credentials. The breach enabled unauthorized access to and exfiltration of CRM data from Tanium's Salesforce environment. According to Tanium's investigation, the incident was limited to Salesforce data and did not affect Tanium products, cloud infrastructure, customer security data, support systems, passwords, or operational environments. The potentially exposed information includes sales account data such as opportunity names, opportunity values, sales-related communications, and business contact information including names, job titles, email addresses, phone numbers, social media contact details, and business addresses. Tanium stated that it has found no evidence that additional customer data was accessed or misused. In response, the company disabled the Klue OAuth integration, blocked further access to Salesforce through Klue, launched a comprehensive investigation, and coordinated directly with Klue to validate containment and understand the root cause. The incident is part of the broader Klue OAuth compromise that affected multiple organizations through trusted Salesforce-connected integrations.

Jamf disclosed that it was impacted by the broader Klue third-party cybersecurity incident after an unauthorized actor gained access to Jamf's Salesforce data through Klue's Salesforce integration. The compromise occurred within Klue's environment and allowed access to business data stored in Jamf's Salesforce instance. Upon notification from Klue, Jamf immediately disabled the integration, engaged cybersecurity experts to conduct an independent investigation, implemented defensive measures, and notified law enforcement. Jamf stated that there is no evidence of lateral movement beyond Salesforce and that the incident did not affect Jamf products, customer-facing services, or its ability to operate. While the company's investigation remains ongoing, current findings indicate that the exposure was primarily limited to business data fields contained within Salesforce. Jamf warned customers that the stolen contact information could be leveraged in phishing or social engineering campaigns impersonating Jamf employees or IT personnel. The incident is part of the broader Klue OAuth compromise that affected multiple organizations through trusted Salesforce-connected integrations.

Sprout Social disclosed that it was impacted by the Klue third-party security incident after attackers obtained credentials associated with Klue's Salesforce integration and used them to access connected Salesforce CRM environments. The unauthorized access occurred between June 11 and June 12, 2026, and may have exposed business contact information including names, professional email addresses, phone numbers, job titles, and mailing addresses, as well as organizational information such as company details, industry classifications, account status information, and related commercial CRM records. Sprout Social stated that the incident was limited to Salesforce CRM data and did not affect the Sprout Social platform, customer social media accounts, authentication credentials, API keys, published or scheduled content, Salesforce Service Cloud integrations, or production systems. Following notification of the breach, Sprout Social disabled the affected Salesforce connected application, deactivated the associated service account, removed all Klue integrations, engaged Salesforce and Klue for forensic analysis, and audited its systems to confirm the scope of the incident. The company also warned customers about potential follow-on phishing, social engineering, and extortion attempts leveraging the exposed business contact information.

Gong disclosed that it was impacted by the broader Klue third-party security incident after attackers compromised Klue's integration service and gained access to data available through connected integrations. The incident originated within Klue's environment and affected customers that had connected Klue to Gong. Following notification from Klue, Gong reviewed indicators of compromise, including suspicious IP addresses associated with the attack, and determined that a subset of customers may have had licensed user information accessed through the integration. The potentially exposed data includes user names, business titles, and business email addresses. Gong stated that there was no direct impact to customer call recordings, conversation transcripts, revenue intelligence data, or Gong's core products and infrastructure. In response, Gong revoked all active access associated with the Klue integration, deactivated related tokens, blocked identified malicious IP addresses, and suspended all Klue-to-Gong API access. The company also notified affected customers and warned of potential phishing and social engineering attempts leveraging the exposed business contact information.

Insurity disclosed that it was affected by the broader Klue and Salesforce security incident after Salesforce notified the company on June 16, 2026, of suspicious activity involving the Klue connected application used within its Salesforce environment. The incident is part of a multi-organization compromise involving Klue's Salesforce integration. Insurity stated that its cloud platform, managed infrastructure, and production systems were not impacted. During its investigation, the company identified a very limited number of active credentials and secrets contained within CRM data that may have been exposed. As a precaution, Insurity rotated or reset all identified credentials and notified organizations whose secrets were potentially affected. The company indicated that business contact information stored within Salesforce was accessed and warned customers to remain vigilant for phishing and social engineering attempts. At the time of disclosure, Insurity continued to investigate whether any customer data stored in Salesforce had been impacted, while emphasizing that no action was required to maintain the security of Insurity products or services.

HackerOne disclosed that it was impacted by the broader Klue supply chain breach after attackers compromised Klue, a third-party market intelligence platform, and abused its Salesforce OAuth integration to access customer CRM environments. Through the compromised integration, an unauthorized actor accessed and copied CRM data from HackerOne's Salesforce instance. The potentially exposed information includes business contact details such as names, email addresses, phone numbers, and sales-related CRM records including accounts, opportunities, and business relationship information. HackerOne stated that the incident was limited to Salesforce CRM data and did not affect its products, infrastructure, or operational systems. The company emphasized that customer vulnerability reports and security findings were not stored within the affected CRM environment due to strict data segmentation controls, and its forensic investigation found no indication that vulnerability data was accessed. In response, HackerOne disconnected the Klue integration, confirmed access to Salesforce had been disabled, audited credentials and access logs, and conducted a forensic investigation to validate containment and scope. The company warned affected parties to remain vigilant against phishing and social engineering attempts leveraging the exposed business contact information.

OneTrust disclosed that it was impacted by the broader Klue-Salesforce supply chain incident after identifying unauthorized activity within its Salesforce environment on June 17, 2026. According to the company, the activity originated from a compromised Klue-Salesforce integration that threat actors used to access Salesforce environments across multiple organizations. OneTrust stated that the incident appears to be limited to CRM-related information accessible through the third-party integration and that it immediately took steps to contain the activity and secure its environment. The company engaged Klue, third-party cybersecurity firms, forensic investigators, and privacy counsel to determine the full scope of the incident. While the investigation remains ongoing, OneTrust indicated that it is directly notifying customers believed to be affected and that there is currently no indication that the incident extended beyond Salesforce CRM data exposed through the compromised integration.

Snyk disclosed that it was affected by the broader Klue supply chain incident after an unauthorized actor accessed data from Snyk's Salesforce environment through Klue's third-party integration. According to Snyk's investigation, the exposure was primarily limited to business-related CRM information, including customer business contact details and the title and description fields from a limited subset of customer support cases. Snyk stated that the contents or bodies of support cases were not exposed and that no impact occurred to its products, services, infrastructure, or ability to serve customers. Upon notification from Klue, Snyk immediately disabled the Salesforce-Klue integration and launched an internal investigation to assess the scope of the incident. The company noted that the breach is part of a wider compromise affecting multiple organizations that utilized Klue's Salesforce integration and continues to monitor the situation for additional findings.