Home · Briefs · CTI Daily Brief — 2026-06-24
UPDATE: 8x8 confirms Klue/Icarus Salesforce exfiltration in an SEC 8-K Item 1.05 filing
From CTI Daily Brief — 2026-06-24 · published 2026-06-24
UPDATE (originally covered 2026-06-19; campaign delta 2026-06-23): US cloud-communications provider 8x8 (NASDAQ: EGHT) filed a Form 8-K Item 1.05 on 2026-06-23 disclosing that an unauthorised party accessed its Salesforce environment on 2026-06-11/12 via a third-party integration — the Klue competitive-intelligence platform — the OAuth-integration vector behind the Icarus extortion campaign already tracked in prior briefs (SEC EDGAR — 8x8 Form 8-K, 2026-06-23).
The filing states the accessed data is limited to contract information, internal sales notes and business contact data (names, business emails, phone numbers, mailing addresses). As a publicly-listed company's mandatory material-incident disclosure, it is the formal confirmation that 8x8 is a named Klue-integration victim, extending the campaign's confirmed-victim list.
Defender takeaway for anyone running SaaS-to-Salesforce OAuth integrations (including EU public-sector users of competitive-intel tooling): audit Connected Apps in Salesforce Setup → App Manager for unexpected or stale OAuth grants, scope connected-app permissions to least privilege, and monitor
EventType=OAuthTokenin Salesforce Event Monitoring for anomalous token use (T1078.004Valid Accounts: Cloud,T1550.001token abuse).