ctipilot.ch

UPDATE: Klue/Icarus Salesforce OAuth breach — BeyondTrust and LastPass added to the named-victim list

From CTI Daily Brief — 2026-06-25 · published 2026-06-25

UPDATE (originally covered 2026-06-19): BeyondTrust and LastPass have both disclosed that business-contact and sales-related data was exfiltrated from their Salesforce environments via the compromised Klue integration, pushing the confirmed named-victim count past 14 (SecurityWeek, 2026-06-24 · Help Net Security, 2026-06-24).

The BeyondTrust exposure is the notable delta: a privileged-access-management vendor losing its CRM contact and support-case data through a SaaS supply-chain compromise is consistent with the Icarus extortion crew deliberately prioritising security-vendor customer lists. LastPass states that customer vaults were not affected. Salesforce had already disabled the Klue Battlecards connected app on 17 June (The Hacker News, 2026-06-19). Any organisation that received a Salesforce "Connected App disabled" notice for Klue should treat it as an incident trigger: pull the Event Log File ApiTotalUsage records (and the ApiAnomalyEventStore entries, where Real-Time Event Monitoring is enabled) and audit them for bulk REST or Bulk API reads of contact and case objects in the June 11–17 window, judged against the integration's normal hourly cadence rather than against a fixed count, since the reads will be attributed to the legitimate integration user (T1199, T1528, T1213.004 Customer Relationship Management Software).
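The audit step above, as an added worked example that is not code from the brief, from Salesforce or from any vendor named here: it loads an ApiTotalUsage EventLogFile CSV, counts successful REST/Bulk calls per user, object and hour for one Connected App, derives a threshold from the app's own pre-window cadence, and reports the hours inside the incident window that exceed it. Column names follow the documented ApiTotalUsage event type (TIMESTAMP_DERIVED, USER_ID_DERIVED, CONNECTED_APP_ID, API_FAMILY, ENTITY_NAME, STATUS_CODE) and should be verified against your own export; the Connected App ID, user IDs and every log row are constructed placeholders.

```python
"""Triage a Salesforce ApiTotalUsage EventLogFile export for bulk object reads
by one Connected App inside an incident window.

Added example; not from the brief, Salesforce or any named vendor. Column names
follow the documented ApiTotalUsage event type; verify against your export.
All IDs and log rows below are constructed placeholders.
"""
import csv
import io
from collections import Counter
from datetime import datetime, timezone

SUSPECT_APP_ID = "0H4000000000001AAA"      # placeholder, not the real Klue app ID
INTEGRATION_USER = "005000000000001AAA"    # placeholder integration user
SENSITIVE_OBJECTS = {"Contact", "Lead", "Account", "Case", "Opportunity"}
BASELINE_START = datetime(2026, 6, 1, tzinfo=timezone.utc)
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 18, tzinfo=timezone.utc)   # exclusive: 11-17 June


def load_rows(csv_text):
    """Parse a downloaded EventLogFile body (CSV with a header row)."""
    return list(csv.DictReader(io.StringIO(csv_text)))


def hour_bucket(ts):
    """Floor an ISO-8601 TIMESTAMP_DERIVED value ('...Z') to the hour, UTC."""
    return datetime.fromisoformat(ts.replace("Z", "+00:00")).replace(
        minute=0, second=0, microsecond=0)


def hourly_counts(rows, app_id, objects, start, end):
    """Successful REST/Bulk calls per (user, object, hour) for app_id in [start, end)."""
    counts = Counter()
    for r in rows:
        if r["CONNECTED_APP_ID"] != app_id or r["ENTITY_NAME"] not in objects:
            continue
        if not r["STATUS_CODE"].startswith("2"):       # failed calls moved no data
            continue
        if not r["API_FAMILY"].upper().startswith(("REST", "BULK")):
            continue
        hour = hour_bucket(r["TIMESTAMP_DERIVED"])
        if start <= hour < end:
            counts[(r["USER_ID_DERIVED"], r["ENTITY_NAME"], hour)] += 1
    return counts


def flag_bulk_reads(rows, app_id, objects, baseline_start, window_start,
                    window_end, multiplier=5, floor=200):
    """Return (threshold, hits): window buckets at or above
    max(floor, multiplier x the app's mean pre-window calls per active hour)."""
    base = hourly_counts(rows, app_id, objects, baseline_start, window_start)
    mean_per_active_hour = sum(base.values()) / len(base) if base else 0.0
    threshold = max(floor, multiplier * mean_per_active_hour)
    window = hourly_counts(rows, app_id, objects, window_start, window_end)
    hits = [{"user": u, "object": o, "hour": h.isoformat(), "calls": n}
            for (u, o, h), n in window.items() if n >= threshold]
    hits.sort(key=lambda x: (-x["calls"], x["hour"]))
    return threshold, hits


def _row(ts, user, obj, status="200", app=SUSPECT_APP_ID, family="REST"):
    return {"EVENT_TYPE": "ApiTotalUsage", "TIMESTAMP_DERIVED": ts,
            "USER_ID_DERIVED": user, "CONNECTED_APP_ID": app,
            "API_FAMILY": family, "ENTITY_NAME": obj, "STATUS_CODE": status}


def constructed_sample():
    """Constructed log: a normal sync cadence plus one night of bulk reads."""
    rows = []
    for day in range(1, 18):                    # 1-17 June: 12 reads at 09/13/17h
        for hour in (9, 13, 17):
            for i in range(12):
                rows.append(_row(f"2026-06-{day:02d}T{hour:02d}:{i * 4:02d}:00.000Z",
                                 INTEGRATION_USER, "Contact" if i % 2 else "Account"))
    for i in range(900):                        # 14 June 02:00Z: 900 Contact reads
        rows.append(_row(f"2026-06-14T02:{i * 4 // 60:02d}:{i * 4 % 60:02d}.000Z",
                         INTEGRATION_USER, "Contact"))
    for i in range(300):                        # 03:00Z: 300 Case reads
        rows.append(_row(f"2026-06-14T03:{i * 12 // 60:02d}:{i * 12 % 60:02d}.000Z",
                         INTEGRATION_USER, "Case"))
    for i in range(250):                        # 04:00Z: denied reads, ignored
        rows.append(_row(f"2026-06-14T04:{i * 14 // 60:02d}:{i * 14 % 60:02d}.000Z",
                         INTEGRATION_USER, "Opportunity", status="403"))
    for i in range(500):                        # another app's own sync, ignored
        rows.append(_row(f"2026-06-14T05:{i * 7 // 60:02d}:{i * 7 % 60:02d}.000Z",
                         "005000000000002AAA", "Lead", app="0H4000000000002AAA"))
    return rows


if __name__ == "__main__":
    threshold, hits = flag_bulk_reads(constructed_sample(), SUSPECT_APP_ID,
                                      SENSITIVE_OBJECTS, BASELINE_START,
                                      WINDOW_START, WINDOW_END)
    print(f"threshold={threshold:.0f} calls/hour")
    for h in hits:
        print(h)
```

On the constructed sample the integration's pre-window cadence is 6 calls per active hour, so the 200-call floor governs and the two flagged buckets are the 900 Contact reads at 02:00Z and the 300 Case reads at 03:00Z on 14 June; the 403s and the other app's traffic are excluded. With a real export, swap `constructed_sample()` for `load_rows(open(path).read())`, set `SUSPECT_APP_ID` to the ID shown in the disabled-app notice, and pull the daily files before Event Log File retention expires. ApiAnomalyEventStore is a separate object retrieved via SOQL and is not parsed here.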