ctipilot.ch

UPDATE: Klue/Icarus Salesforce breach widens to ~24 firms; the attacker is itself hacked and a second extortion actor emerges

From CTI Daily Brief — 2026-06-27 · published 2026-06-27

UPDATE (originally covered 2026-06-25): Roughly two dozen companies have now publicly notified customers of the Klue–Salesforce OAuth-integration breach, up from eleven on June 25, with newly named EU-domiciled victims including Germany's Lucanet and Link11 alongside Blackbaud, Deel, Camunda and Tines (SecurityWeek, 2026-06-26).

Klue reportedly told customers that the attacker ("Icarus") was itself compromised and that the stolen dataset is now in the hands of a second, unnamed actor running an independent extortion campaign; Icarus's Tor leak site went offline (TechCrunch, 2026-06-25). The root cause is unchanged — a single over-privileged legacy OAuth integration credential granting bulk Salesforce access across ~195 customer orgs — reinforcing the standing action: audit and revoke dormant Connected Apps with export scopes, and alert on anomalous bulk ReportExport/API activity from integration service accounts.
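The alerting half of that standing action, as an added example that is not part of the brief or of any vendor's tooling: a sliding-window count of ReportExport events per integration service account, run over constructed Salesforce EventLogFile-style rows (the column names, the `svc-` naming convention, and every user and address are assumptions made for this example).

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in a simplified Salesforce EventLogFile-style layout for the
# ReportExport event type; column names, users and addresses are assumptions.
SAMPLE_LOG = """EVENT_TYPE,TIMESTAMP_DERIVED,USER_NAME,CLIENT_IP
ReportExport,2026-06-24T02:01:10Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T02:01:44Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T02:02:30Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T02:03:05Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T02:04:51Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T02:06:12Z,svc-klue-integration@example.com,203.0.113.5
ReportExport,2026-06-24T09:15:00Z,alice@example.com,198.51.100.20
ReportExport,2026-06-24T17:02:00Z,alice@example.com,198.51.100.20
ReportExport,2026-06-24T03:00:00Z,svc-billing@example.com,203.0.113.9
Login,2026-06-24T08:59:00Z,alice@example.com,198.51.100.20
"""

def parse_events(log_text):
    """Return (user, timestamp) pairs for ReportExport rows; other event types are skipped."""
    events = []
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["EVENT_TYPE"] == "ReportExport":
            ts = datetime.strptime(row["TIMESTAMP_DERIVED"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((row["USER_NAME"], ts))
    return events

def max_exports_in_window(timestamps, window):
    """Largest number of events inside any span of length `window` (sliding window)."""
    ts = sorted(timestamps)
    best = start = 0
    for end in range(len(ts)):
        while ts[end] - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best

def find_bulk_export_anomalies(log_text, window=timedelta(hours=1), threshold=5,
                               integration_prefixes=("svc-",)):
    """Integration accounts whose peak export count in any window exceeds threshold."""
    # Picking integration accounts by username prefix is an assumption for this
    # example; a real deployment would key on profile or Connected App identity.
    per_user = defaultdict(list)
    for user, ts in parse_events(log_text):
        if user.startswith(integration_prefixes):
            per_user[user].append(ts)
    return {u: peak for u, stamps in per_user.items()
            if (peak := max_exports_in_window(stamps, window)) > threshold}
```

The human analyst's scattered exports and the low-volume billing integration stay below threshold; only the integration account that exports six reports in five minutes is returned, which is the shape of activity worth paging on.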