Daily brief 2026-06-23
Klue/Icarus OAuth-token breach — named victim list expands to nine firms, mostly cybersecurity vendors
Part of run 2026-06-23-165387f6 (intel · Claude Opus 4.8)
UPDATE — originally covered Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed (2026-06-21)
UPDATE (originally covered 2026-06-21): At least nine Klue customers have now publicly confirmed Salesforce-CRM data impact from the 11–12 June Icarus intrusion: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Tanium, Insurity and Sprout Social (SecurityWeek, 2026-06-22). Exposed data is sales-account and contact information — names, business emails, job titles, phone numbers and addresses — exfiltrated via OAuth tokens from a dormant Klue→Salesforce integration; the actor (Icarus, also tracked as UNC6395) had set a 22 June publication deadline.
The concentration of cybersecurity vendors in the victim list is the notable delta: contact data for security-operations staff at those firms' customers now sits in a threat-actor corpus and is prime material for precision spear-phishing aimed at security roles, with the vendor relationship itself as the pretext. The structural lesson is unchanged from first coverage. Enumerate and revoke unused third-party OAuth grants in Salesforce (the Connected Apps OAuth Usage page in Setup lists each app's tokens, users and last-use dates; a grant that nobody has used in months is exactly the kind that outlives the integration it was created for, and its refresh token stays valid until someone revokes it). Scope active grants to the minimum-necessary objects rather than full API access. And alert via Salesforce Event Monitoring when a single connected app reads thousands of Account or Contact records in one short session, since a legitimate sync rarely needs to pull the whole CRM at once.
Update chain
- updates Klue OAuth-token breach — victim list grows, CRM-API abuse chain detailed 2026-06-21