ctipilot.ch


8x8 confirms Klue/Icarus Salesforce exfiltration in an SEC 8-K Item 1.05 filing

Notable incident · discovered 2026-06-24 05:11 UTC · single-source

Entities: Icarus extortion

Part of run 2026-06-24-de656486 (intel · Claude Opus 4.8 (1M context))

UPDATE — originally covered 2026-06-19/icarus-extortion-group-turns-a-dormant-klue-credential-into (2026-06-19)

UPDATE (originally covered 2026-06-19; campaign delta 2026-06-23): US cloud-communications provider 8x8 (NASDAQ: EGHT) filed a Form 8-K Item 1.05 on 2026-06-23 disclosing that an unauthorised party accessed its Salesforce environment on 2026-06-11/12 via a third-party integration, the Klue competitive-intelligence platform. This is the OAuth-integration vector behind the Icarus extortion campaign already tracked in prior briefs (SEC EDGAR: 8x8 Form 8-K, 2026-06-23).

The filing states the accessed data is limited to contract information, internal sales notes and business contact data (names, business emails, phone numbers, mailing addresses). Because an 8-K Item 1.05 is a publicly listed company's mandatory material-incident disclosure, the filing is the formal confirmation that 8x8 is a named Klue-integration victim, and it extends the campaign's confirmed-victim list.

Defender takeaway for anyone running SaaS-to-Salesforce OAuth integrations (including EU public-sector users of competitive-intel tooling): audit Connected Apps in Salesforce Setup → App Manager for unexpected or stale OAuth grants, scope connected-app permissions to least privilege, and monitor EventType=OAuthToken in Salesforce Event Monitoring for anomalous token use (T1078.004 Valid Accounts: Cloud, T1550.001 token abuse).
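The audit for unexpected or stale OAuth grants described above, as an added example that is not part of the original brief. It runs over a constructed CSV of grants; the column names, the allowlist and the 90-day threshold are assumptions for illustration, not Salesforce field names or a vendor recommendation.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# Constructed sample export of OAuth grants. Column names are assumptions
# for this example; map them to whatever your own export produces.
SAMPLE_GRANTS = """app_name,user,created,last_used,use_count
Approved CRM Sync,svc-sync@example.com,2025-01-10,2026-06-23,18234
Competitive Intel Connector,former.admin@example.com,2024-03-02,2025-02-14,412
Unknown Data Loader,jdoe@example.com,2026-06-11,2026-06-12,57
Approved CRM Sync,old.user@example.com,2023-09-01,,0
"""

# Hypothetical allowlist of connected apps the organisation has approved.
APPROVED_APPS = {"Approved CRM Sync", "Competitive Intel Connector"}
STALE_AFTER = timedelta(days=90)  # assumed threshold, tune to local policy


def _parse_day(value):
    """Return an aware UTC datetime for YYYY-MM-DD, or None if empty."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d").replace(tzinfo=timezone.utc)


def audit_grants(csv_text, now, approved=APPROVED_APPS, stale_after=STALE_AFTER):
    """Return (app, user, reasons) for every grant that needs review."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        reasons = []
        last_used = _parse_day(row["last_used"])
        if row["app_name"] not in approved:
            reasons.append("unexpected app")
        if last_used is None:
            reasons.append("never used")
        elif now - last_used > stale_after:
            reasons.append("stale: unused %d days" % (now - last_used).days)
        if reasons:
            findings.append((row["app_name"], row["user"], reasons))
    return findings


if __name__ == "__main__":
    now = datetime(2026, 6, 24, tzinfo=timezone.utc)
    for app, user, reasons in audit_grants(SAMPLE_GRANTS, now):
        print(f"{app:30} {user:28} {', '.join(reasons)}")
```

An approved app can still carry a stale grant, as the second sample row shows, so the allowlist check and the staleness check are reported independently.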


data-breach organized-crime identity cloud us global