Daily brief 2026-06-27
Klue/Icarus Salesforce breach widens to ~24 firms; the attacker is itself hacked and a second extortion actor emerges
Part of run 2026-06-27-40e791d4 (intel · Claude Opus 4.8)
UPDATE — originally covered Klue/Icarus Salesforce OAuth breach — BeyondTrust and LastPass added to the named-victim list (2026-06-25)
UPDATE (originally covered 2026-06-25): Roughly two dozen companies have now publicly notified customers of the Klue–Salesforce OAuth-integration breach, up from eleven on June 25, with newly named EU-domiciled victims including Germany's Lucanet and Link11 alongside Blackbaud, Deel, Camunda and Tines (SecurityWeek, 2026-06-26).
Klue reportedly told customers that the attacker ("Icarus") was itself compromised and that the stolen dataset is now in the hands of a second, unnamed actor running an independent extortion campaign; Icarus's Tor leak site went offline (TechCrunch, 2026-06-25). The root cause is unchanged — a single over-privileged legacy OAuth integration credential granting bulk Salesforce access across ~195 customer orgs — reinforcing the standing action: audit and revoke dormant Connected Apps with export scopes, and alert on anomalous bulk ReportExport/API activity from integration service accounts.
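One way to operationalise the second half of that standing action (alerting on bursty export activity from integration service accounts) is a sliding-window detector over Event Monitoring export rows. This is an added example, not code from Klue, Salesforce or the brief's sources; the column names, timestamp format, user IDs and connected-app name in the sample log are constructed assumptions, as is the choice to treat ReportExport and BulkApi rows as export events.

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample rows, loosely modelled on Salesforce Event Monitoring
# export events. Field names and values are assumptions, not the real schema.
SAMPLE_LOG = """\
EVENT_TYPE,TIMESTAMP,USER_ID,CONNECTED_APP,CLIENT_IP
ReportExport,2026-06-25T01:00:00Z,005INTEG0000000001,legacy-integration-app,203.0.113.10
ReportExport,2026-06-25T02:00:00Z,005INTEG0000000001,legacy-integration-app,203.0.113.10
ReportExport,2026-06-25T09:00:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
BulkApi,2026-06-25T09:01:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
ReportExport,2026-06-25T09:02:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
ReportExport,2026-06-25T09:03:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
ReportExport,2026-06-25T09:04:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
ReportExport,2026-06-25T09:05:00Z,005INTEG0000000001,legacy-integration-app,198.51.100.7
ReportExport,2026-06-25T10:00:00Z,005HUMAN0000000001,,192.0.2.25
ReportExport,2026-06-25T10:05:00Z,005HUMAN0000000001,,192.0.2.25
"""

EXPORT_EVENTS = {"ReportExport", "BulkApi"}  # assumed set of bulk-export event types


def parse_events(text):
    """Parse CSV rows and attach a timezone-aware datetime as 'ts'."""
    rows = list(csv.DictReader(StringIO(text)))
    for r in rows:
        r["ts"] = datetime.fromisoformat(r["TIMESTAMP"].replace("Z", "+00:00"))
    return rows


def flag_bulk_exports(events, service_accounts, window=timedelta(minutes=30), threshold=5):
    """Return {(user_id, connected_app): timestamp at which the threshold was
    first crossed} for integration service accounts whose export events
    inside any sliding window reach the threshold. Human users are skipped;
    they warrant a separate, looser rule rather than this one."""
    recent = defaultdict(deque)  # per (user, app): timestamps inside the window
    hits = {}
    for e in sorted(events, key=lambda r: r["ts"]):
        if e["EVENT_TYPE"] not in EXPORT_EVENTS or e["USER_ID"] not in service_accounts:
            continue
        key = (e["USER_ID"], e["CONNECTED_APP"])
        q = recent[key]
        q.append(e["ts"])
        while q and e["ts"] - q[0] > window:  # drop events older than the window
            q.popleft()
        if len(q) >= threshold and key not in hits:
            hits[key] = e["ts"]
    return hits
```

Routine nightly exports (two events hours apart) never accumulate inside the window, while the 09:00 burst through the legacy app trips the rule on its fifth event; tune the window and threshold to each account's observed baseline.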