Market intelligence platform Klue identified unauthorised activity within its integration infrastructure on 11 June 2026, leading to the theft of OAuth tokens used to connect customer environments - most notably Salesforce. Attackers gained initial access through an old, unused testing credential that remained active, then pivoted to Klue's integration systems and deployed token-theft code to harvest customer OAuth tokens. With those tokens, they were able to access and exfiltrate data from connected Salesforce instances belonging to multiple downstream organisations.

The stolen data primarily consisted of business contacts, sales communications, pricing information, and opportunity notes drawn from customers' Salesforce environments. Affected organisations reported to date include Huntress, Recorded Future, Tanium, Jamf, Sprout Social, Gong, Insurity, and - confirmed on 24 June - LastPass. The newly emerged Icarus extortion group has claimed responsibility, pressuring victims through extortion emails and a leak site. Salesforce disabled Klue's integration infrastructure on 17 June 2026 to halt the unauthorised access, clarifying that the issue was confined to Klue and did not stem from a vulnerability in the Salesforce platform itself.

The attack is a textbook illustration of how SaaS supply-chain compromises now unfold. The vulnerability was not in the core platform but in the trusted connective tissue between applications - the OAuth tokens that allow third-party tools to read and write data on a customer's behalf. Because those tokens carry standing authorisation, a single compromised integration vendor can become a gateway to the data of every organisation that connected it. The forgotten legacy credential at the root of the incident is a recurring theme in supply-chain breaches: dormant access that was never decommissioned and never monitored.
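The dormant-credential pattern described above can be checked from two directions: listing enabled credentials that have gone unused (decommissioning) and alerting when a long-silent credential is suddenly used again (monitoring). The sketch below is an added example, not code from Klue, Salesforce or any affected organisation; the 90-day threshold, the inventory, the credential names and the log lines are all constructed assumptions.

```python
from datetime import datetime, timedelta

DORMANCY = timedelta(days=90)  # assumed policy threshold, not from the article

# Constructed inventory: credential id -> (kind, enabled)
INVENTORY = {
    "svc-sync-prod": ("integration", True),
    "test-legacy-01": ("testing", True),
    "oauth-crm-connector": ("oauth_grant", True),
    "svc-retired": ("integration", False),
}

# Constructed auth log lines: "<ISO timestamp> <credential id> <source IP>"
LOG = """\
2025-01-05T09:00:00 svc-sync-prod 192.0.2.10
2025-01-07T11:30:00 test-legacy-01 192.0.2.20
2025-03-01T09:00:00 svc-sync-prod 192.0.2.10
2025-05-20T09:00:00 svc-sync-prod 192.0.2.10
2025-06-11T02:14:00 test-legacy-01 203.0.113.77
2025-06-11T09:00:00 svc-sync-prod 192.0.2.10
"""

def parse(log):
    """Return (timestamp, credential, source) tuples in time order; skip lines without three fields."""
    events = []
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append((datetime.fromisoformat(parts[0]), parts[1], parts[2]))
    return sorted(events)

def reactivations(events, dormancy=DORMANCY):
    """Detect: a credential used again after a silence longer than `dormancy`."""
    last_seen, alerts = {}, []
    for ts, cred, src in events:
        prev = last_seen.get(cred)
        if prev is not None and ts - prev > dormancy:
            alerts.append((cred, ts, src, (ts - prev).days))
        last_seen[cred] = ts
    return alerts

def decommission_candidates(inventory, events, as_of, dormancy=DORMANCY):
    """Prevent: enabled credentials unused for `dormancy` before `as_of`, or never used."""
    last_seen = {}
    for ts, cred, _ in events:
        if ts <= as_of:
            last_seen[cred] = max(ts, last_seen.get(cred, ts))
    return sorted(cred for cred, (_, enabled) in inventory.items()
                  if enabled and (cred not in last_seen or as_of - last_seen[cred] > dormancy))

if __name__ == "__main__":
    ev = parse(LOG)
    print(decommission_candidates(INVENTORY, ev, datetime(2025, 6, 1)))
    print(reactivations(ev))
```

Run against the constructed data, the audit dated 1 June flags the testing credential and the never-used grant for removal, and the reactivation check fires on the testing credential's first use after 154 days of silence.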

For organisations that rely on interconnected SaaS tools, the incident reinforces that third-party risk extends to the integrations themselves, not just the headline processors. OAuth grants, API connections, and the vendors behind them form part of the data processing chain, and a breach there triggers the same controller obligations as any other - including, where personal data is affected, assessment against the GDPR notification threshold.

Acompli perspective: When a breach enters through a connected SaaS integration, the regulatory obligations remain with the organisation whose data was exposed. The questions a regulator will ask are whether the integration was understood, whether the risk was managed, and whether access was monitored and decommissioned when no longer needed. That requires third-party risk assessments that cover SaaS integrations and the OAuth grants they hold - not only the primary processor relationships - supported by records of processing that identify which third parties can access which data, and a risk management framework that treats standing integration access as a live, monitored exposure rather than a one-time procurement decision.