Attack Chain

Icarus (threat actor behind the breach)
    -- compromises -->
Klue Integration (supply chain vector): holds OAuth credentials for customer Salesforce orgs
    -- uses the stolen credentials to query multiple customer orgs -->
Customer Salesforce orgs: the attacker bulk-queries each connected org's CRM data via the REST API
    -- exfiltrates from each victim org -->
CRM data: contact info, opportunity notes, business data; staged for extortion
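The chain above turns on one signal: a single integration's OAuth tokens being used from infrastructure that is not the vendor's, against many tenants at once, pulling far more rows than the integration normally does. The following is an added example, not Klue's or Salesforce's code, of detection logic that flags that pattern over API-event records. The record layout (org, app, ip, rows, entities), the vendor egress range, and the event values are all constructed assumptions; real Salesforce ApiEvent fields would need to be mapped onto them.

```python
"""Hypothetical detector for stolen connected-app OAuth tokens (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumption: the integration vendor publishes its egress ranges; a token for
# that app seen from any other address is suspect. Constructed value.
VENDOR_EGRESS = {"KlueIntegration": [ip_network("203.0.113.0/24")]}

# Constructed API-event records (field names are assumptions, not Salesforce's).
# Rows 1-2: normal vendor traffic. Rows 3-5: one foreign IP reading three orgs in bulk.
EVENTS = [
    {"org": "00D1", "app": "KlueIntegration", "ip": "203.0.113.10", "rows": 200, "entities": "Contact"},
    {"org": "00D2", "app": "KlueIntegration", "ip": "203.0.113.11", "rows": 150, "entities": "Opportunity"},
    {"org": "00D1", "app": "KlueIntegration", "ip": "198.51.100.7", "rows": 50000, "entities": "Contact,Opportunity"},
    {"org": "00D2", "app": "KlueIntegration", "ip": "198.51.100.7", "rows": 42000, "entities": "Contact,Opportunity,Account"},
    {"org": "00D3", "app": "KlueIntegration", "ip": "198.51.100.7", "rows": 61000, "entities": "Contact,Opportunity"},
    {"org": "00D3", "app": "SomeOtherApp", "ip": "192.0.2.5", "rows": 20, "entities": "Account"},
]


@dataclass(frozen=True)
class Alert:
    rule: str
    app: str
    ip: str
    orgs: tuple
    rows: int


def from_vendor(app: str, ip: str) -> bool:
    """True if ip falls inside the egress ranges known for this app."""
    addr = ip_address(ip)
    return any(addr in net for net in VENDOR_EGRESS.get(app, []))


def detect(events, app="KlueIntegration", bulk_rows=10000, min_orgs=2):
    """Return alerts for one connected app, sorted by rule name.

    unknown_source  - the app's token used from an IP outside vendor egress
    bulk_read       - rows returned from one IP to one org at or above bulk_rows
    multi_tenant_ip - one non-vendor IP touching at least min_orgs orgs, which is
                      the supply-chain signature: a legitimate tenant admin never
                      holds tokens for other tenants, only the vendor does
    """
    rows_by_ip_org = defaultdict(int)
    orgs_by_foreign_ip = defaultdict(set)
    for e in events:
        if e["app"] != app:
            continue
        rows_by_ip_org[(e["ip"], e["org"])] += e["rows"]
        if not from_vendor(app, e["ip"]):
            orgs_by_foreign_ip[e["ip"]].add(e["org"])

    alerts = []
    for ip, orgs in orgs_by_foreign_ip.items():
        for org in sorted(orgs):
            alerts.append(Alert("unknown_source", app, ip, (org,), rows_by_ip_org[(ip, org)]))
    for (ip, org), rows in rows_by_ip_org.items():
        if rows >= bulk_rows:
            alerts.append(Alert("bulk_read", app, ip, (org,), rows))
    for ip, orgs in orgs_by_foreign_ip.items():
        if len(orgs) >= min_orgs:
            total = sum(rows_by_ip_org[(ip, o)] for o in orgs)
            alerts.append(Alert("multi_tenant_ip", app, ip, tuple(sorted(orgs)), total))
    return sorted(alerts, key=lambda a: (a.rule, a.ip, a.orgs))


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(f"{a.rule:16} app={a.app} ip={a.ip} orgs={','.join(a.orgs)} rows={a.rows}")
```

The multi_tenant_ip rule is the one worth running on the vendor side as well as in each customer org: a customer only sees its own org and can at best notice an unfamiliar IP and a spike in rows, while the vendor, which holds tokens for every tenant, is the only party positioned to see one foreign address walking across many orgs.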
Incident Timeline (attacker activity and Klue response)

June 11, 2026, 12:56 UTC - Anomalous activity begins (attacker)
First anomalous behavior observed in Klue's integration infrastructure.

June 12, 2026 - Intrusion detected (Klue response)
Klue identifies unusual connections from external IPs. Salesforce access is cut to stop further exfiltration.

June 13, 2026 - Credentials revoked (Klue response)
Klue revokes OAuth credentials for all customers, disables the integrations, and sends a general customer alert.

June 16, 2026 - Extortion campaign begins (attacker)
Affected organizations receive a "top secret email" with a 48-hour deadline to contact the actor over an encrypted messaging app.

June 19, 2026 - Klue listed on leak site (attacker)
Icarus lists Klue on its leak site.