Customer names, phone numbers, physical addresses, and support case contents were among the data stolen from LastPass and at least ten other organizations after attackers compromised Klue, a third-party market intelligence platform, and harvested the OAuth tokens it held on behalf of enterprise clients.
LastPass disclosed on June 23 that hackers gained access to its Salesforce environment using OAuth credentials stolen from Klue, a competitive intelligence vendor integrated with its go-to-market tools.
The attack did not reach LastPass’s own infrastructure or its customers’ encrypted password vaults. Support case records, which can contain account issue details, billing context, and security concerns shared in confidence, were exposed along with standard contact data.
“On June 12th LastPass was made aware of an incident that occurred at Klue,” the company said in its advisory. “An unauthorized actor was able to obtain OAuth tokens Klue held for many of its customers, including LastPass.”
LastPass said it revoked employee access to Klue, rotated the compromised tokens, and notified law enforcement. It published indicators of compromise, including IP addresses and email sender domains tied to the campaign, for use by defenders.
Shifting perimeter: OAuth
For years, the cybersecurity industry has sold the premise that protecting an organization means hardening its perimeter — patching its systems, monitoring its endpoints, securing its accounts. The Klue attack suggests that premise is now dangerously incomplete.
When a single forgotten credential at a competitive intelligence vendor most of its victims’ customers had never heard of can expose the Salesforce environments of HackerOne, Recorded Future, Huntress, and LastPass simultaneously, the perimeter is no longer the boundary worth defending. The boundary is every vendor, every integration, every OAuth token quietly authorized and never reviewed again — and for most organizations, that inventory doesn’t exist.
The Klue attack is not a Salesforce problem. Dormant OAuth grants accumulate across every enterprise platform — as Security Point Break reported this week, Google Workspace carries the same exposure through abandoned app connections that retain access to Gmail, Drive, and AI tools long after employees stop using them.
Klue confirmed on June 19 that an attacker gained entry using a legacy credential created in 2022 for an integration prototype that was later abandoned. The credential was never decommissioned.
Once inside, the attacker pushed a malicious code update to Klue’s integration infrastructure. The update harvested OAuth tokens that Klue’s customers use to connect the platform to Salesforce, Gong, and other business systems. The attacker then used those tokens to impersonate legitimate Klue integrations and query connected Salesforce environments directly.
Salesforce disabled the Klue Battlecards application connection across customer environments on June 17. “This issue is limited to Klue’s app connection and does not arise from a vulnerability within the Salesforce platform,” the company said.
ReliaQuest, which detected the suspicious activity and alerted Klue, published its technical analysis on June 18. Attackers ran automated Python scripts against the Salesforce REST API for roughly 24 hours. One 15-minute window generated nearly a thousand queries — consistent with bulk data extraction, not routine integration traffic.
The culprit
The Icarus extortion group, active since late April 2026, claimed the attack. On June 16, affected organizations began receiving emails with the subject line “top secret email.” The message warned that data had been downloaded and gave recipients 48 hours to make contact. The Session Messenger ID in those emails matched the identifier listed on Icarus’s dark web leak site.
Data began appearing publicly on June 22.
The victim list is striking in its composition. Organizations confirming exposure include HackerOne, Recorded Future, Tanium, Jamf, Gong, Snyk, OneTrust, Sprout Social, Huntress, and Insurity, in addition to LastPass. Gong confirmed the attackers accessed internal licensed user data through its Klue integration, including user names, titles, and email addresses, but said call recordings and customer transcripts were not affected.
“All available evidence suggests that Recorded Future was not specifically targeted and was instead an incidental victim by virtue of utilizing the compromised integration between Salesforce and Klue,” Recorded Future said in its disclosure.
No one on the victim list was singled out. They were simply connected to Klue.
Josh Picolet, VP of Detection and Analysis at Team Cymru, said the attack illustrates a structural problem that perimeter-focused security programs miss entirely. “The most important lesson from the Klue incident is that attackers are increasingly targeting the connective tissue between organizations rather than the organizations themselves,” Picolet said.
“Third-party platforms often sit at the center of large networks of trust, making them attractive targets because a single compromise can create downstream access to dozens or hundreds of victims. Security teams need to understand not only what data they own, but who else can access it and how that access is being secured,” Picolet said.
Not an isolated event
ReliaQuest documented the same OAuth-abuse pattern in two prior Salesforce campaigns. In August 2025, a cluster tracked as UNC6395 used stolen Salesloft Drift tokens to query hundreds of Salesforce environments. In November 2025, the ShinyHunters group used stolen Gainsight access tokens for similar bulk extraction. Each attack exploited the same gap: a trusted third-party integration with persistent, broad access and minimal monitoring.
Note: A Telegram account purporting to be ShinyHunters claimed responsibility for the Klue breach on June 21. ReliaQuest said it could not independently verify that account’s authenticity, and Huntress attributed the attack to Icarus based on matching Session Messenger IDs.
Verizon’s 2026 Data Breach Investigations Report placed the trend in statistical relief. Third-party involvement in confirmed breaches jumped 60 percent year over year and now accounts for 48 percent of all breaches, up from 30 percent in 2024. The report identified insecure authentication as the root cause in the majority of those third-party incidents.
Risky business
The immediate risk for affected organizations is social engineering. Stolen support case contents and sales records give attackers the context to make phishing attempts look credible. LastPass warned customers to treat unsolicited contact with heightened suspicion and confirmed it will never ask for a master password.
ReliaQuest recommended that any organization with a Klue–Salesforce integration treat remediation as urgent: revoke and rotate all OAuth tokens and refresh tokens tied to the integration, audit Salesforce API logs for unusual REST query volume, and enforce IP allowlisting for third-party integration accounts. The same checklist applies to any SaaS integration with similar access scope.
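As an added defender-side illustration, not code from the article, ReliaQuest, or Salesforce, the Python below applies two items from that checklist, burst-volume detection on REST query logs and IP allowlist enforcement for integration accounts, to constructed sample log lines. The log line layout, the connected-app names, the IP addresses and the 200-requests-per-15-minutes threshold are all assumptions for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample log lines: "<ISO timestamp> <connected app> <source IP> <REST path>".
# This layout is an assumption for the example, not Salesforce's real event log schema.
BASELINE = [
    "2026-06-14T09:00:12Z klue_battlecards 198.51.100.7 /services/data/v60.0/query",
    "2026-06-14T09:31:40Z klue_battlecards 198.51.100.7 /services/data/v60.0/query",
    "2026-06-14T10:02:05Z gong_sync 203.0.113.20 /services/data/v60.0/sobjects/Case",
]

# Assumed per-integration source IP allowlist (constructed values).
ALLOWLIST = {"klue_battlecards": {"198.51.100.7"}, "gong_sync": {"203.0.113.20"}}


def constructed_burst(start="2026-06-15T02:15:00Z", count=950, ip="192.0.2.99"):
    """Generate `count` queries from one unrecognised IP inside a single 15-minute span."""
    t0 = datetime.strptime(start, FMT)
    step = timedelta(seconds=900 / count)  # spread evenly over 15 minutes
    return [f"{(t0 + i * step).strftime(FMT)} klue_battlecards {ip} /services/data/v60.0/query"
            for i in range(count)]


def parse(lines):
    """Split each line into (timestamp, app, source_ip, path)."""
    out = []
    for line in lines:
        ts, app, ip, path = line.split()
        out.append((datetime.strptime(ts, FMT), app, ip, path))
    return out


def burst_windows(records, minutes=15, threshold=200):
    """Count requests per (app, aligned window) and return windows above threshold."""
    counts = Counter()
    for ts, app, _ip, _path in records:
        bucket = ts.replace(minute=ts.minute - ts.minute % minutes, second=0, microsecond=0)
        counts[(app, bucket)] += 1
    return {key: n for key, n in counts.items() if n > threshold}


def offsite_requests(records, allowlist):
    """Return requests whose source IP is not allowlisted for that integration."""
    return [r for r in records if r[2] not in allowlist.get(r[1], set())]


def analyse(lines=None, allowlist=None):
    """Run both checks; defaults to the constructed baseline plus a bulk-extraction burst."""
    records = parse(BASELINE + constructed_burst() if lines is None else lines)
    return burst_windows(records), offsite_requests(records, allowlist or ALLOWLIST)
```

Run `analyse()` to see the burst flagged as one over-threshold window and every burst request reported as coming from an address outside the integration's allowlist.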
“The threat actor will likely continue to post the data of the companies that it compromised from the Klue breach,” Huntress said. “Icarus will also likely continue to put pressure on impacted organizations to pay a ransom.”