LastPass has confirmed that customer data was exposed in a supply chain attack against Klue, an AI-powered market intelligence platform used by over 250,000 enterprise users worldwide. The breach, claimed by a newly emerged extortion group called Icarus, exploited OAuth token access to mass-extract CRM records from hundreds of organizations' Salesforce environments simultaneously — a textbook third-party pivot attack.
What Is Klue?
Klue is a competitive intelligence SaaS platform that integrates deeply with enterprise tools including Salesforce, Gong, HubSpot, Slack, Google Drive, Zoom, Chorus, Clari, and SharePoint. Those OAuth integration grants are precisely what the attackers weaponized.
How the Attack Unfolded
Icarus gained initial access to Klue's infrastructure using a compromised legacy credential tied to an integration service account that had been created for a prototype integration and never decommissioned. With that foothold, attackers pushed a malicious code update to Klue's backend that systematically harvested OAuth tokens customers had granted for their Salesforce — and Gong — integrations.
Automated Python-based tooling then queried Salesforce's REST API at scale, enumerating CRM objects via /services/data/v59.0/sobjects and mass-extracting records through /services/data/v59.0/query. Hundreds of Klue customers' Salesforce environments were drained simultaneously within a narrow window.
Timeline of Events
| Date | Event |
|---|---|
| Late April 2026 | Icarus extortion group first appears on the dark web with two prior victims |
| June 11–12, 2026 | Attackers access Klue; malicious code harvests OAuth tokens from customer integrations |
| June 12, 2026 | Klue detects unauthorized activity, notifies customers, revokes credentials, disables integrations |
| June 17, 2026 | Salesforce disables the Klue Battlecards app after detecting unusual OAuth activity |
| June 19, 2026 | Icarus officially lists Klue on its dark web leak site |
| June 22, 2026 | Icarus's publication deadline passes; CEO Jason Smith acknowledges the breach; stolen data begins appearing publicly |
| June 23, 2026 | LastPass publicly discloses its own exposure |
Who Was Affected
Beyond LastPass, at least ten organizations have confirmed Salesforce data was accessed via the Klue breach:
- Huntress — business contacts, price quotes, and sales data
- HackerOne — Salesforce instance data
- Jamf — CRM data (no product or customer service impact)
- OneTrust — customer exposure notification issued
- Recorded Future — client contact names, emails, and potential contract data
- Snyk, Sprout Social, Insurity, Tanium — all confirmed Salesforce data accessed
- Gong — internal licensed user data (names, titles, emails); no call recordings affected
The Register reported the total victim count is in the "hundreds."
What Data Was Exposed
The breach was limited to CRM and business contact data from Salesforce environments. No password vaults, product systems, payment data, or customer master passwords were affected.
Exposed data included:
- Customer names, email addresses, phone numbers, and mailing addresses
- Support case information
- Sales opportunity notes, pricing data, and sales communications
LastPass was explicit: "No one at LastPass will ever ask for your master password. All official communication from LastPass comes through our trusted support channels."
The Icarus Extortion Group
Icarus is a newly emerged financially motivated extortion actor, first seen in late April 2026. Key traits:
- Communication: Session Messenger, using the alias "mr bean"
- Model: threatens data publication unless victims pay
- Leak site post, June 12: "get ready; big corps getting listed. be ready."
- Attribution: Huntress assessed with high confidence, based on corroborating data points, that Icarus is responsible
- Negotiation: no confirmed victim has indicated any intent to negotiate
What LastPass and Klue Did
LastPass disabled employee access to Klue, rotated all exposed API and OAuth tokens, launched an internal investigation, notified law enforcement, and engaged its Threat Intelligence, Mitigation, and Escalation (TIME) team to share indicators.
Klue CEO Jason Smith called the incident "a deliberate criminal act," engaged CrowdStrike for forensic investigation, and initiated a full review of credential management and deployment processes.
The Bigger Picture
This breach is a clear example of why SaaS integration sprawl is a growing attack surface. Attackers did not need to breach each victim directly — they compromised one trusted vendor and leveraged its OAuth grants to pivot into hundreds of enterprise environments simultaneously.
The primary risk to affected organizations is now phishing, social engineering, and targeted extortion using stolen CRM contact data. Organizations that granted Klue OAuth access to their Salesforce environments should audit what data was accessible and notify affected personnel accordingly.
Immediate actions: Rotate any OAuth tokens or API credentials previously granted to Klue. Review Salesforce audit logs for unusual API access between June 11–17, 2026. Brief sales and customer-facing teams on elevated social engineering risk.
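As an added example (not code from the article, LastPass, Klue, or Salesforce), here is a small Python triage script of the kind the "review Salesforce audit logs" step calls for. It reads an export shaped like Salesforce's RestApi EventLogFile (the column names are an assumption and the sample rows and IDs are constructed) and flags connected-app/user pairs whose traffic inside the June 11–17 window matches the pattern described above: a /sobjects enumeration followed by a burst of /query calls, or an unusually large row total.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone

# Incident window named in the article: June 11-17, 2026 (UTC assumed).
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 18, tzinfo=timezone.utc)

# Constructed sample rows in the shape of a Salesforce RestApi EventLogFile
# export; the column names are an assumption and the IDs are placeholders.
SAMPLE_LOG = """TIMESTAMP_DERIVED,USER_ID,CONNECTED_APP_ID,METHOD,URI,ROWS_PROCESSED
2026-06-11T22:01:03.000Z,user-A,app-klue,GET,/services/data/v59.0/sobjects,0
2026-06-11T22:01:05.000Z,user-A,app-klue,GET,/services/data/v59.0/query,2000
2026-06-11T22:01:06.000Z,user-A,app-klue,GET,/services/data/v59.0/query,2000
2026-06-11T22:01:07.000Z,user-A,app-klue,GET,/services/data/v59.0/query,2000
2026-06-11T22:01:08.000Z,user-A,app-klue,GET,/services/data/v59.0/query,2000
2026-06-12T09:15:00.000Z,user-B,app-internal,GET,/services/data/v59.0/query,40
2026-06-12T09:20:00.000Z,user-B,app-internal,PATCH,/services/data/v59.0/sobjects/Opportunity/006X,1
2026-06-20T10:00:00.000Z,user-A,app-klue,GET,/services/data/v59.0/query,2000
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)

def find_bulk_extraction(log_text, max_queries_per_min=3, max_rows=5000):
    """Return {(connected_app, user): stats} for principals whose in-window
    traffic looks like mass extraction (enumeration + query burst, or big row total)."""
    stats = defaultdict(lambda: {"queries": 0, "rows": 0, "enumerated": False,
                                 "per_minute": defaultdict(int)})
    for row in csv.DictReader(io.StringIO(log_text)):
        ts = parse_ts(row["TIMESTAMP_DERIVED"])
        if not (WINDOW_START <= ts < WINDOW_END):
            continue  # outside the incident window, ignore
        s = stats[(row["CONNECTED_APP_ID"], row["USER_ID"])]
        uri = row["URI"].rstrip("/")
        if uri.endswith("/sobjects"):          # object enumeration call
            s["enumerated"] = True
        elif "/query" in uri:                  # SOQL query endpoint
            s["queries"] += 1
            s["rows"] += int(row["ROWS_PROCESSED"])
            s["per_minute"][ts.strftime("%Y-%m-%dT%H:%M")] += 1
    flagged = {}
    for key, s in stats.items():
        burst = max(s["per_minute"].values(), default=0) > max_queries_per_min
        if (s["enumerated"] and burst) or s["rows"] > max_rows:
            flagged[key] = {"queries": s["queries"], "rows": s["rows"],
                            "enumerated": s["enumerated"]}
    return flagged
```

Thresholds are deliberately low for the constructed sample; tune them against a baseline of the integration's normal daily volume before running over a real export.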