Canadian Cyber Security Journal
Filed under: TechTalk

Klue Supply Chain Attack: Icarus Extortion Group Now Hits Nine Cybersecurity Firms Via Salesforce OAuth — What Canadian Enterprises Must Do Now

What Happened

At least nine organisations have confirmed that data was stolen from their Salesforce environments following a supply chain attack on market intelligence platform Klue. The attack began on June 11–12, 2026, when the Icarus extortion group — an emerging criminal actor that launched in April 2026 — gained access to Klue’s integration infrastructure using a compromised legacy service account credential. The attackers pushed a malicious code update that harvested OAuth tokens, the authorisation keys connecting Klue to customers’ third-party platforms.

Using those tokens, the attackers accessed connected Salesforce instances and exfiltrated CRM data including business contacts, sales quotes, competitive intelligence records, and pricing documents. Klue identified the breach on June 12 and immediately revoked affected credentials, disabling integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack.

Confirmed victims include Gong, HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, and Tanium — a list that represents some of the most prominent names in cybersecurity and enterprise SaaS. The Icarus group set June 22 as its deadline for extortion negotiations, threatening to post the stolen data publicly if demands were not met. (Source: SecurityWeek)

Why This Matters for Canadian Organizations

The Klue incident follows the same structural pattern as the Icarus group’s compromise of Klue reported in coverage on June 18 — but the victim list has expanded and the data release deadline has arrived. This is no longer a warning; organisations that had not already audited their Klue and Salesforce OAuth connections must now operate on the assumption that their data is public.

For Canadian enterprises, this attack raises several immediate concerns. Salesforce is pervasive across Canadian financial services, insurance, telecommunications, legal, and technology sectors. Any organisation using Klue’s Salesforce integration — or any SaaS tool that connected to Salesforce via OAuth — must treat its OAuth token grants as a potential attack surface. The Icarus group’s approach requires no exploitation of a Salesforce vulnerability; a compromised integration partner is sufficient to reach your CRM data.

Under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), organisations are required to report breaches of security safeguards that create a real risk of significant harm. CRM data exfiltration involving business contacts, pricing, and sales intelligence almost certainly meets that threshold for many organisations in regulated sectors. The Office of the Privacy Commissioner expects prompt breach assessment, and the Canadian Centre for Cyber Security (CCCS) tracks supply chain attack patterns of exactly this type. Financial institutions subject to OSFI Guideline B-13 must also assess whether the breach represents a reportable third-party risk incident.

What to Do

Audit all OAuth token grants in your Salesforce environment immediately. Revoke any active grants associated with Klue and review the access scopes granted to all connected third-party applications. Check Salesforce’s Connected Apps and OAuth usage logs for activity between June 11 and June 15. If Klue was connected to your Salesforce instance, treat the data that connection could access as potentially exfiltrated and begin a breach assessment under PIPEDA. Notify your legal and privacy teams. Review your SaaS vendor management process to ensure integration partners receive the same security scrutiny as direct vendors — OAuth access to your CRM is effectively full read access to its contents.
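The triage described above, as an added example that is not part of the original article: a short Python script that reads an export of connected-app OAuth grants, flags every grant to Klue for revocation, and separates out other broad-scope grants that were used inside the June 11 to June 15 window for review. The CSV column names and the sample rows are constructed for illustration; map them onto whatever your own Connected Apps and OAuth usage export produces.

```python
"""Post-incident triage of Salesforce connected-app OAuth grants.
The input format is an assumed CSV export (app name, user, granted
scopes, last-used timestamp); adapt the column names to your org's
actual Connected Apps / OAuth usage export."""
import csv
import io
from datetime import datetime, timezone

# Exposure window named in the article: June 11 to June 15, 2026 (UTC assumed).
WINDOW_START = datetime(2026, 6, 11, tzinfo=timezone.utc)
WINDOW_END = datetime(2026, 6, 16, tzinfo=timezone.utc)  # exclusive
# OAuth scopes that give an app broad read access to CRM data.
BROAD_SCOPES = {"full", "api", "refresh_token", "offline_access"}

# Constructed sample export, not real data.
SAMPLE_EXPORT = """app_name,username,scopes,last_used
Klue,alice@example.ca,api refresh_token,2026-06-12T03:14:00Z
Klue,bob@example.ca,full,2026-05-30T10:00:00Z
Slack,alice@example.ca,api,2026-06-13T09:00:00Z
Gong,carol@example.ca,api refresh_token,2026-06-14T22:41:00Z
Salesforce Mobile,bob@example.ca,api web,2026-06-10T08:00:00Z
"""

def parse_grants(text):
    """Parse the export into dicts with a scope set and a tz-aware datetime."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["scopes"] = set(r["scopes"].split())
        r["last_used"] = datetime.fromisoformat(r["last_used"].replace("Z", "+00:00"))
        rows.append(r)
    return rows

def triage(grants, compromised_apps=("Klue",)):
    """Return (revoke, review): revoke holds every grant to a compromised app,
    review holds other broad-scope grants used inside the exposure window."""
    revoke, review = [], []
    for g in grants:
        in_window = WINDOW_START <= g["last_used"] < WINDOW_END
        if g["app_name"] in compromised_apps:
            g["used_in_window"] = in_window  # evidence the token was active
            revoke.append(g)
        elif in_window and g["scopes"] & BROAD_SCOPES:
            review.append(g)
    return revoke, review

if __name__ == "__main__":
    rev, rvw = triage(parse_grants(SAMPLE_EXPORT))
    for g in rev:
        print("REVOKE", g["app_name"], g["username"], "used in window:", g["used_in_window"])
    for g in rvw:
        print("REVIEW", g["app_name"], g["username"], sorted(g["scopes"]))
```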
