[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$frCxp-WVbir6AaToz0BsUElByEOV1Qhbde2irHMcQXls":3},{"article":4,"iocs":51},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":28,"category":29,"article_tags":33},"81d30319-4093-4e3a-9d35-e1cb97fe0a45","More Klue Breach Victims Identified as Hackers Get Hacked","more-klue-breach-victims-identified-as-hackers-get-hacked-51c556","Roughly two dozen companies have notified their customers of the Klue-Salesforce incident impact. The post More Klue Breach Victims Identified as Hackers Get Hacked appeared first on SecurityWeek.","Klue, a market intelligence platform, suffered a supply chain attack where hackers used compromised credentials to access customer data and OAuth tokens. The threat actor, Icarus, claimed responsibility and threatened to leak data, but Klue claims to be negotiating. In a twist, Icarus was reportedly hacked, and the stolen data is now with a new extortionist group.","Klue breach victims identified; hackers hacked, data now with new threat actor.","Roughly two dozen Klue customers have come forward and confirmed that their Salesforce instances were compromised in a supply chain attack earlier this month. The attack unfolded between June 11 and 12, when hackers used compromised legacy credentials to access the market intelligence platform Klue, obtain OAuth tokens for customers’ Klue integrations, and exfiltrate data in bulk. Salesforce disabled the Klue integration on June 17, and its status page shows it has yet to re-enable it. Gong also disabled the integration. The list of impacted organizations also includes AlertMedia, Blackbaud (requires authentication), Camunda, Cresta, Deel, Lucanet, Link11, and Tines. Klue has hundreds of customers and the blast radius could be wider, but SecurityWeek has not seen other notifications regarding the incident. It should also be noted that some Klue customers, such as Autodesk, might not use the Salesforce integration with Klue and were not affected. The attack was claimed by a threat actor named Icarus, which added Klue and several of its customers to a Tor-based leak site, threatening to leak the stolen information – mainly business contact and support data – unless a ransom was paid.Advertisement. Scroll to continue reading. Klue confirmed the data breach on Monday, saying it was investigating it, but has yet to publicly share updates on the findings. In the meantime, however, the market research firm has notified its customers privately that it has been in contact with the threat actor, which started deleting the stolen data, TechCrunch reports. Icarus’s leak site has been unavailable for the past couple of days, likely as a result of the negotiations with Klue, which suggests that the company might have paid up. Additionally, Klue reportedly told customers that Icarus themselves were hacked, and that the stolen data is now in the hands of another threat actor, which is running its own extortion campaign. The incident allegedly affects 195 Klue customers, but the second group supposedly stole only sample data from Icarus. No known extortion group other than Icarus appears to have publicly claimed possession of data stolen during the Klue incident. SecurityWeek has emailed Klue for a statement and will update this article if the company responds. Related: Canadian Electricity Provider London Hydro Discloses Data Breach Related: Xsolis Data Breach Affects 1.4 Million Individuals Related: Texas Parks & Wildlife Data Breach Affects 3 Million Individuals Related: Kodak Admits Data Breach After ShinyHunters Hack Claims Written By Ionut Arghire Ionut Arghire is an international correspondent for SecurityWeek. Daily Briefing Newsletter Subscribe to the SecurityWeek Email Briefing for the latest cybersecurity threats, trends, and expert insights. More from Ionut Arghire Runlayer Raises $30 Million in Series A FundingGitLab Patches Code Execution, Information Disclosure Vulnerabilities25-Year-Old Vulnerability Patched in CurlNIST Opens Updated IoT Security Guidance to Public ReviewChrome 149 Update Resolves 18 Severe VulnerabilitiesCritical Ubiquiti Vulnerabilities in Attackers’ CrosshairsNew ‘Mistic’ RAT Opens Door to Several Ransomware FamiliesExploitable CI\u002FCD Vulnerabilities Expose Millions of Repositories to Hijacking Latest News Amazon Q Flaw Enabled Cloud Credential Theft via Malicious RepositoriesIn Other News: Chinese Mythos-Like AI, Tata Electronics Breach, Snyk LayoffsNebulock Raises $25 Million for AI-Native Contextual SecurityLinux Foundation Unveils New Open Source Security Project Akrites$3 Million Reportedly Stolen in Polymarket HackRussian APT Deploys ‘StockStay’ Backdoor Against Ukrainian TargetsFirst-Ever Exploitation of PTC Windchill Vulnerability Discovered in the WildNew Enterprise-Ready MCP Specification Brings New Security Challenges Trending Daily Briefing NewsletterSubscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts. Webinar: Why Email Security Keeps Failing (And What Has to Change) July 8, 2026 Join this live webinar as we break down why email-layer defenses alone can't keep pace with the modern phishing ecosystem, how agentic AI is changing the capacity equation for security teams, and more. Register Virtual Event: 2026 Cloud Security Summit July 16, 2026 This year's summit will help organizations learn how to utilize tools, controls, and design models needed to properly secure cloud environments. Interact with leading solution providers and other end users facing similar challenges in securing a variety of cloud deployments. Register People on the MoveMark Carter has been appointed Chief Information Security Officer at Socure.Spektrum Labs has named Mark Cravotta Chief Operating Officer.Philip Martin has joined Uber as Chief Information Security Officer.More People On The MoveExpert Insights When Information Becomes the Attack Surface – Understanding AI Agent Traps From hidden content injections to cognitive state poisoning, attackers are turning trusted data sources into traps for autonomous AI. (Etay Maor) What the Latest ShinyHunters Breaches Reveal About Modern Cyberattacks Groups like ShinyHunters are demonstrating that attackers do not necessarily need malware or zero-day exploits to cause massive damage. (Torsten George) No Exploits Required Four decades of incident response experience suggest that exploits are often the symptom, not the root cause, of today’s cybersecurity failures. (Tod Beardsley) After AI Reaches Production: 12 Ways Security Teams Can Take Control Security teams need more than visibility into AI applications, they need a repeatable framework for monitoring, investigating, and defending them in production. (Joshua Goldfarb) Everybody Is Vibe Coding But Nobody Told the Security Team AI-driven development is not something organizations can or should block. But it must be governed. (Danelle Au) Flipboard Reddit Whatsapp Whatsapp Email","https:\u002F\u002Fwww.securityweek.com\u002Fmore-klue-breach-victims-identified-as-hackers-get-hacked\u002F","https:\u002F\u002Fwww.securityweek.com\u002Fwp-content\u002Fuploads\u002F2026\u002F06\u002Fsupply-chain-threat.webp","2026-06-26T15:01:33+00:00","2026-06-26T16:00:19.683229+00:00",8,[18,21,23,26],{"name":19,"type":20},"Salesforce","product",{"name":22,"type":20},"Klue",{"name":24,"type":25},"Icarus","threat_actor",{"name":22,"type":27},"vendor","2e06f76c-d5b9-4f54-9eef-4d3447b10730",{"id":28,"icon":30,"name":31,"slug":32},null,"Breaches","breaches",[34,39,41,46],{"category":35},{"id":36,"icon":30,"name":37,"slug":38},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":40},{"id":28,"icon":30,"name":31,"slug":32},{"category":42},{"id":43,"icon":30,"name":44,"slug":45},"7d8b5ab8-ea0b-4ced-ae97-ec251b86993a","Ransomware","ransomware",{"category":47},{"id":48,"icon":30,"name":49,"slug":50},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[52],{"type":53,"value":24,"context":54},"malware","Threat actor claiming responsibility for the Klue breach and subsequent data extortion."]