Agentic Intelligence · Infomly

A stale credential just bled 13.9 million Salesforce records. Huntress, LastPass, Recorded Future all hit.

AI-Assisted Content — Produced with AI assistance and human editorial review.
A competitive intelligence vendor your sales team probably uses just became the biggest SaaS supply chain breach of 2026.

Klue was compromised on June 11 through a credential that was created for a prototype integration — and never decommissioned.

The attacker stole OAuth tokens for Salesforce, Gong, HubSpot, SharePoint, and Slack.

Then they exfiltrated CRM data through the Salesforce REST API.

One victim lost 13.9 million records in a single overnight burst.

Huntress, Recorded Future, LastPass, and Tanium all confirmed they were hit.

The data stolen includes business contacts, price quotes, subscription details, and sales communications.

A new criminal group called Icarus — active since April — is claiming responsibility.

They're now extortion-emailing the victims with 48-hour deadlines.

Here's what should alarm every CISO:

The stale credential had permission to change code.

Klue's own platform was the pivot point — not Salesforce, not Gong, not Slack.

One forgotten integration token gave the attacker the keys to every connected SaaS environment.

Your security team audits firewalls, endpoints, and identity providers.

But when was the last time you audited every OAuth token granted to every third-party integration across your SaaS stack?

Audit every third-party integration token in your Salesforce, HubSpot, and Gong environments today.

Kill any credential you cannot explain.

If you can't account for it, assume it's already compromised.
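One way to run that audit over an exported token inventory, as an added example (not code from the cited reports or any vendor). The inventory rows, field names, the `REGISTER` of accountable owners, the scope values and the 90-day idle threshold are all constructed assumptions:

```python
from datetime import date

# Constructed sample export; field names and values are assumptions, not a vendor schema.
INVENTORY = [
    {"app": "crm-sync-prod", "platform": "salesforce", "scopes": {"api", "refresh_token"}, "last_used": "2026-06-24"},
    {"app": "prototype-connector", "platform": "salesforce", "scopes": {"full", "refresh_token"}, "last_used": "2024-04-15"},
    {"app": "call-notes-import", "platform": "gong", "scopes": {"read"}, "last_used": None},
    {"app": "unknown-exporter", "platform": "hubspot", "scopes": {"read"}, "last_used": "2026-06-25"},
]
# Hypothetical integration register: app name -> accountable owner ("" = nobody).
REGISTER = {"crm-sync-prod": "sales-ops", "prototype-connector": "", "call-notes-import": "revops"}
BROAD_SCOPES = {"full"}  # assumption: scopes you treat as over-privileged


def audit_tokens(inventory, register, today, max_idle_days=90):
    """Return [(app, platform, action, reasons)] for every token needing action."""
    findings = []
    for tok in inventory:
        reasons = []
        # Missing from the register, or registered with no owner: nobody can explain it.
        if not register.get(tok["app"]):
            reasons.append("no accountable owner")
        if tok["last_used"] is None:
            reasons.append("never used")
        else:
            idle = (today - date.fromisoformat(tok["last_used"])).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle} days")
        if tok["scopes"] & BROAD_SCOPES:
            reasons.append("broad scope")
        if reasons:
            action = "revoke" if "no accountable owner" in reasons else "review"
            findings.append((tok["app"], tok["platform"], action, reasons))
    # Unexplained tokens sort first: the rule above is to kill what you cannot explain.
    return sorted(findings, key=lambda f: f[2] != "revoke")


if __name__ == "__main__":
    for app, platform, action, reasons in audit_tokens(INVENTORY, REGISTER, date(2026, 6, 26)):
        print(f"{action.upper():7} {platform:11} {app:20} {', '.join(reasons)}")
```

Note that `unknown-exporter` is flagged for revocation even though it was used yesterday: recent activity does not make a token explained.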

SOURCE: https://www.obsidiansecurity.com/blog/icarus-klue-salesforce-integration-supply-chain-attack
VERIFIED: Obsidian Security (June 25-26), Huntress (June 18), Cybersecurity Dive (June 23), Datadog Security Labs (June 22)
SIGNAL: This is the attack pattern that will define 2026 — compromised SaaS integrations as the entry point, not phishing, not vulnerabilities. Every enterprise with third-party OAuth connections is exposed.