One stale OAuth token. That's all it took.
Klue — a competitive intelligence platform your sales team probably uses — got compromised on June 12.
Attackers found a dormant credential from a prototype integration. No one revoked it. No one monitored it.
They injected backdoor code. Stole every customer OAuth token. Then queried Salesforce directly via REST API for 24 hours straight.
Huntress confirmed hit. Recorded Future confirmed hit. Tanium, Jamf, Sprout Social, Gong, Insurity, OneTrust, Snyk — all confirmed.
One unnamed org lost 13.9 million records. Names, emails, contracts, price quotes, competitive intel.
The attacker is a new group called Icarus. They're already emailing extortion demands.
Here's what should alarm every CISO:
Obsidian caught it because the integration started authenticating from different IPs. Different user agents. Different API version — v59.0 instead of v64.0. Bulk SOQL queries pulling hundreds of objects.
Your SIEM didn't catch it. Your EDR didn't catch it. Klue's own alerts didn't name affected customers for days.
This is the third major SaaS supply chain breach in 12 months. Salesloft Drift. Gainsight. Now Klue.
The pattern is identical every time: stale integration token + over-privileged OAuth scope + zero runtime monitoring = cascading breach across hundreds of downstream customers.
Audit every third-party OAuth app connected to your Salesforce today. Revoke any token you can't explain. If you don't have runtime monitoring on integration behavior, you're already exposed.
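The four signals described above (new source IP, new user agent, changed API version, bulk object pulls) can be checked against a per-integration baseline. The sketch below is an added example, not code from Obsidian or from this post. The event field names, the app name `vendor-app`, the sample events and the `bulk_factor` threshold are all assumptions constructed for illustration.

```python
import re

# Constructed events. Field names and the app name are hypothetical,
# not a real Salesforce log schema.
BASELINE = [
    {"app": "vendor-app", "ip": "198.51.100.10", "ua": "vendor-sync/2.1",
     "uri": "/services/data/v64.0/query", "objects": 3},
    {"app": "vendor-app", "ip": "198.51.100.11", "ua": "vendor-sync/2.1",
     "uri": "/services/data/v64.0/sobjects/Account", "objects": 1},
]
NEW_EVENTS = [
    {"app": "vendor-app", "ip": "198.51.100.10", "ua": "vendor-sync/2.1",
     "uri": "/services/data/v64.0/query", "objects": 2},
    {"app": "vendor-app", "ip": "203.0.113.77", "ua": "python-requests/2.31",
     "uri": "/services/data/v59.0/query", "objects": 240},
]

# Salesforce REST paths carry the API version: /services/data/vNN.0/...
VERSION_RE = re.compile(r"/services/data/(v\d+\.\d+)/")

def api_version(uri):
    m = VERSION_RE.search(uri)
    return m.group(1) if m else None

def build_profile(events):
    """Per-app baseline: seen IPs, user agents, API versions, largest query."""
    profile = {}
    for e in events:
        p = profile.setdefault(
            e["app"], {"ip": set(), "ua": set(), "ver": set(), "max_objects": 1})
        p["ip"].add(e["ip"])
        p["ua"].add(e["ua"])
        p["ver"].add(api_version(e["uri"]))
        p["max_objects"] = max(p["max_objects"], e["objects"])
    return profile

def deviations(event, profile, bulk_factor=10):
    """List the signals on which an event departs from its app's baseline."""
    p = profile.get(event["app"])
    if p is None:
        return ["unknown_app"]
    checks = [
        ("new_ip", event["ip"] not in p["ip"]),
        ("new_user_agent", event["ua"] not in p["ua"]),
        ("new_api_version", api_version(event["uri"]) not in p["ver"]),
        ("bulk_query", event["objects"] > bulk_factor * p["max_objects"]),
    ]
    return [name for name, hit in checks if hit]
```

Any single signal is noisy on its own; an event that trips several at once, like the second constructed event here, is the one worth paging on.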
SOURCE: https://www.obsidiansecurity.com/blog/icarus-klue-salesforce-integration-supply-chain-attack
VERIFIED: BleepingComputer (June 18-19), TechCrunch (June 22), Huntress investigation report, Recorded Future disclosure, Obsidian Security technical analysis (June 25-26)
SIGNAL: This is the playbook now. One compromised vendor → hundreds of downstream breaches. Your SaaS supply chain is your attack surface.
Huntress, Recorded Future, and Tanium just got breached through a vendor you've never audited. 13.9 million Salesforce records walked out the door.
AI-Assisted Content — Produced with AI assistance and human editorial review.