Market intelligence platform Klue suffers a supply-chain breach affecting major cybersecurity clients, triggering chaotic extortion threats from rival hackers.
A sophisticated supply chain cyberattack targeting the Vancouver-based competitive intelligence platform Klue has triggered a chaotic chain reaction in the enterprise software ecosystem. The breach, which compromised OAuth tokens to steal customer data, has affected a range of high-profile tech and cybersecurity firms. However, the situation has taken a remarkably bizarre turn as multiple distinct cybercriminal entities argue over the stolen data, with one group claiming to delete it, while others continue issuing active extortion threats.
The incident highlights the unique vulnerabilities inherent in non-human identities and automated software integrations. While Klue noted that the original threat actors claimed to have wiped their copies of the stolen repository, a secondary tier of digital extortionists has emerged to threaten affected enterprises, demanding ransom payouts before a looming deadline.
Anatomy of the OAuth Token Abuse
The security failure traces back to June 11, 2026, when malicious actors successfully infiltrated Klue’s backend infrastructure using a legacy integration credential dating back to a 2022 pilot project. Once inside Klue’s architecture, the hackers pushed a malicious code update specifically engineered to harvest OAuth tokens, digital keys that allow Klue to securely interact with third-party software without needing raw passwords.
By stealing these high-level authorization tokens, the hackers were able to masquerade as the trusted Klue application. They bypassed traditional perimeter defenses to access customers’ Customer Relationship Management (CRM) environments, specifically targeting Salesforce and Gong instances. According to some analyses, the attackers ran a high-velocity automated script, querying and pulling large volumes of data within short, sustained extraction windows before the malicious activity could be contained.
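One way a customer could spot the bulk-extraction pattern described above in its own API logs, as an added example that is not from Klue, Salesforce or the original article. The record layout, app name, thresholds and IP addresses are constructed assumptions, not a real log schema.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample records (not a real Salesforce or Gong log schema):
# (ISO timestamp, connected app name, source IP, rows returned by the query)
SAMPLE_EVENTS = [
    ("2026-06-11T09:00:00", "vendor-app", "198.51.100.10", 40),
    ("2026-06-11T09:20:00", "vendor-app", "198.51.100.10", 55),
    ("2026-06-11T13:00:05", "vendor-app", "203.0.113.77", 5000),
    ("2026-06-11T13:00:40", "vendor-app", "203.0.113.77", 5000),
    ("2026-06-11T13:01:10", "vendor-app", "203.0.113.77", 5000),
    ("2026-06-11T13:02:30", "vendor-app", "203.0.113.77", 5000),
    ("2026-06-11T15:00:00", "vendor-app", "198.51.100.10", 60),
]

def find_bulk_pulls(events, window=timedelta(minutes=5), max_rows=10_000,
                    known_ips=frozenset()):
    """Flag (app, ip) pairs whose rows returned inside any sliding window
    exceed max_rows. One alert per burst; unknown source IPs are marked."""
    recent = {}       # (app, ip) -> deque of (time, rows) inside the window
    totals = {}       # (app, ip) -> running row total for that deque
    alerting = set()  # keys currently above threshold (suppresses repeats)
    alerts = []
    for ts, app, ip, rows in sorted(events):
        now = datetime.fromisoformat(ts)
        key = (app, ip)
        q = recent.setdefault(key, deque())
        q.append((now, rows))
        totals[key] = totals.get(key, 0) + rows
        # Drop events that have aged out of the window.
        while q and now - q[0][0] > window:
            totals[key] -= q.popleft()[1]
        if totals[key] > max_rows:
            if key not in alerting:
                alerting.add(key)
                alerts.append({"app": app, "ip": ip,
                               "start": q[0][0].isoformat(),
                               "rows_in_window": totals[key],
                               "new_ip": ip not in known_ips})
        else:
            alerting.discard(key)
    return alerts

if __name__ == "__main__":
    for alert in find_bulk_pulls(SAMPLE_EVENTS, known_ips={"198.51.100.10"}):
        print(alert)
```

Keying on the (app, source IP) pair matters here because a stolen OAuth token presents as the trusted application, so the app name alone does not separate the vendor's normal traffic from the extraction burst.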
Major Security Vendors Disclose Impacts
Because Klue’s “Battlecards” and market data services are widely utilized across the tech industry, the breach created a swift domino effect. At least 13 major enterprise clients have stepped forward to confirm that their Salesforce data fields were compromised, including several prominent cybersecurity operations:
- Huntress
- Recorded Future
- Tanium
- HackerOne
- LastPass
- Snyk
In customer-facing advisories, the affected firms emphasized that no primary products, code repositories, user passwords, or sensitive telemetry data were touched. Instead, the stolen records consist of business-level CRM fields: client contact names, email addresses, product subscription tiers, pricing quotes, and historical sales communications. While the records do not contain deep network vulnerabilities, security professionals warn that this exact type of corporate directory information is highly valuable for crafting ultra-targeted phishing and social engineering campaigns.
Exploding Extortion Demands and Rival Hackers
The narrative surrounding the breach shifted from standard corporate espionage into a complex extortion maze. The primary attack has been confidently attributed to Icarus, a cyber-extortion group that emerged onto the threat landscape in early 2026. Representatives from Huntress noted receiving messages from a hacker using the moniker “Mr Bean,” pointing directly to communication lines operated by the Icarus syndicate.
In an unprecedented twist, Klue reported that certain data-handling criminal elements claimed they had deleted the stolen tranches of corporate data. Yet almost immediately, other fractured threat groups began recycling the exfiltrated datasets to double down on secondary extortion efforts. Impacted teams reported receiving high-pressure emails warning that their downloaded Salesforce logs would be publicly posted to dark web forums if negotiations were ignored.
In response, Klue CEO Jason Smith confirmed the company has engaged digital forensics powerhouse CrowdStrike to fully scrub its integration channels, revoke all valid OAuth tokens, and assist law enforcement teams. Salesforce has also taken the preventative step of entirely disabling the Klue Battlecards application across its global marketplace to halt any further unauthorized lateral movement. The event stands as a stark warning to modern organizations regarding the severe cascading risks tied to unmonitored third-party vendor access.

