Safeguard
Software Supply Chain Security

Vendor breach exposure: third-party risk lessons from the Klue incident

A single forgotten credential at Klue exposed Salesforce CRM data at 14+ companies, including Snyk and Huntress—here's what it teaches about vendor risk.

Safeguard Research Team
Research
8 min read

On June 12, 2026, Klue — a competitive intelligence and sales-enablement platform used by hundreds of B2B companies — discovered that an attacker had been sitting inside its integration infrastructure since April 28, roughly six weeks earlier. The intruder had found a long-forgotten API credential tied to a Salesforce integration Klue had prototyped and never shipped, then used it to push a malicious code update into Klue's production integration service. That update quietly harvested OAuth tokens belonging to Klue customers, giving the threat actor — an extortion group calling itself Icarus — direct API access into the Salesforce CRMs of at least 14 confirmed victims, including cybersecurity vendors Huntress, Snyk, Tanium, Recorded Future, HackerOne, LastPass, and BeyondTrust. No Klue password or payment data was touched. The breach didn't start with a firewall gap or a phishing email; it started with a vendor's forgotten credential, and it is a textbook case study in third party vendor breach risk inside a SaaS-integrated enterprise.

What Happened in the Klue Security Incident?

An attacker used a stale, unused credential from an abandoned integration prototype to plant OAuth-token-harvesting code inside Klue's production systems. According to Klue's own disclosure and reporting from CSO Online and The Hacker News, initial access dates back to April 28, 2026, when the attacker found "a long-disused but still active credential" originally created to test a third-party integration that Klue never actually deployed. Rather than exploiting a zero-day or brute-forcing a login, the attacker simply used credentials nobody remembered to revoke. Once inside, they pushed a code update to Klue's integration layer designed to collect OAuth tokens that customers used to connect Klue to Salesforce and other platforms. With those stolen tokens in hand, the attacker ran automated Python scripts against the Salesforce REST API for roughly 24 hours, pulling CRM records directly from customer environments. Salesforce detected unusual activity and disabled the Klue integration around June 11–12; Klue confirmed the intrusion and began revoking tokens and removing unauthorized code the same week. Icarus publicly claimed the breach on June 19, listing Klue on its dark-web leak site.

How Did One Forgotten Credential Cause a Multi-Company Breach?

One credential caused a multi-company breach because it sat inside a shared integration layer with standing OAuth trust relationships to dozens of customer Salesforce orgs simultaneously. Klue's integration service wasn't a single-tenant connector — it was the trusted intermediary that every customer's Salesforce instance had already authorized to read and write CRM data. Compromising that one service was functionally equivalent to compromising the CRM access of every organization that had ever clicked "Allow" on the integration. OAuth tokens don't require the original login credentials, don't always expire on a short cycle, and rarely trigger MFA re-checks once granted — which is exactly why they're such an efficient target. The attacker didn't need 14 separate exploits against 14 separate companies; they needed one abandoned test credential and a code push. This is the structural risk of the modern SaaS-to-SaaS integration model: trust is granted once, broadly, and then largely forgotten until something goes wrong.

Why Does Third-Party Vendor Breach Risk Hit Security Companies Too?

Third-party vendor breach risk hits security companies because sales and marketing teams at security vendors use the same SaaS stack as everyone else, and that stack sits outside the product security perimeter. Huntress, Snyk, Tanium, HackerOne, LastPass, and BeyondTrust all build security products with mature AppSec programs — but their go-to-market teams also connected Klue's Battlecards app to Salesforce for competitive intelligence, the same way a retailer or a fintech would. None of these companies' core products were affected; the exposure ran through the sales org's toolchain, not the engineering pipeline. That distinction matters for a simple reason: vendor risk doesn't respect org charts. A marketing intelligence tool with a forgotten credential can expose customer contact data at a company whose entire business is stopping breaches, because the review process for a "harmless" sales tool is almost always lighter than the review process for infrastructure. Roughly two dozen Klue customers came forward confirming Salesforce data exposure — a reminder that vendor tiering by department, rather than by data access, misses the actual attack surface.

What Data Was Exposed, and How Bad Was It?

The data exposed was CRM metadata and business records, not passwords or payment information, but the scope varied meaningfully by victim. Huntress confirmed exposure of business contacts, price quotes, and sales communications. Recorded Future confirmed client contact names, email addresses, and some contract information. Across the broader victim list, exposed categories included business contact information, subscription and pricing details, support case data, and sales-related CRM records. Salesforce's response illustrates how far the blast radius extended beyond Klue itself: rather than disabling only the Battlecards integration, Salesforce moved to disable a broader set of connected apps as a precaution, including integrations tied to HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack, until each could be re-verified. That's the real cost of an OAuth-token breach — it's not just the one vendor you have to worry about, it's every other integration that shares the same trust model, reviewed on an emergency timeline instead of a planned one.

What Vendor Risk Lessons Does the Klue Incident Teach?

The core lesson is that a vendor risk assessment performed once at signing cannot catch a credential that goes stale eighteen months later. Klue's incident didn't stem from a vendor with a weak SOC 2 report or no security program — it stemmed from operational debris: a credential minted for a project that was never finished and never cleaned up. Four concrete takeaways follow directly from the incident:

  • Inventory every OAuth-connected app, not just "approved" vendors. Klue was a sanctioned, contracted tool at every named victim. The risk wasn't an unauthorized shadow-IT app; it was a fully approved one with excess standing access.
  • Unused credentials and dead integrations are attack surface, not clutter. The exploited credential belonged to a feature that was prototyped and abandoned — nobody revoked it because nobody was thinking about it.
  • OAuth scopes deserve the same scrutiny as IAM roles. A CRM-read-write token granted broadly to a marketing tool is a standing liability that persists long after anyone remembers granting it.
  • Vendor risk needs to be continuous, not point-in-time. Icarus didn't need six months to plan this; they needed one active credential and 24 hours of API access to do damage across a dozen-plus organizations.

How Can Organizations Actually Reduce Third-Party Vendor Breach Risk?

Organizations reduce third-party vendor breach risk by treating every connected integration as a live piece of their attack surface that gets audited on a recurring cadence, not a form filled out once during procurement. In practice, that means running quarterly reviews of every OAuth app with production data access and revoking anything unused for more than 90 days; enforcing least-privilege scopes so a competitive-intelligence tool gets read-only access to the fields it actually needs rather than broad CRM read-write; building credential lifecycle policies that force expiration and rotation on integration tokens the same way they're enforced on service accounts; and contractually requiring vendors to disclose breach timelines within a fixed SLA — Klue's public disclosure came roughly a week after detection, which is a reasonable industry pace but still leaves a window where downstream customers are exposed and unaware. None of this requires exotic tooling. It requires the discipline to treat vendor access as a standing liability that decays if it isn't actively managed, which is precisely the discipline most vendor risk programs skip once the contract is signed.

How Safeguard Helps

Safeguard is built to close the gap the Klue incident exposed: the space between "we approved this vendor" and "we know exactly what that vendor can reach." Safeguard's reachability analysis maps which of your dependencies and integrations actually touch exploitable code paths and sensitive data flows, so a stale credential or an over-scoped OAuth token shows up as a prioritized risk rather than an invisible liability. Griffin AI continuously correlates vendor and dependency changes against your environment to flag anomalous access patterns — like a long-dormant integration credential suddenly being used — before they escalate into an incident. Safeguard also generates and ingests SBOMs across your first- and third-party software estate, giving security teams a living inventory of every connected component instead of a point-in-time vendor questionnaire, and where a fix is available, Safeguard opens auto-fix pull requests directly against affected manifests so remediation doesn't stall waiting on a ticket queue. Together, these capabilities turn vendor risk from an annual checklist into something your team can actually monitor and act on.

Never miss an update

Weekly insights on software supply chain security, delivered to your inbox.