Update: 6/24/26 @ 8:15 PM ET
We are aware of new activity related to the Klue incident and are continuing to monitor the situation closely. A separate unauthorized party has claimed access to data associated with the incident and has made statements regarding potential disclosure. At this time, these claims remain unverified, and our team is actively investigating in coordination with security researchers.
The unverified claims include stated plans to publish sample information about companies that have engaged with the original Icarus threat actor, and includes the names of nearly 200 companies. Following that, the unauthorized party claims that information about the victims will be released daily, unless a “compromise” is made.
We will provide further updates as new information becomes available.
———
Update: 6/22/26 @ 11:45 PM ET
Publication of Stolen Data From Klue Breach
On June 22, Icarus listed data for Huntress and several other companies that were impacted by the Klue breach on its data leak website.
Tom Lawrence, Community Growth Strategist, shares recommendations to help prepare other businesses and individuals who have potentially been wrapped up in Klue’s breach.
Huntress has investigated the data that was posted and can confirm that it is in line with the scope of information that we previously shared. The files for Huntress are limited to Salesforce data, which includes business contact information (e.g., full names, work emails, job title, phone number, and business addresses), business names, products trialed/used, subscription details (units, pricing), and sales-related communications (such as price quotes, contacts, and tasks) with Huntress customers and partners, as well as opportunity notes (i.e., free form fields where teammates can capture and track thoughts and next steps).
As expected, no data associated with Huntress products or infrastructure, or any telemetry, passwords, or payment card data was impacted, based on current evidence.
Figure 1b: The Icarus data leak site with data listed from companies on June 22, 2026
Technical Analysis of the Data
Further investigation determined that many of the file headers listed were misleading. The specific contents of those files displayed only non-sensitive system logs and routine application metadata, and did not include customer information.
Some filenames may also appear concerning at first glance. For example, a file named stripeGC_Stripe_Account_c.json was included in the dataset. Although the filename references Stripe, the associated integration had been installed but never implemented or actively used by Huntress. As a result, the file contained only limited metadata fields such as CreatedDate and LastModifiedDate and did not contain customer payment or credit card information.
We believe this occurred because the threat actors conducted a bulk export of all accessible data, regardless of whether the files contained meaningful business or customer information. As a result, many of the files included in the dataset contained only benign system information or logs.
Figure 2a: Details of Stripe .json file obtained from Klue breach
Once the data was published on the leak site, Huntress researchers quickly flagged the data dump internally and pulled down the files to begin investigating and reviewing the data. The IP address that hosted the data leak files originates from an autonomous system number (AS200593) that is registered under the organizational name PROSPERO OOO and registered in the Russian Federation. AS200593 has been flagged by previous security researchers and carries a Censys BULLETPROOF designation. We have shared this clearnet IP address with the appropriate law enforcement agencies.
What We Expect to Come Next
As previously mentioned, other companies have made statements about being impacted by the Klue breach. Data relating to many of these companies has not been posted as of yet.
Based on current activity, we anticipate that additional organizations may be impacted as this situation continues to evolve. Here are some steps that we hope can further help prepare businesses and individuals that have been impacted by the Klue breach:
- With the public data of impacted Klue downstream customers now actively being leaked, we strongly recommend against going digging through the raw leaked dataset. Accessing raw compromised data is risky as leak archives are often laced with malware. There are other, safer protective steps that individuals can take to verify their inclusion in the data: instead, confirm what was taken through your incident response team, your counsel, and a trusted intel partner.
- The threat actor will likely continue to post the data of the companies that it compromised from the Klue breach. Icarus will also likely continue to put pressure on impacted organizations to pay a ransom in exchange for not releasing their data. It’s important to remember that cybercriminals shouldn’t be trusted, and that should be a consideration in any sort of negotiation.
- In the coming weeks, impacted companies should keep a look out for potential phishing campaigns that use compromised, sales-specific data. Cybercriminals may pose as employees from Huntress or other impacted Klue customers and use stolen data to try to launch further attacks. Continue to use trusted and known channels for updates and communication.
We are continuing to investigate this incident and will post more details as they become available.
———
Update: 6/19/26 @ 4:10 PM ET
Quick update as we continue internal and external investigation with our DFIR.
We would like to reiterate that NO Huntress products, infrastructure, telemetry, passwords, or payment card data were impacted.
To confirm, the impacted data may consist of business names, products trialed/used, subscription details (units, pricing), business contact info (e.g., full names, work emails, job title, phone number, and business addresses), marketing/sales communications, and opportunity notes (i.e., free form fields where teammates can capture and track thoughts and next steps).
We will continue to conduct our internal and external investigation, and as always, will provide more details as they become available.
———
Update: 6/19/26 @ 9:45 AM ET
Klue Listed on Icarus’ Leak Site
Icarus has officially listed Klue as one of their casualties. There is no download link provided as of yet and the size is listed as “-1GB”. This appears to confirm the attribution of who was behind the original attack, however.
Figure 1a: Screenshot from Icarus’ leak site
Text from the screenshot is as follows, misspellings intact:
Description
As you've probably already heard, Klue.com has been impacted by us recently. A number of other companies' Salesforce instances, which were partners to Klue, were exfiltrated.
This leak/post is made to address this.
We advice Klue to contact us for a swift resolution, in order not to affect the companies you work with.
On the other note, if Klue doesnt want to accommodate this request, we advice the companies who want to protect their data to contact us via Session.
In order to verify you're a representative of the company you claim to be, you will need to provide a certain value/field from a row on your SF.
We wish for your cooperation, not your demise. Make the correct choice.
Data Compromised
data borrowed - not stolen
No download links
Official Statements from Affected Companies
Klue has released an official update on the incident. Also other security vendors, such as Recorded Future, Tanium, and Jamf have since stepped forward and released official statements on how they’ve been impacted. We expect there will be more statements released as others who are affected verify which data may have been touched or taken by the attackers.
Right now it remains unclear if other impacted companies (other than Klue) will be listed on the leak site at a later date.
———
*Editor’s note: On June 23, we clarified information regarding Huntress employee contact information accessed from Gong, and conversational data stored in Salesforce.
Throughout 2026, the cybersecurity industry has seen a new surge of software supply chain attacks, presented in many shapes and sizes. We at Huntress have been a constant advocates of the mantra: it’s not a matter of if, or even when, an incident occurs -- but how you respond.
We want to be transparent about a major supply chain attack that happened this week, which impacted us and other organizations. It supports our core values to put the community and transparency first. In this blog we will share what we know about the Klue incident, what we know about our incident, and what we know about the threat actor.
As the industry works to understand the scope/impact of this incident, we are committed to working with Klue and others to communicate what happened and how impacted partners and customers can protect themselves.
This post will continue to be updated as we have more information. Read on for our full report.
—
TL;DR: A threat actor compromised and exfiltrated data from customers of Klue, a market intelligence platform. Huntress is one of those customers of Klue, as are several other cybersecurity companies. Huntress believes in radical transparency about security incidents, including when it affects our company. The data that was copied from our Salesforce account includes business contacts, price quotes, and other sales-related data and messaging. No threat data, passwords, payment card information, or engineering data relating to the Huntress agent or telemetry we collect was affected. To be clear, Huntress found no indication of impact to Huntress products or infrastructure, and this incident was specific to CRM data.
—
Over the past week, a threat actor compromised some backend systems used by Klue, a market intelligence platform that provides services to a number of companies, including Huntress.
Klue's compromise began on June 11, when some anomalous behavior took place in a system that connects with various integrations to other software platforms. The attackers pushed a code update capable of collecting OAuth tokens Klue’s customers use to connect Klue to their own systems.
From what was shared by Klue, they became aware of the anomalous behavior the following day, and took note of unusual network connections to what were later identified to be IP addresses the threat actor was using to remotely connect to the Klue backend servers and execute commands. Klue has been forthcoming with regular updates on the situation posted to their website (a Klue account is required to read the notification).
Klue rapidly deactivated the OAuth credentials for all customers, and temporarily disabled its integrations with the following services while they investigated the incident:
- Salesforce
- HubSpot
- SharePoint
- Zoom
- Gong
- Chorus
- Clari
- Google Drive
- Slack App
Klue staff disabled the remote access and removed the token-theft code from their servers, and issued a general alert to customers on June 13, which did not indicate which customers were impacted. But on June 16, emails began to appear in the inboxes of some Huntress staff with the subject line “top secret email” and a warning: “Your data has been downloaded…You have 48 hours to communicate with us.”
Figure 1: One of the initial email messages received by Huntress staff
Huntress now understands that the threat actor seems to have leveraged a long-disused but still active credential to conduct the initial compromise – one that was originally created by Klue for them to prototype a third-party integration they later abandoned. The threat actor then pivoted into Klue’s infrastructure to steal the tokens used by Klue’s customers, then used those stolen credentials to query those customers’ CRM tools directly and, eventually, to exfiltrate the data.
It was, in essence, a case of the security domino effect, where one compromise led to a chain of follow-on compromises - which included Huntress, among many other Klue customers.
The conclusions detailed in this article were the result of an investigation of various service logs reviewed alongside the IOCs provided by Klue. We performed a similar investigation across logs available from other potentially impacted services, given the nature of the access facilitated by the credentials the threat actor retrieved.
We recommend the following actions to facilitate your own investigation:
|
Action Taken |
Insights | |
|
1 |
Review available logs for known IOCs |
Review the IOCs provided by Klue, and cross-reference log data from Salesforce, Klue, and other potentially affected Oauth applications configured through Klue. |
|
2 |
Request missing logs from vendors |
Some services may not have API/access logs readily available. We recommend contacting vendors to request missing logs, clarifying that they are part of an active security investigation. Note that response times will vary depending on vendor SLAs and support contracts, and may be on the order of hours. |
|
3 |
Consider revoking sessions for affected services |
As this scenario was predicated on harvested credentials, revoking service integrations may be insufficient for remediation. It is recommended that you consider revoking all active sessions for known-affected services in order to invalidate any potentially compromised sessions. A more tactical action may be feasible (e.g. individual known-compromised credentials) depending on your investigation. |
|
4 |
Review email inboxes & spam folders |
The threat actor’s emails may have been delivered, but have arrived in Spam folders. Inboxes should be reviewed for communications related to the IOC domains or similar phrasing in the email body. If identified, you may wish to remove those emails from inboxes, but it is recommended to retain them for forensic purposes. |
|
5 |
Consider engaging cyber insurance provider(s) |
If you believe you were exposed, you may wish to engage your cyber insurance provider to assist with investigation, remediation, and after-action items. These may vary significantly based on the scope of impact. |
-
Review available logs for known IOCs
Review the IOCs provided by Klue, and cross-reference log data from Salesforce, Klue, and other potentially affected Oauth applications configured through Klue. -
Request missing logs from vendors
Some services may not have API/access logs readily available. We recommend contacting vendors to request missing logs, clarifying that they are part of an active security investigation. Note that response times will vary depending on vendor SLAs and support contracts, and may be on the order of hours. -
Consider revoking sessions for affected services
As this scenario was predicated on harvested credentials, revoking service integrations may be insufficient for remediation. It is recommended that you consider revoking all active sessions for known-affected services in order to invalidate any potentially compromised sessions. A more tactical action may be feasible (e.g. individual known-compromised credentials) depending on your investigation. -
Review email inboxes & spam folders
The threat actor’s emails may have been delivered, but have arrived in Spam folders. Inboxes should be reviewed for communications related to the IOC domains or similar phrasing in the email body. If identified, you may wish to remove those emails from inboxes, but it is recommended to retain them for forensic purposes. -
Consider engaging cyber insurance provider(s)
If you believe you were exposed, you may wish to engage your cyber insurance provider to assist with investigation, remediation, and after-action items. These may vary significantly based on the scope of impact.
The exfiltrated data appears to be contact information and sales-related communications (price quotes, contacts, tasks, conversational data, and the like) with Huntress customers and partners, some product pricing data, and competitive market reports. None of the compromised data contained threat intelligence or the kinds of telemetry our tools collect. Credentials that belong to Huntress customers and partners, the organizations Huntress protects, and employees, were not compromised. The Huntress product was also not affected. There is no indication that the threat actor had access to payment information or PCI data.
Indicators of Klue Compromise
Klue’s notification on the breach includes a “non-exhaustive” list of IP addresses from which the threat actor is known to have accessed sensitive information. Those IP addresses are:
138.226.246[.]94
212.86.125[.]24
213.111.148[.]90
94.154.32[.]160
The IPs belong to ISPs based in the Netherlands, France, and Ukraine. Only one of the four IP addresses has a history of threat activity. The 138.226.246[.]94 address is connected to spam campaigns from March 2026.
Figure 2: The IP addresses were not previously connected to major threat actor activity. Source: VirusTotal.
The threat actor has historically provided samples of the exfiltrated data on the dead-drop site gofile[.]io.
According to Klue, some of the affected companies report that data associated with Salesforce and Gong were successfully exfiltrated. Huntress’ integration with Klue involved Salesforce and Gong data.
In order to make the affirmative determination of compromise, Huntress’ security team obtained logs of queries from Salesforce and Gong and searched the logs for the telltale indicators of data retrieval. This review determined that certain partner and customer data was obtained from Salesforce, while only internal Huntress employee information was accessed within Gong. Huntress employees, as well as affected partners and customers, have been promptly made aware. .
Most (effectively all) of the malicious requests to SFDC target /services/data/v59.0/query/<STRING> and nearly all have a User-Agent of 5238 or a blank value, though there are some outliers, such as these Python User-Agent strings used in nearly 900 of the queries (cumulative count on the left-hand side):
811 "Python-urllib/3.12"
58 "Python-urllib/3.14"
Investigating our Adversary
The threat actor sent an initial email to multiple different current and former Huntress employees indicating that “your data was exfiled due to a breach happening to your partner, Klue.com (ask them).” (sic)
The threat actor provided a unique key to use with a secure communications platform called Session, and instructed the recipient to “do the right decision. xoxo” (sic)
However, 38 minutes after the first message, those same staffers received a follow-up email from the same sender that simply read “wrong session lol” and had a different key. Both messages were sent by someone who refers to themselves as mr bean. The second message was signed mb. (Possibly to mean “mr bean,” or a shorthand for “my bad.”)
Figure 3: The “wrong session lol” email came about an hour later
These emails originated from one of three distinct mail domains:
- house.com.au
- robinskitchen.com.au
- baccarat.com.au
Each of these companies is a subsidiary of “Global Retail Brands,” an Australian retailer of home goods and appliances. Huntress believes the adversary leveraged the mail server used by these companies as compromised infrastructure. (Huntress provided the Australian Cyber Security Centre with information so they could notify the company of this abuse of their own infrastructure.) The message headers contained valid SPF and DMARC values, indicating the messages were actually sent by the real mail server(s) for those domains, and weren’t forged.
In the initial email, the adversary suggests, “we advice you to write to us on Session” (sic). The Session Messenger ID that they provided matched the same values included on the dark web leak site of a new extortion group dubbed “Icarus.”
Figure 4: Information from the Icarus actor on their website
The Icarus actor states on their website that they have been active since April 28, 2026, and they currently list two previous victims. The first victim entry corresponds to an intrusion in early May of 2026, with an additional message included in the “News” section dated May 5, with the text “shawty sorry for leaking ur data. dm to resolve. <3”
This first victim entry includes buttons for “Part 1” and “Part 2” of the alleged leaked data, with external links to gofile[.]io. Gofile states within their FAQ that hosted content is stored by default for 10 days, while Premium paid accounts offer long-term storage. At the time of writing on June 17, the Gofile-hosted content referenced in the Icarus victim listing is not available.
Figure 5: The Gofile-hosted content was not available as of June 17
The second victim entry is “pending” for release, however, the text description suggests the files that would be published contain specifically Salesforce data. This entry was first seen on June 16, aligning with the timeline of the current situation. When it was first published, the page included another Session Messenger ID value that matched the ID provided in the initial extortion email. We observed the page later changed to instead include the second Session Messenger ID value that was provided in the actor’s follow-up email correction.
With those matching data points we have high confidence that the Icarus actor is responsible for the Klue compromise and this supply chain attack. The latest message on their “News” section, dated June 12, states: “get ready; big corps getting listed. be ready”.
Figure 6: The latest note from the Icarus threat actor in the “News” section of their website
What's next
We are in direct contact with leadership at Klue and we have engaged the appropriate incident response teams. As this story unfolds, we will continue to share relevant details of this incident in full transparency -- that’s just what we do at Huntress.
Klue and the other impacted organizations were victims of a crime. Our industry sits within a fragile ecosystem where supply chain risk means that any organization can be affected by upstream effects -- that can occur without any fault of their own.
This is not the end of this story. We will continue to update this blog as we find more information that enables you to have full context: for Klue, for Huntress, for the many other organizations that will soon speak out that they have been affected -- and for the community.