Back
Back to Blog

Klue Third-Party Incident: Tracking Impacted Organizations

On this page

The compromise of the Klue Battlecards application, a third-party Salesforce integration, continues to affect organizations connected to the platform.

VenariX is actively investigating the campaign and publishing newly identified impacted organizations as they are confirmed.

What Happened?

In June 2026, Klue disclosed a security incident involving its Battlecards Salesforce application. According to Klue, attackers gained access to its integration infrastructure through a compromised GitHub Personal Access Token and deployed malicious code designed to harvest customer OAuth tokens.

The stolen tokens were subsequently used to access Salesforce environments connected to the Klue Battlecards integration.

As part of its response, Salesforce disabled the Klue Battlecards integration and stated that the issue was limited to the third-party application and was not the result of a vulnerability within the Salesforce platform.

Threat Actor Attribution

The activity has been claimed by the threat actor Icarus, who publicly disclosed the incident on its data leak site on June 19, 2026.

1781972813199.png
Screenshot from Icarus' data leak site.

Campaign Scope

A total of 195 organizations were reportedly impacted by this incident. However, VenariX has been able to identify 35 organizations with confirmed impact:

  • 8×8, Inc.

  • ABBYY

  • AlertMedia, Inc.

  • AudienceView

  • BeyondTrust Corp

  • Blackbaud, Inc.

  • Camunda, Inc.

  • Confluent, Inc.

  • ControlUp Technologies Ltd.

  • Cresta Intelligence, Inc.

  • Deel, Inc.

  • eSentire, Inc.

  • Greenhouse Software, Inc.

  • HackerOne

  • Huntress

  • Insurity, LLC

  • Jamf Software, LLC

  • LastPass

  • Link11 GmbH

  • LogicMonitor, Inc.

  • LucaNet AG

  • NetDocuments Software, Inc.

  • OneTrust

  • Pendo.io, Inc.

  • Postman, Inc.

  • Qualtrics, LLC

  • Recorded Future

  • Saviynt, Inc.

  • SentinelOne, Inc.

  • Snyk Ltd.

  • Spashtop, Inc.

  • Sprout Social, Inc.

  • Tanium, Inc.

  • Thinkproject

  • Tines

Track the Campaign in VenariX

VenariX is tracking all related activity under the Klue Battlecards campaign in the VenariX platform. VenariX users can filter incidents by campaign and configure email alerts to stay informed as new impacted organizations are identified.

SCR-20260710-hibz.png
Organizations currently tracked by VenariX in connection with the Klue Battlecards campaign.

What Impacted Organizations Should Watch For

Organizations identified in the campaign should remain alert for phishing and spear-phishing attacks.

Based on confirmed reports, data accessed from affected Salesforce environments may include business contact information, including names, job titles, business email addresses, prospects, and customer relationship data.

Organizations that conduct business with affected entities should also remain vigilant. Threat actors can use this information to craft highly targeted phishing messages that reference legitimate business relationships, ongoing sales opportunities, suppliers, customers, and existing communications. Because the information originates from trusted business systems, these messages may appear more credible than traditional phishing attempts and may be difficult for recipients to distinguish from legitimate correspondence.

VenariX

Every security decision,
backed by real data.

Start with a free plan or try Pro free for one week.