2026-06-24 · 5 min read

Klue Supply Chain Attack: How One Compromised Credential Breached LastPass, Huntress, and More

A single legacy credential from 2022 led to a massive supply chain attack affecting LastPass, Huntress, Recorded Future, and other security vendors through the Icarus extortion group.

Tags: Supply Chain, Data Breach, OAuth, Extortion, Cybersecurity

The Domino Effect


In what Huntress described as a "security domino effect," a single compromised credential at Vancouver-based Klue led to data breaches at multiple cybersecurity and technology companies, including LastPass, Huntress, Recorded Future, Tanium, Jamf, and Sprout Social.


How the Attack Happened


The Root Cause

The breach was traced to a credential created for a limited pilot project in 2022 — a legacy integration that was never properly decommissioned.


The Attack Chain

1. Attackers compromised the legacy credential

2. Used it to access OAuth tokens Klue held for customers

3. Leveraged tokens to access Salesforce environments

4. Exfiltrated CRM data including customer names, emails, phone numbers, and support cases


The Extortion Group

The Icarus extortion group, active since late April 2026, claimed responsibility. They threatened to publish stolen data if companies didn't pay ransoms.


Victims of the Klue Breach


| Company | Data Exposed |
|---------|--------------|
| LastPass | Customer names, emails, phone numbers, support cases |
| Huntress | Customer data from Salesforce |
| Recorded Future | CRM data |
| Tanium | Customer information |
| Jamf | Customer records |
| Sprout Social | Customer data |

Why This Matters


1. Supply Chain Risk is Real

One compromised vendor can cascade into dozens of breaches. Klue's integration with Salesforce and Gong created a single point of failure.

2. Legacy Credentials are Dangerous

A pilot project from 2022 became the attack vector. How many forgotten integrations does your organization have?

3. Security Vendors Aren't Immune

Companies that sell security products were themselves victims. This should concern every customer who trusted them with their data.

4. OAuth Tokens are High-Value Targets

Once attackers have OAuth tokens, they can access connected services without needing passwords.


Lessons for Your Organization

Audit Third-Party Integrations

• Review all OAuth connections regularly
• Remove unused integrations
• Implement least-privilege access for apps
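The audit above is easy to describe and easy to skip. The following is an added example, not code from Klue, Huntress or any vendor named in this post, of how such a review can be automated against an inventory of integration credentials. The inventory format, the scope names and the thresholds (90 days unused, 365 days old) are assumptions; the sample inventory is constructed and includes a credential modelled on the 2022 pilot grant described above.

```python
"""Flag third-party integration credentials that are stale, legacy, created
for a pilot, or able to reach customer data, so they can be revoked, rotated
or reviewed before someone else finds them.  Added example; the inventory
schema and scope names are assumptions, not any vendor's export format."""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

# Scopes that grant read or export access to customer records (assumed names).
HIGH_RISK_SCOPES = {"crm.read", "crm.export", "contacts.read", "support_cases.read"}


@dataclass
class IntegrationCredential:
    name: str
    owner_team: str
    created: date
    last_used: Optional[date]          # None means never used since issuance
    scopes: Set[str] = field(default_factory=set)
    purpose: str = ""


def audit_credentials(creds: List[IntegrationCredential], today: date,
                      stale_after_days: int = 90, max_age_days: int = 365
                      ) -> Dict[str, Tuple[str, List[str]]]:
    """Return {credential name: (action, reasons)} for every credential that
    needs attention.  Actions: 'revoke' (stale or pilot grant that can reach
    customer data), 'review' (in use but high-risk, or stale but low-risk),
    'rotate' (simply older than the rotation policy)."""
    findings: Dict[str, Tuple[str, List[str]]] = {}
    for c in creds:
        reasons: List[str] = []
        stale = c.last_used is None or (today - c.last_used).days > stale_after_days
        legacy = (today - c.created).days > max_age_days
        pilot = any(w in c.purpose.lower() for w in ("pilot", "test", "poc", "trial"))
        risky = sorted(c.scopes & HIGH_RISK_SCOPES)
        if stale:
            reasons.append(f"unused for more than {stale_after_days} days")
        if legacy:
            reasons.append(f"created more than {max_age_days} days ago; rotate or retire")
        if pilot:
            reasons.append("provisioned for a pilot/test; confirm it was decommissioned")
        if risky:
            reasons.append("scopes reach customer data: " + ", ".join(risky))
        if not reasons:
            continue
        if risky and (stale or pilot):
            action = "revoke"       # the Klue pattern: forgotten grant, live access to CRM data
        elif risky or stale:
            action = "review"
        else:
            action = "rotate"
        findings[c.name] = (action, reasons)
    return findings


# Constructed sample inventory; names and dates are illustrative only.
SAMPLE_INVENTORY = [
    IntegrationCredential("klue-pilot-2022", "marketing", date(2022, 3, 1), date(2022, 9, 15),
                          {"crm.read", "crm.export"}, "Competitive intelligence pilot"),
    IntegrationCredential("billing-sync", "finance", date(2025, 11, 1), date(2026, 6, 20),
                          {"invoices.read"}, "Invoice export to ERP"),
    IntegrationCredential("support-dashboard", "support", date(2024, 1, 10), date(2026, 6, 22),
                          {"support_cases.read"}, "Case volume dashboard"),
    IntegrationCredential("analytics-export", "data", date(2025, 3, 1), date(2026, 6, 15),
                          {"analytics.read"}, "Nightly usage metrics"),
]


def run_sample_audit() -> Dict[str, Tuple[str, List[str]]]:
    """Run the audit against the constructed inventory as of the post's date."""
    return audit_credentials(SAMPLE_INVENTORY, today=date(2026, 6, 24))


if __name__ == "__main__":
    for name, (action, reasons) in run_sample_audit().items():
        print(f"{action.upper():7} {name}")
        for r in reasons:
            print(f"         - {r}")
```

The point of the severity ladder is that neither "old" nor "high-risk" alone is the alarm; the combination of a grant nobody has used in months and scopes that reach customer records is what the `revoke` bucket isolates, and that bucket should be empty after every review.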

Credential Management

• Rotate API keys and tokens regularly
• Monitor for unusual API activity
• Implement secrets management solutions
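"Monitor for unusual API activity" is the control that would have shown a forgotten integration token suddenly pulling CRM data in bulk. The following is an added example, not Klue's, Salesforce's or any named vendor's code, of baseline-and-deviation detection over an API access log. The log format (CSV with timestamp, token, source IP, operation, object and record count), the baseline cutoff and the 10x volume factor are assumptions; the log lines are constructed to show a long-dormant token's normal pattern followed by a bulk export from a new address.

```python
"""Baseline each integration token's normal API behaviour (source IPs,
objects touched, request volume, hours of activity) and alert when a request
deviates on several axes at once.  Added example; the log schema and
thresholds are assumptions, and the log lines below are constructed."""
import csv
import io
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List

# Constructed sample log: months of small daytime reads by one integration
# token, then off-hours bulk reads of Contact and Case from a new address.
SAMPLE_LOG = """\
ts,token,src_ip,op,object,records
2026-06-01T09:02:11Z,tok_integration_a,203.0.113.10,query,Account,40
2026-06-02T09:05:43Z,tok_integration_a,203.0.113.10,query,Account,55
2026-06-03T09:01:07Z,tok_integration_a,203.0.113.11,query,Account,48
2026-06-04T09:03:29Z,tok_integration_a,203.0.113.10,query,Opportunity,30
2026-06-05T09:00:52Z,tok_integration_a,203.0.113.11,query,Account,51
2026-06-20T02:14:08Z,tok_integration_a,198.51.100.77,query,Contact,25000
2026-06-20T02:19:33Z,tok_integration_a,198.51.100.77,query,Case,18000
2026-06-20T02:25:01Z,tok_integration_a,198.51.100.77,query,Account,60
"""


def parse_log(text: str) -> List[dict]:
    """Parse the CSV log into dicts with a UTC datetime and integer record count."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        r["ts"] = datetime.strptime(r["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        r["records"] = int(r["records"])
        rows.append(r)
    return rows


def build_baseline(events: List[dict], cutoff: datetime) -> Dict[str, dict]:
    """Per token: IPs, objects and hours seen, and the largest single read,
    using only events before the cutoff."""
    base: Dict[str, dict] = defaultdict(
        lambda: {"ips": set(), "objects": set(), "hours": set(), "max_records": 0})
    for e in events:
        if e["ts"] >= cutoff:
            continue
        b = base[e["token"]]
        b["ips"].add(e["src_ip"])
        b["objects"].add(e["object"])
        b["hours"].add(e["ts"].hour)
        b["max_records"] = max(b["max_records"], e["records"])
    return base


def detect(events: List[dict], cutoff: datetime,
           volume_factor: int = 10, min_score: int = 2) -> List[dict]:
    """Score each post-cutoff event by how many baseline axes it breaks;
    emit an alert when the score reaches min_score."""
    base = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e["ts"] < cutoff:
            continue
        b = base.get(e["token"])
        reasons = []
        if b is None:
            reasons.append("token has no baseline history")
        else:
            if e["src_ip"] not in b["ips"]:
                reasons.append(f"new source ip {e['src_ip']}")
            if e["object"] not in b["objects"]:
                reasons.append(f"first access to object {e['object']}")
            if e["records"] > volume_factor * b["max_records"]:
                reasons.append(f"bulk read of {e['records']} records "
                               f"(baseline max {b['max_records']})")
            if e["ts"].hour not in b["hours"]:
                reasons.append(f"activity at {e['ts'].hour:02d}:00 UTC, outside baseline hours")
        if len(reasons) >= min_score:
            alerts.append({"ts": e["ts"].isoformat(), "token": e["token"],
                           "score": len(reasons), "reasons": reasons})
    return alerts


def run_sample() -> List[dict]:
    """Run detection on the constructed log; everything before 2026-06-15 is baseline."""
    cutoff = datetime(2026, 6, 15, tzinfo=timezone.utc)
    return detect(parse_log(SAMPLE_LOG), cutoff)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[score {a['score']}] {a['ts']} {a['token']}: " + "; ".join(a["reasons"]))
```

Scoring on several independent axes rather than one keeps a single new office IP or a single larger-than-usual report from paging anyone, while a new address, a new object, an off-hours window and a record count two orders of magnitude above baseline together are exactly the shape of the exfiltration described in the attack chain above.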

Incident Response

• Have a plan for supply chain breaches
• Monitor for indicators of compromise
• Communicate transparently with customers

How to Check Your Exposure

Use Vaarta.space to scan your domain for security misconfigurations that could make you vulnerable to similar attacks.

[Free domain security scan](https://vaarta.space)

