Klue OAuth Attack: How One Legacy Credential Breached Ten Companies
On June 24, 2026, LastPass disclosed that customer contact information — names, email addresses, phone numbers, physical addresses, and support case details — had been exposed through a breach of Klue, a third-party market intelligence vendor. The exposure did not touch customer password vaults, but the incident is notable for reasons beyond LastPass: the same attack hit at least ten other well-known organizations simultaneously, including HackerOne, Huntress, Jamf, Recorded Future, and Snyk.
The root cause is a lesson the industry keeps failing to learn: a credential created in 2022 for a "limited pilot project" was never retired. Four years later, the Icarus extortion group — active only since April 2026 — found it and used it to walk through the front door.
How Icarus Pulled It Off
Klue is a competitive intelligence platform that integrates with customers' Salesforce CRM and Gong environments to pull in market data. Those integrations require OAuth tokens — effectively long-lived permission slips that say "Klue is allowed to read this system on behalf of the customer." Klue held those tokens inside its own infrastructure.
According to Klue's own disclosure, the attackers first obtained the legacy 2022 credential, which granted access to Klue's integration service layer. From there, Icarus pushed malicious code into that infrastructure to harvest the OAuth tokens stored for customer integrations. With those tokens in hand, the attackers made direct REST API calls against connected Salesforce and Gong instances — enumerating objects and bulk-extracting CRM records — without ever needing to touch LastPass's own systems or authenticate against Salesforce directly. Salesforce has since disabled the Klue app integration while the investigation continues.
Klue detected the intrusion on June 12, publicly disclosed on June 21, and LastPass followed with its own customer notification on June 24. The Icarus group has threatened to publish the stolen data unless a ransom is paid by the end of this week.
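The access pattern described above (an integration token that normally reads a couple of object types suddenly enumerating many objects and pulling records in bulk) is something a customer can watch for in their own CRM API logs, independently of the vendor. The following is an added illustration, not code from Klue, LastPass or Salesforce: it compares each connected app's recent activity against its own history. The log format, app names, object names and thresholds are constructed for the example; real audit-log schemas differ and the thresholds would be tuned per tenant.

```python
"""Added example: spot an integration identity whose API usage departs from
its own baseline (new object types, bulk row counts). Constructed data."""
import json
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one JSON record per API call made by a connected app.
# Field names and app names are hypothetical, not any vendor's real schema.
SAMPLE_LOG_LINES = [
    '{"ts":"2026-06-01T09:00:00Z","app":"market-intel-app","object":"Account","rows":150}',
    '{"ts":"2026-06-02T09:00:00Z","app":"market-intel-app","object":"Account","rows":140}',
    '{"ts":"2026-06-03T09:00:00Z","app":"market-intel-app","object":"Opportunity","rows":90}',
    '{"ts":"2026-06-04T09:00:00Z","app":"market-intel-app","object":"Account","rows":160}',
    '{"ts":"2026-06-05T09:00:00Z","app":"billing-sync","object":"Invoice","rows":500}',
    # Current window: the same token now walks new objects and extracts in bulk.
    '{"ts":"2026-06-11T02:00:00Z","app":"market-intel-app","object":"Contact","rows":20000}',
    '{"ts":"2026-06-11T02:05:00Z","app":"market-intel-app","object":"Case","rows":12000}',
    '{"ts":"2026-06-11T02:10:00Z","app":"market-intel-app","object":"Lead","rows":8000}',
    '{"ts":"2026-06-11T02:15:00Z","app":"market-intel-app","object":"User","rows":300}',
    '{"ts":"2026-06-11T03:00:00Z","app":"billing-sync","object":"Invoice","rows":480}',
]

# Boundary between "history" and "recent" for the sample (hypothetical).
CUTOFF = datetime(2026, 6, 10, tzinfo=timezone.utc)


def parse_line(line):
    """Parse one JSON log line; timestamps become timezone-aware datetimes."""
    rec = json.loads(line)
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    return rec


def summarize(events):
    """Per app: objects touched, total rows returned, and distinct days active."""
    stats = defaultdict(lambda: {"objects": set(), "rows": 0, "days": set()})
    for e in events:
        s = stats[e["app"]]
        s["objects"].add(e["object"])
        s["rows"] += e["rows"]
        s["days"].add(e["ts"].date())
    return stats


def detect_bulk_extraction(events, cutoff, new_object_min=2, row_multiplier=5.0):
    """Compare each app's activity at or after `cutoff` with its activity before.

    A finding is raised when an app touches `new_object_min` or more object
    types it never used before, or when its rows-per-day exceed
    `row_multiplier` times its historical rate. Returns a list of findings.
    """
    baseline = summarize([e for e in events if e["ts"] < cutoff])
    current = summarize([e for e in events if e["ts"] >= cutoff])
    findings = []
    for app, cur in current.items():
        base = baseline.get(app)
        if base is None:
            # A token with no history at all deserves a look on its own.
            findings.append({"app": app, "reasons": ["first-seen app, no baseline"],
                             "new_objects": sorted(cur["objects"])})
            continue
        new_objects = sorted(cur["objects"] - base["objects"])
        base_daily = base["rows"] / max(len(base["days"]), 1)
        cur_daily = cur["rows"] / max(len(cur["days"]), 1)
        reasons = []
        if len(new_objects) >= new_object_min:
            reasons.append(f"enumerated {len(new_objects)} new object types: {new_objects}")
        if cur_daily > row_multiplier * base_daily:
            reasons.append(f"rows/day {cur_daily:.0f} vs baseline {base_daily:.0f}")
        if reasons:
            findings.append({"app": app, "reasons": reasons, "new_objects": new_objects})
    return findings


def run_sample():
    """Run the detector over the constructed log with the sample cutoff."""
    events = [parse_line(line) for line in SAMPLE_LOG_LINES]
    return detect_bulk_extraction(events, CUTOFF)


if __name__ == "__main__":
    for f in run_sample():
        print(f["app"], "->", "; ".join(f["reasons"]))
```

On the constructed data only the market-intelligence token is flagged: it touches four object types it had never read and pulls roughly 300 times its usual daily volume, while the billing integration stays within its baseline. The point of baselining per app rather than per tenant is that a stolen integration token looks like a legitimate user to the CRM; only its behaviour relative to its own past gives it away.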
LastPass Has Been Here Before
This is not LastPass's first brush with third-party compromise. In late 2022, a breach that began with a developer account escalated when attackers later targeted a DevOps engineer's personal machine through a vulnerable media player package, ultimately accessing cloud backups that contained encrypted customer vaults, billing addresses, and metadata. That incident triggered years of downstream damage — including hundreds of millions of dollars in cryptocurrency theft traced back to cracked master passwords. The 2026 Klue incident is narrower (no vaults, no passwords), but the pattern is familiar: attackers find the softest point, and that is rarely the company itself.
Your Vendors Are Your Attack Surface
The Klue breach is worth studying even if you have never heard of Klue, because the attack model applies to every SaaS tool in your stack. Most businesses grant third-party software ongoing access to their systems — CRM, billing platforms, marketing automation, analytics — through OAuth tokens or long-lived API keys. Those tokens live in the vendor's infrastructure. When the vendor is breached, every customer whose tokens they held becomes a potential victim, regardless of whether that customer had done everything right on their own side.
The specific failure here was a 2022 credential that should have been revoked when the pilot project ended. Stale credentials, unmaintained OAuth grants, and forgotten API keys are endemic across the industry — security teams audit their own systems carefully but rarely audit what access they have granted to others. In this case, a single unrevoked credential cascaded into confirmed breaches across a dozen organizations, including several cybersecurity vendors that make their living telling others how to do this right.
What to Do Now
- Audit your OAuth grants today. In Google Workspace, Microsoft 365, Salesforce, and any CRM or productivity suite you run, review connected third-party applications and revoke anything you no longer recognize, actively use, or that holds broader scope than it actually needs.
- Rotate or expire stale API keys and credentials. Any secret created for a pilot or temporary integration that was never revoked is a liability waiting to be found. Use a secrets manager with expiration policies, or at minimum maintain a spreadsheet with creation dates and scheduled reviews.
- Ask vendors how they store your tokens. When onboarding new SaaS tools, ask directly: are OAuth tokens encrypted at rest? What is their incident response SLA? What happens to your tokens if you terminate the contract?
- Minimize OAuth scope aggressively. If a market intelligence tool needs to read account names, it does not need access to full contact records and support case histories. Scope creep in OAuth grants is how small exposures become large breaches.
- Watch for phishing follow-up. If you are a LastPass customer and in the exposed set, Icarus now has your support contact details. Expect spear-phishing attempts using that information as a pretext, including scenarios impersonating LastPass support.
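The first four steps above (audit grants, expire stale credentials, minimise scope) amount to running a policy over an inventory of everything you have granted to third parties. The following is an added example, not code from the original post or from any vendor: it takes a constructed inventory of grants and applies three checks, expiry and age, idle time, and scope against a per-purpose least-privilege policy. Grant ids, dates, scope names and the policy table are all hypothetical; in practice the inventory would be exported from the identity provider or the CRM's connected-app list.

```python
"""Added example: audit third-party OAuth grants and API keys for expiry,
idle time and excess scope. All inventory data and policy are constructed."""
from datetime import date

# Constructed inventory of grants handed to outside tools (hypothetical ids/dates).
INVENTORY = [
    {"id": "pilot-2022-integration", "owner": "sales-ops", "purpose": "pilot",
     "created": "2022-03-14", "last_used": "2022-09-30", "expires": None,
     "scopes": {"read:accounts", "read:contacts", "read:cases", "write:accounts"}},
    {"id": "billing-sync", "owner": "finance", "purpose": "billing",
     "created": "2025-01-10", "last_used": "2026-06-20", "expires": "2026-12-31",
     "scopes": {"read:invoices", "write:invoices"}},
    {"id": "analytics-export", "owner": "marketing", "purpose": "analytics",
     "created": "2024-05-01", "last_used": "2026-06-22", "expires": None,
     "scopes": {"read:accounts", "read:contacts"}},
    {"id": "vendor-trial-2025", "owner": "sales-ops", "purpose": "pilot",
     "created": "2025-11-01", "last_used": "2026-03-15", "expires": "2026-03-31",
     "scopes": {"read:accounts"}},
]

# Least-privilege policy: the scopes each purpose is allowed to hold (constructed).
ALLOWED_SCOPES = {
    "pilot": {"read:accounts"},
    "billing": {"read:invoices", "write:invoices"},
    "analytics": {"read:accounts"},
}


def _parse(d):
    """ISO date string -> date, or None when the field is empty."""
    return date.fromisoformat(d) if d else None


def audit_grants(inventory, today, max_age_days=365, max_idle_days=90):
    """Return {grant_id: [reason, ...]} for every grant that needs action.

    Checks, in order: already past its expiry; no expiry at all and older
    than `max_age_days`; unused for more than `max_idle_days`; scopes beyond
    what the grant's purpose allows under ALLOWED_SCOPES.
    """
    results = {}
    for g in inventory:
        created = _parse(g["created"])
        last_used = _parse(g["last_used"])
        expires = _parse(g["expires"])
        reasons = []
        if expires is not None and expires < today:
            reasons.append("expired: revoke")
        if expires is None and (today - created).days > max_age_days:
            reasons.append(f"no expiry and older than {max_age_days}d: set an expiry or re-approve")
        if last_used is None or (today - last_used).days > max_idle_days:
            reasons.append(f"idle for more than {max_idle_days}d: revoke")
        extra = sorted(g["scopes"] - ALLOWED_SCOPES.get(g["purpose"], set()))
        if extra:
            reasons.append("overscoped: remove " + ", ".join(extra))
        if reasons:
            results[g["id"]] = reasons
    return results


def run_sample():
    """Audit the constructed inventory as of a fixed (hypothetical) date."""
    return audit_grants(INVENTORY, date(2026, 6, 25))


if __name__ == "__main__":
    for grant_id, reasons in run_sample().items():
        print(grant_id)
        for r in reasons:
            print("  -", r)
```

On the sample, the forgotten pilot grant trips every check except expiry (it never had one), the analytics export is flagged for holding contact data it does not need and for having no expiry, and the trial key is already expired but still listed. The billing integration, which has an expiry date and exactly the scopes its purpose allows, produces nothing. Treating "no expiry" as a finding in its own right is deliberate: it is the property that turned a 2022 pilot credential into a 2026 breach.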
The Bigger Picture
Supply chain attacks are effective precisely because they exploit trust relationships that were built for legitimate reasons and then never re-examined. The Klue incident sits in a long line of predecessors — SolarWinds, Kaseya, MOVEit, 3CX — where compromising one vendor proved more efficient than targeting hundreds of companies individually. What those incidents share is that the breached companies could truthfully say "our systems weren't hacked" while still suffering real damage to customer data, reputation, and trust.
The businesses most exposed are those that equate "we weren't directly breached" with "we're fine." Third-party access reviews, credential expiration policies, and OAuth scope audits are not glamorous work, but they are the difference between being a target and being collateral damage in someone else's incident. At Falcon Internet, third-party access hygiene is part of how we manage the environments we're responsible for — because a credential you forgot about is still a credential an attacker can find.