A dormant service account credential at market intelligence platform Klue gave the Icarus extortion group access to Salesforce CRM environments at nine named technology companies, several of which sell security products.
On June 11, 2026, attackers used a legacy credential tied to a service account originally created for a decommissioned third-party integration prototype. Using that foothold inside Klue's infrastructure, they pushed a malicious code update to production that harvested OAuth tokens. Those tokens authorized Klue's connections to customers' Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack instances. Klue identified the access on June 12, revoked the affected credentials, and notified customers the same day.
BleepingComputer reported that Icarus claimed the attack publicly on June 19, listing confirmed victims on its extortion site: HackerOne, Huntress, Jamf, OneTrust, Recorded Future, Snyk, Sprout Social, Insurity, and Tanium. SecurityWeek subsequently reported that BeyondTrust and LastPass were also affected. Salesforce disabled the Klue Battlecards integration across its platform pending investigation. Icarus, a ransomware and extortion group that emerged in April 2026, threatened public release of the stolen data unless Klue paid a ransom.
Stolen data varied by organization and included CRM contacts, price quotes, competitive intelligence reports, sales communications, and internal licensed-user lists. Klue stated it found no evidence of access to production customer data beyond what was connected through the harvested OAuth tokens. Two aspects of this incident are worth examining closely.
What scanners would have missed
The initial access point here was not a software vulnerability. No CVE. No known-vulnerable package. The entry was a service account credential that outlived the integration it was created for, with production write access still intact.
Here is what four standard tooling categories would have returned on that:
- SAST: Scanned Klue's codebase for injection sinks, unsafe deserialization, and path traversal. A service account's retained permissions are not a code pattern. Nothing flagged.
- DAST: Probed Klue's external API for authentication bypass and access-control weaknesses. DAST sees the running application from the outside. It does not model the internal trust relationship that allows a service account to push production code updates.
- SCA: Found no known-vulnerable third-party packages, because there were none in this path.
- CVSS: A stale service account with retained write access lands somewhere in the medium range on base scoring. It requires authenticated access, so attack complexity is non-trivial. CVSS does not compose what that access enables: a code push that harvests OAuth tokens for nine external organizations in a single operation.
Scanners score individual findings. They do not chain those findings into attack paths. That gap is where this incident lived.
What Sekura would have shown
Sekura's Phase 5 (exploit-chain analysis) is where this attack surface becomes concrete.
Phase 2 (recon) would have enumerated Klue's service accounts, their associated permissions, and their last-used timestamps, surfacing the dormant integration account as a candidate finding. Phase 3 (dynamic probing) would have confirmed that the credential remained valid against the authentication endpoint. From those two findings, Phase 5 would have synthesized the full chain:
The exploit-chain agent would have produced a finding showing that the service account's write access to the production deployment pipeline creates a path to customer OAuth tokens, and from there to confidential data in eleven external SaaS environments. The severity of that finding is not derived from the credential itself. It comes from the chain: one stale key, one code push, eleven confirmed victims.
I think this is the distinction that matters. A credential lifecycle audit tells you a service account is stale. Exploit-chain analysis tells you what an attacker can build on top of that staleness.
The bigger pattern
This is a supply chain attack through integration surface area. Klue had no vulnerability in its core product. The failure was in the lifecycle of a single service account that accumulated persistent write access over time and was never cleaned up.
Every SaaS platform that offers customer integrations accumulates this kind of residual access: API keys, OAuth grants, service accounts, webhook credentials. Each decommissioned integration that leaves a credential behind is a potential entry point. The Icarus group did not need a zero-day. It needed one valid key and production write access to Klue's deployment pipeline.
The blast radius is the more significant detail. One vendor, one credential, eleven named organizations, and data spanning CRM contacts, competitive intelligence, pricing, and internal user lists. That multiplier is why integration surface area has become a recurring attack vector in 2026.
If you want to see what this chain looks like against your own integration layer, compare what we surface versus traditional scanners.