A Sales Tool Breached the Security Industry
On June 22, 2026, TechCrunch reported that a breach of Klue — a competitive intelligence platform used by sales teams — cascaded into data exposure at some of the most prominent cybersecurity companies in the world. HackerOne. Snyk. Huntress. Recorded Future. BeyondTrust. LastPass. Jamf. OneTrust. Tanium. The companies that sell security to everyone else were compromised through a sales enablement tool.
The attack was straightforward. Attackers used a legacy credential to access Klue's integration infrastructure. They pushed a malicious code update that harvested OAuth tokens connecting Klue to its customers' Salesforce instances. Then they executed approximately 1,000 API queries in 15 minutes during peak exfiltration. Salesforce has since disabled the Klue Battlecards integration entirely. An extortion group called Icarus issued 48-hour ransom demands to affected employees.
The OAuth Trust Chain Problem
Modern web infrastructure is built on OAuth integrations. Every SaaS tool in an organization's stack — CRM, analytics, email, project management, competitive intelligence — connects via OAuth tokens that grant API access to underlying data. Each integration creates a trust relationship: the organization trusts the SaaS vendor, the vendor trusts its infrastructure, and the OAuth token bridges them. If any link in that chain is compromised, the token grants access to the organization's data regardless of the organization's own security posture.
Klue is not a security tool. It is a competitive intelligence platform that helps sales teams understand their competitors. Its access to Salesforce data — customer records, deal information, revenue data — exists because sales teams authorized it. The security teams at HackerOne and Snyk did not choose Klue. Their sales teams did. The OAuth token that bridged the gap was granted through a workflow that likely never crossed a security review.
The Legacy Credential Pattern
The initial access vector was a legacy credential. Not a zero-day. Not a sophisticated exploit. A credential that should have been rotated, deprovisioned, or protected by MFA — and was not. This is the same pattern WebPulse documents in the FortiBleed campaign (35% default admin credentials) and across the WordPress ecosystem (admin panels with default passwords). The most common entry point for catastrophic breaches is not technical sophistication. It is credential hygiene.
For CISOs: your security posture is not just your own infrastructure. It is every SaaS vendor with OAuth access to your systems, every legacy credential in every integration, and every sales team decision to connect a new tool to Salesforce. Klue's breach affected the cybersecurity industry's own data. If HackerOne, Snyk, and Recorded Future can be compromised through a sales tool, the question for every other organization is not whether they are vulnerable to the same pattern. It is how many OAuth tokens they have granted to tools they have never audited.
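The exfiltration rate reported above (approximately 1,000 API queries in 15 minutes) is the kind of signal a per-integration sliding-window check over API access logs can surface. The following is an added example, not code from the article, Klue, or Salesforce; the event shape, the app names, and the use of the reported figures as an alert threshold are assumptions, and the log events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=15)  # window length from the reported exfiltration burst
THRESHOLD = 1000                # call count from the report; tune to each integration's baseline


def find_bursts(events, window=WINDOW, threshold=THRESHOLD):
    """Return {app: (window_start, window_end, count)} for the first window in
    which an OAuth-connected app reaches `threshold` API calls.

    `events` is an iterable of (iso_timestamp, app_name) tuples. This shape is
    an assumption for the example, not a real vendor log format.
    """
    recent = defaultdict(deque)  # app -> timestamps still inside the window
    alerts = {}
    for ts, app in sorted((datetime.fromisoformat(t), a) for t, a in events):
        q = recent[app]
        q.append(ts)
        # Drop calls that have aged out of the sliding window.
        while ts - q[0] >= window:
            q.popleft()
        if len(q) >= threshold and app not in alerts:
            alerts[app] = (q[0], ts, len(q))
    return alerts


def constructed_sample():
    """Constructed events: one integration calling once a minute for ten hours,
    and another issuing 1,000 calls in just under 15 minutes."""
    base = datetime(2026, 1, 1, 9, 0, 0)
    steady = [((base + timedelta(minutes=i)).isoformat(), "reporting-app")
              for i in range(600)]
    burst = [((base + timedelta(seconds=i * 0.89)).isoformat(), "intel-app")
             for i in range(1000)]
    return steady + burst


if __name__ == "__main__":
    for app, (start, end, n) in find_bursts(constructed_sample()).items():
        print(f"ALERT {app}: {n} API calls between {start} and {end}")
```

Keying the window on the connected app rather than on the user matters here, because a stolen integration token makes its calls under the integration's identity.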


