The cybersecurity industry just got a taste of its own medicine — and it’s not sitting well.

On June 12, a cybercrime group called Icarus breached Vancouver-based market intelligence company Klue. By the time the dust settled, data from at least ten major cybersecurity firms — Huntress, HackerOne, Jamf, Recorded Future, Tanium, Snyk, OneTrust, and others — had been stolen from their Salesforce databases. The attackers got in through a single compromised legacy credential: a password or token tied to an integration tool that let customers sync their cloud data with Klue.
Let that sink in. Companies whose entire business is protecting other companies from getting hacked… got hacked. Through a vendor they trusted.
The Anatomy of a Supply Chain Attack Nobody Saw Coming
Klue isn’t a household name. It’s a market intelligence platform — the kind of tool enterprise sales teams use to track competitors, monitor market signals, and manage battle cards. Think of it as a CRM-adjacent tool that sits quietly in the background, connecting to your Salesforce instance to pull customer data for competitive analysis.
That quiet connection was exactly the problem.
The attackers didn’t need to breach ten separate companies. They breached one — Klue — and the integration keys gave them a straight shot into Salesforce databases containing business contact information: names, email addresses, phone numbers, job titles. For companies in the cybersecurity space, that’s not just PII. It’s a map of who works where, what they do, and how to reach them.
Icarus didn’t waste time. The group posted on its leak site, threatening to publish the stolen data within days unless Klue paid a ransom. CrowdStrike was called in for incident response. Klue’s response? A brief blog post — marked with noindex to keep it out of search results.
This Isn’t a One-Off. It’s a Pattern.
Here’s what makes this story more than just another breach headline: it fits a pattern that’s been accelerating for the past two years. Middleware providers — the companies that sit between your core systems and third-party tools — have become the new attack surface.
Snowflake. TanStack. Gainsight. Salesloft. All of them saw breaches where compromising one platform opened doors to dozens or hundreds of customers. The Klue incident is the latest entry in what security researchers are calling a “slew of broad-scale hacks” targeting these intermediaries.
The logic is simple from an attacker’s perspective. Why spend months trying to penetrate a well-defended cybersecurity firm’s network when you can go after the vendor they all use to sync their data? One compromised token. One integration key. Ten customers exposed.
It’s the same calculus that makes Oracle’s PeopleSoft zero-day so dangerous — a single vulnerability in widely-deployed enterprise software puts thousands of organizations at risk simultaneously. The difference here is that the “vulnerability” isn’t a software bug. It’s a stale credential that nobody bothered to revoke.
The Laying-Off-to-AI Pipeline
There’s a detail in the TechCrunch report that deserves more attention than it’s getting. Last June — about a year before this breach — Klue laid off roughly half its staff, around 100 people, as it “doubled down on its AI investments.” The article notes it’s unclear whether the reduction in staff led to security lapses, but the timeline is hard to ignore.
When you cut half your team and redirect resources toward AI, things get missed. Credentials go stale. Integration audits get deprioritized. The person who would have noticed that a legacy token was still active and overly permissive? They’re probably updating their LinkedIn profile.
This isn’t an AI-hating take — I’ve written about the economics of AI tools and where the value actually is. But there’s a real cost to the “cut staff, invest in AI” playbook, and Klue’s customers are now paying it.
No Cybersecurity Leadership. No Comment.
Two more facts that should raise eyebrows:
First, Klue’s executive leadership page doesn’t list anyone responsible for cybersecurity. For a company that handles sensitive competitive intelligence and customer data from security firms, that’s a remarkable gap.
Second, CEO Jason Smith didn’t respond to TechCrunch’s request for comment. When a company that serves the cybersecurity industry gets breached and goes silent, it sends a message — and not a good one.
Compare that to how companies like Huntress handled the fallout. Huntress confirmed they were affected and noted that Icarus contacted them with a ransom note sent from a compromised Australian company’s email server. That kind of transparency is what you’d expect from a security company. Klue’s response — a blog post hidden from search engines — is what you’d expect from a company hoping this blows over.
The Trust Problem Nobody Wants to Talk About
This is the part that goes beyond Klue. When cybersecurity firms get breached through their vendors, it creates a trust cascade that affects the entire industry.
If you’re a CISO evaluating security vendors, and you just read that HackerOne’s data was stolen through a market intelligence tool, what does that do to your confidence? If Recorded Future — a company that literally sells threat intelligence — couldn’t prevent its customer data from leaking through a third party, how do you sell your own security posture to clients?
I’ve explored this trust dynamic before when writing about why Americans don’t trust AI. Trust in technology isn’t binary. It’s layered. You trust your security vendor. Your security vendor trusts their integrations. Their integrations trust a market intelligence platform. And somewhere in that chain, a legacy token sits unrevoked for months.
The digital trust conversation we’ve been having about AI chatbots applies here too. We hand over data to platforms we assume are secure, based on brand reputation and compliance badges. But security is only as strong as the weakest integration in the chain.
What Should You Actually Do?
If you’re running a company — any company — the Klue breach is a wake-up call to audit a few things:
Review your integration tokens. Every third-party integration that connects to your CRM, cloud storage, or communication tools is a potential entry point. Stale tokens with broad permissions are a gift to attackers.
Vendor security assessments aren’t optional. “They have SOC 2” isn’t enough. Ask about their incident response history, their executive security oversight, and what happens to your data if they get breached.
Data minimization still matters. The less data you share with third-party tools, the less exposure you have when those tools fail. If Klue doesn’t need your full Salesforce contact list to deliver competitive intelligence, don’t give it to them.
Assume breach, plan accordingly. The companies affected here are now dealing with exposure of business contacts across the cybersecurity industry. Having an incident response plan that accounts for vendor breaches — not just direct ones — is no longer a nice-to-have.
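
One way to run the integration-token review recommended above, as an added example that is not part of the original article. It audits an inventory export for stale, unrotated, over-scoped and orphaned credentials. The CSV column names, the sample rows, the 90-day and 365-day thresholds and the reference date are all assumptions; `full` and `refresh_token` are Salesforce OAuth scope names.

```python
import csv
import io
from datetime import date

# Constructed sample inventory (not real data). Column names are assumptions;
# map them from whatever your CRM or identity provider exports.
INVENTORY_CSV = """integration,owner_active,created,last_used,scopes
vendor-sync-legacy,no,2021-03-02,2024-01-15,full refresh_token
market-intel-connector,yes,2023-11-20,2025-06-01,api refresh_token
support-desk,yes,2025-02-10,2025-06-10,api
old-webinar-tool,yes,2022-07-01,,full
"""

BROAD_SCOPES = {"full"}   # scope that grants access to everything the user can see
MAX_IDLE_DAYS = 90        # assumed policy: unused for this long counts as stale
MAX_AGE_DAYS = 365        # assumed policy: rotate at least once a year


def audit_tokens(csv_text, today):
    """Return {integration: [findings]} for every credential that needs review."""
    report = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        findings = []
        scopes = set(row["scopes"].split())
        if not row["last_used"]:
            findings.append("never used")
        elif (today - date.fromisoformat(row["last_used"])).days > MAX_IDLE_DAYS:
            findings.append("stale")
        if (today - date.fromisoformat(row["created"])).days > MAX_AGE_DAYS:
            findings.append("not rotated")
        if scopes & BROAD_SCOPES:
            findings.append("broad scope")
        # A refresh token keeps an idle integration usable indefinitely.
        if "refresh_token" in scopes and "stale" in findings:
            findings.append("idle refresh token")
        if row["owner_active"] != "yes":
            findings.append("owner inactive")
        if findings:
            report[row["integration"]] = findings
    return report


if __name__ == "__main__":
    # Fixed reference date so the constructed sample gives repeatable results.
    for name, findings in audit_tokens(INVENTORY_CSV, date(2025, 6, 30)).items():
        print(f"{name}: {', '.join(findings)}")
```

Credentials that collect several findings at once, such as a stale, full-scope token whose owner has left, are the ones to revoke first.
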
The Klue breach isn’t just a story about one company’s failure. It’s a mirror held up to an industry that sells trust for a living — and just found out its own supply chain wasn’t up to the standards it recommends to everyone else.