3M Passports Leaked for Hunting Licenses, 5 CRMs Ravaged by Dead Klue Key, Cellebrite Kill Switch Exposed: Global Vendor Trust Implodes

TL;DR

  • Icarus Group Weaponizes 2022 Klue OAuth Token: Zero Malware, CRM Access at Huntress, LastPass, and Three Other Vendors in 24 Hours. How many forgotten OAuth tokens from 2022 are silently nuking your CRM right now?
  • MVD Used Abandoned Cellebrite UFED to Crack iPhone 12 in Russia: Extracted Data Fuels EU Phishing. Is your iPhone guarded by your contract—or by Russia's abandoned forensic toolkit?
  • 3 Million Identities Exposed: Texas Vendor Breach Leaks Passports, Driver Licenses. Which state vendor will leak your passport number next?

💀 OAuth Is a Dumpster Fire, and Your CRM Just Lit the Match

A dead 2022 Klue credential ravaged 5 CRMs in 24h—zero malware. Icarus didn't hack your perimeter; they found spare keys under the SaaS mat while execs admired SOC2 posters. 💀 Orphaned OAuth flows are loaded guns. How many zombie integrations are sleeping in YOUR stack? 🔥

Enterprise SaaS integrations rot from the inside out, but nobody smells the stink until the PR team starts gagging. On June 11, 2026, the Icarus extortion group skipped the zero-day fireworks. They reactivated a legacy Klue API credential, minted during a 2022 pilot that nobody ever sunset, and used it to plant code in Klue's back end that harvested the OAuth tokens Klue held for Salesforce, HubSpot, Gong, Slack, and a half-dozen other platforms. Those tokens opened CRM environments at Huntress, LastPass, Recorded Future, Tanium, and Jamf. No malware on any victim endpoint. No credential dump. Just a forgotten grant keeping a persistent OAuth session on life support while automated API queries pulled out business contacts, pricing, and competitive intel for nearly 24 hours straight. 💀

By June 12, Klue spotted unauthorized back-end access. By June 13, it had alerted customers and disabled remote access across integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. On June 16, extortion emails, including one labeled “Top Secret”, hit Huntress staff, with Icarus demanding a response within 48 hours. Salesforce killed the Klue Battlecards app by June 18, and CEO Jason Smith publicly confirmed the breach on June 19 while the group publicized its haul. On June 24, LastPass traced its own exposure to that same 2022 Klue pilot, confirming unauthorized access to customer PII and CRM records. The same vector, a third-party integration's OAuth tokens abused to reach many customers' CRMs at once, hit Salesloft Drift and Gainsight customers in 2025. The adversary spent zero dollars, treated a forgotten integration like a self-service buffet, and banked verified impersonation templates for the next sweep. While executives were busy admiring SOC2 posters, the attacker was playing the actual system. 🪦

  • Data Harvest: Code planted in Klue's back end harvested OAuth tokens; automated API queries then pulled contacts, contracts, pricing, and competitive intel out of multiple customer environments.
  • Extortion: A “Top Secret” email reached Huntress on June 16, complete with a 48-hour ultimatum. No hot exploit required, just forgotten tokens and audacity.
  • Supply-Chain Fallout: LastPass disclosed on June 24 that tokens from a 2022 pilot exposed customer PII, turning one stale credential into a multi-vendor liability.

Timeline

  • June 11, 2026: Icarus revives a dormant 2022 Klue credential; code planted in Klue's back end harvests OAuth tokens.
  • June 12–13, 2026: Klue detects the intrusion, alerts customers, and disables remote access and SaaS integrations.
  • June 16, 2026: “Top Secret” extortion emails hit Huntress staff; Icarus demands a response within 48 hours.
  • June 17–18, 2026: Salesforce disables the Klue Battlecards app and severs its third-party connections.
  • June 19, 2026: CEO Jason Smith confirms the breach; Icarus publicizes the attack.
  • June 24, 2026: LastPass confirms related exposure from the 2022 pilot, rotates tokens, and notifies authorities.

Rotate your tokens, audit every orphaned OAuth flow, and stop treating third-party integrations like magical black boxes funded by someone else’s budget. Icarus didn’t breach your perimeter; they collected the spare keys Klue left under the SaaS welcome mat in 2022 and made copies for the entire neighborhood. 🔥
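Two checks that would have caught a grant like the 2022 Klue pilot, as an added example that is not Klue's, Salesforce's or any other vendor's code. It assumes a constructed connected-app inventory and a constructed JSON-lines API audit log (fields ts, client_id, user, op, rows); those field names are this example's own and have to be mapped onto whatever your platform actually exports. The first function is the preventive audit (grants idle for months, or never seen, or holding broad scopes such as a refresh token); the second is the detective rule for a client that goes quiet for a long time and then bursts back with bulk reads.

```python
"""Find forgotten OAuth grants before an attacker does, and catch the ones
that wake up. Added example, not Klue's, Salesforce's or any vendor's code.
Assumes a constructed connected-app inventory and a constructed API audit log
(one JSON object per line with ts, client_id, user, op, rows); the field
names are this example's own and must be mapped to your platform's export."""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import json

# Constructed inventory: what a connected-app / OAuth-grant listing gives you.
GRANTS = [
    {"client_id": "klue-pilot-2022", "created": "2022-03-04", "scopes": ["api", "refresh_token", "full"]},
    {"client_id": "slack-notify", "created": "2024-08-11", "scopes": ["chatter_api"]},
]

# The date of a routine review run shortly before the incident (assumed).
AUDIT_DATE = datetime(2026, 6, 1, tzinfo=timezone.utc)


def _ev(ts, cid, op, rows):
    return json.dumps({"ts": ts, "client_id": cid, "user": f"svc-{cid}", "op": op, "rows": rows})


# Constructed log: the pilot app is silent for two years, then issues 30 bulk
# reads in ten minutes; the Slack app ticks along normally.
AUDIT_LOG = "\n".join(
    [_ev("2024-02-01T10:00:00Z", "klue-pilot-2022", "query", 40),
     _ev("2026-05-30T09:00:00Z", "slack-notify", "post", 1)]
    + [_ev(f"2026-06-11T03:{m:02d}:{s:02d}Z", "klue-pilot-2022", "query", 2000)
       for m in range(10) for s in (0, 20, 40)]
)


def parse_log(text):
    """Parse JSON-lines audit records into dicts with aware datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
        events.append(rec)
    return sorted(events, key=lambda e: e["ts"])


def stale_grants(grants, events, now, idle_days=180, broad=("full", "refresh_token")):
    """Preventive check: grants unused for idle_days (or never seen) or carrying broad scopes.
    Only events at or before `now` count, so the audit can be replayed as of a past date."""
    last_seen = {}
    for e in events:
        if e["ts"] <= now:
            last_seen[e["client_id"]] = e["ts"]
    findings = []
    for g in grants:
        seen = last_seen.get(g["client_id"])
        idle = (now - seen).days if seen else None
        broad_scopes = sorted(set(broad) & set(g["scopes"]))
        if seen is None or idle >= idle_days or broad_scopes:
            findings.append({"client_id": g["client_id"], "idle_days": idle,
                             "broad_scopes": broad_scopes, "created": g["created"]})
    return findings


def revived_dormant_apps(events, dormant_days=90, window=timedelta(minutes=15), min_calls=20):
    """Detective check: a client silent for more than dormant_days that then bursts back."""
    by_client = defaultdict(list)
    for e in events:
        by_client[e["client_id"]].append(e)
    findings = []
    for cid, evs in by_client.items():
        for i in range(1, len(evs)):
            gap = evs[i]["ts"] - evs[i - 1]["ts"]
            if gap < timedelta(days=dormant_days):
                continue
            start = evs[i]["ts"]
            burst = [x for x in evs[i:] if x["ts"] - start <= window]
            if len(burst) >= min_calls:
                findings.append({"client_id": cid, "dormant_days": gap.days,
                                 "calls": len(burst), "rows": sum(x.get("rows", 0) for x in burst),
                                 "first_seen": start.isoformat()})
                break
    return findings


if __name__ == "__main__":
    events = parse_log(AUDIT_LOG)
    for f in stale_grants(GRANTS, events, AUDIT_DATE):
        print("STALE/BROAD:", f)
    for f in revived_dormant_apps(events):
        print("REVIVED:", f)
```

Run as-is it flags the pilot grant twice: once in the review run (idle for about 850 days and holding full plus refresh_token scope), and again on June 11 when it comes back with 30 bulk reads inside ten minutes after a two-year silence. Tune idle_days and min_calls to your tenant's baseline, and treat any "refresh_token" or equivalent offline-access scope on an idle grant as revoke-first, ask-later.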


🗑️ Abandoned Contracts Don’t Expire in the Kremlin’s Subscription Trash 🗑️

Cellebrite ditched Russia in '21. MVD still cracked an iPhone 12 with UFED—turns out the 'kill switch' was just PR BS 🗑️ Names became COLDRIVER phishing ammo. Vendor expiry date? Never. So whose dead contract actually guards your phone—yours or the Kremlin’s?

On June 25, 2026, Citizen Lab confirmed what enterprise asset management looks like when the vendor pinky-promises to leave and the customer is a federal police unit. Russian authorities pried open Andrey Pivovarov's iPhone 12 using Cellebrite UFED Physical Analyzer and UFED 4PC, tools that kept humming long after Cellebrite left Russia in March 2021 under consumer boycott pressure. So much for contractual kill switches.

The chain of custody reads like a compliance audit from hell. Authorities seized the phone on May 31, 2021, at St. Petersburg airport. On June 17, the device's MobileLockdown logs show a trusted USB pairing to a Cellebrite-hosted machine, established without any action by the owner. WhatsApp, Telegram, and Viber messages were extracted; searches targeted Open Russia contacts including Mikhail Khodorkovsky, Anastasiya Burakova, and Tatiana Usmanova. That same day, Forensic Expert Report No. 1269-17 formally named the Cellebrite tools used in the prosecution. When the MacBook would not yield, MVD records logged failed decryption attempts; Citizen Lab later matched identical failed-login timestamps, confirming Pivovarov never provided a password. No password, no problem, as long as the legacy kit stays plugged in.
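The pairing record is the artifact that made the timeline above provable, so here is the check a defender would run over a device's lockdown pairing records, as an added example that is not Citizen Lab's or Cellebrite's code. It assumes you already hold the pairing records as plist files together with their file modification times (used here as a proxy for when the pairing happened, which is an assumption); HostID, SystemBUID and WiFiMACAddress are standard lockdown record keys, while the allowlist, the cut-off date and the sample records are constructed.

```python
"""Flag lockdown pairing records for hosts the owner never trusted.
Added example, not Citizen Lab's or Cellebrite's code. Assumes you have the
device's pairing records as plist files plus their modification times; the
HostID, SystemBUID and WiFiMACAddress keys are standard lockdown fields,
while the allowlist, the cut-off date and the records below are constructed."""
import plistlib
from datetime import datetime, timezone

# Hypothetical allowlist: HostIDs of the computers the owner actually paired with.
KNOWN_HOSTS = {"0C2F1E7A-3B5D-4F61-9A28-7D1C0E5B9F33": "owner's MacBook"}

# Date the device left the owner's hands; any new pairing after this is suspect.
SEIZED_AT = datetime(2021, 5, 31, tzinfo=timezone.utc)


def make_record(host_id, buid, mac):
    """Build a minimal constructed pairing record as XML plist bytes."""
    return plistlib.dumps({"HostID": host_id, "SystemBUID": buid, "WiFiMACAddress": mac})


def build_sample_records():
    """Constructed corpus of (file name, plist bytes, file mtime) for one device."""
    mac = "aa:bb:cc:00:11:22"   # the device's own Wi-Fi MAC, identical across records
    return [
        ("owner.plist",
         make_record("0C2F1E7A-3B5D-4F61-9A28-7D1C0E5B9F33", "BUID-OWNER", mac),
         datetime(2020, 9, 12, 14, 5, tzinfo=timezone.utc)),
        ("lab-box.plist",
         make_record("6E9D4B10-8A2C-4D7F-B3E5-1F0A9C8D7B26", "BUID-LAB", mac),
         datetime(2021, 6, 17, 11, 40, tzinfo=timezone.utc)),
        ("old-laptop.plist",
         make_record("D4A1C6F2-5E8B-4A93-8C17-2B6F0E9D3A58", "BUID-OLD", mac),
         datetime(2019, 3, 3, 9, 0, tzinfo=timezone.utc)),
    ]


def parse_record(data):
    """Read the fields we care about; plistlib accepts both XML and binary plists."""
    rec = plistlib.loads(data)
    return {k: rec.get(k) for k in ("HostID", "SystemBUID", "WiFiMACAddress")}


def audit_pairings(records, known_hosts, seized_at):
    """Return every pairing with a host outside the allowlist, oldest first,
    marking those whose record post-dates the change of custody."""
    findings = []
    for name, data, mtime in records:
        r = parse_record(data)
        if r["HostID"] in known_hosts:
            continue
        if mtime >= seized_at:
            verdict = "unknown host paired AFTER custody changed"
        else:
            verdict = "unknown host (pre-seizure; verify with owner)"
        findings.append({"record": name, "host_id": r["HostID"], "buid": r["SystemBUID"],
                         "paired_at": mtime.isoformat(), "verdict": verdict})
    return sorted(findings, key=lambda f: f["paired_at"])


if __name__ == "__main__":
    for f in audit_pairings(build_sample_records(), KNOWN_HOSTS, SEIZED_AT):
        print(f["verdict"], f["record"], f["host_id"], f["paired_at"])
```

The one pairing that matters is the record whose timestamp lands after the seizure date and whose HostID nobody on the allowlist recognises; that is the same kind of evidence the report above rests on. Everything else is triage.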

Those extracted names didn't gather dust. They surfaced in a COLDRIVER phishing campaign aimed at foreign opposition figures, turning one forensic extraction into a cascading harassment supply chain. The pattern replicated across 2026: German authorities warned in February that Russian operatives were targeting the Signal accounts of EU officials with phishing lures, and the Ghostwriter-linked Storm-0257 hit Ukrainian government inboxes in March using Roundcube exploits and Cobalt Strike beacons. Leaked documents that spring exposed Russian psychological operations that triggered reconnaissance arrests in Poland and Estonia, confirming that forensic extraction feeds transnational repression infrastructure, not just domestic courtrooms.

Impacts read like a broken SLA from hell:

  • Civilian Rights: Communications recovered without consent enable fabricated indictments; a four-year sentence for leading an “undesirable” organization demonstrates how digital exposure feeds legal theater.
  • Vendor Accountability: Offline functionality and weak enforcement mechanisms let abandoned contracts rot on the shelf while exploitability auto-renews.
  • Cross-Border Pattern: Extracted networks pivot directly into state-linked spear-phishing. German intelligence confirmed Russian campaigns against EU officials in February 2026; Ukrainian government targets faced Ghostwriter/Storm-0257 intrusions in March 2026, indicating a repeatable blueprint for transnational repression.

What Happens When Your Kill Switch Is Just a Press Release?

  • May 31–June 17, 2021: Phone seized at St. Petersburg airport; a state lab still holding UFED hardware months after Cellebrite's March 2021 exit establishes a forced USB pairing (recorded in MobileLockdown) and extracts the device.
  • February 2026: German authorities confirm Russian Signal-phishing against EU politicians, signaling sustained targeting of foreign opposition.
  • March 2026: Ghostwriter-linked Storm-0257 spear-phishes Ukrainian government entities.
  • Spring 2026: Leaked documents expose coordinated Russian psychological operations and reconnaissance arrests across Poland, Estonia, and Germany, confirming extracted data fuels hybrid warfare.

🎯 The Whitetail Vendor Breach: Over 3 Million Texans Learn the Hard Way 🎯

3M Texans bought hunting licenses. TPWD handed over passports and driver’s licenses instead 🎯 One vendor breach—bang, your identity’s on clearance. They caught it same day but kept the damn printers running through August. Cool trade. Texas hunters—which state leaks YOUR government ID next?

You wanted permission to bag a buck. Your government handed your passport number to a total stranger. Cool trade.

On June 19, 2026, the Texas Parks and Wildlife Department disclosed that an unauthorized actor compromised the third-party vendor powering its hunting and fishing license platform. Names, driver's license numbers, passport numbers, emails, phone numbers, and home addresses from over 3 million applicants exited state custody. Social Security numbers, birth dates, and bank account details were not in the haul, and records of applicants under 18 were not affected.

How Convenience Kills Perimeter 🔓

Attackers hit the licensed retailer interface wired into TPWD’s network. Texas Cyber Command detected the unauthorized access on June 19, triggering same-day disclosure. That speed doesn’t un-pull the trigger; once the data escapes, it enables identity verification scams downstream. The architecture treats convenience as king and compartmentalization as optional, with no single group isolated. One hunting license becomes a fully loaded identity fraud starter pack.

Damage Report, Straight Up

  • Identity Exposure: Over 3 million names, government IDs, and contact records now circulate outside state custody, directly widening the impersonation attack surface.
  • Fraud Pipeline: Exposed PII sharpens vulnerability to social engineering, amplifying identity theft risk as consumer fear of fraud corrodes trust in public services.
  • Governance Fracture: Regulatory scrutiny intensifies over state vendor oversight, injecting friction into digital transactions and exposing gaps in digital infrastructure protection.

Response Timeline

  • June 19, 2026: Texas Cyber Command detects unauthorized vendor access; TPWD discloses the breach and responders contain the active flow. Verified exclusions: SSNs, DOBs, financial details, minors.
  • Through August 2026: License sales proceed normally, because why pause commerce for a little data hemorrhage?
  • Through September 14, 2026: Free credit monitoring via Kroll remains available to affected applicants while TPWD deploys enhanced access controls, strong-password advisories, and two-factor authentication guidance.

Here is the punchline. When a parks department optimizes for retail reach instead of perimeter discipline, the public pays the invoice. The hunting licenses keep printing through August. The data, however, is already on clearance.