
Klue OAuth breach lets Icarus hackers steal Salesforce data

Huma Shazia, 18 June 2026 at 8:13 pm, 5 min read

Key Takeaways

Source: BleepingComputer
  • Attackers compromised Klue's backend and pushed malicious code that stole OAuth tokens from customers
  • The Icarus extortion group used stolen tokens to query Salesforce APIs and exfiltrate CRM data
  • Salesforce has disabled the Klue Battlecards integration; Klue has also cut connections to HubSpot, SharePoint, and other platforms

A breach at market intelligence platform Klue has exposed Salesforce CRM data at multiple organizations, with a new extortion group called Icarus now demanding ransom payments from affected companies. The attackers compromised Klue's backend systems, pushed a malicious code update, and harvested OAuth tokens that customers use to connect Klue's Battlecards product with Salesforce.

Salesforce has responded by disabling the Klue Battlecards integration entirely. "To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident," the company stated on June 17. Organizations cannot reconnect until Salesforce completes its investigation.

How did attackers steal Salesforce data through Klue?

According to ReliaQuest, the attackers gained access to Klue Battlecards integration service accounts and then used OAuth tokens associated with customer Salesforce instances to exfiltrate data. The researchers observed threat actors generating OAuth tokens and running automated Python scripts against Salesforce's REST API for nearly 24 hours.

The attack followed a two-phase pattern. First, reconnaissance: the attackers slowly queried Salesforce's '/services/data/v59.0/sobjects' endpoint (the REST resource that lists an org's objects and, with an object name appended, describes its fields) to map out an organization's data structure and identify valuable objects. Then came rapid extraction through the '/services/data/v59.0/query' endpoint, which executes SOQL against whatever records the token's user can see. The 'v59.0' in both paths is only the API version; the same pattern applies under any version.

"The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment," ReliaQuest explained. "Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records."
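The recon-then-burst pattern ReliaQuest describes can be hunted for directly in API telemetry. The script below is an added example, not code from BleepingComputer, ReliaQuest or Klue: it reads a simplified, constructed CSV log (timestamp, user_id, connected_app, method, uri; the columns, user IDs and traffic are made up, and you would map them to your own export, for instance a Salesforce Event Monitoring RestApi event log), records which sObjects each connected-app principal enumerated under /sobjects, and raises a finding when that principal's /query calls exceed an assumed threshold inside a sliding 15-minute window.

```python
"""Hunt for the two-phase pattern (slow /sobjects recon, then a /query burst)
in Salesforce REST API logs. The CSV layout here is constructed for the
example; map the columns to your real export before use."""
import csv
import io
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SOBJECTS_RE = re.compile(r"^/services/data/v\d+\.\d+/sobjects(?:/|$)")
QUERY_RE = re.compile(r"^/services/data/v\d+\.\d+/query(?:All)?(?:/|$)")

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 50    # assumed threshold; tune to your org's per-app baseline
RECON_MIN_OBJECTS = 5   # distinct sObjects described before we call it recon


def parse_log(text):
    """Parse the constructed CSV format into time-sorted dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "ts": datetime.strptime(r["timestamp"], "%Y-%m-%dT%H:%M:%SZ"),
            "app": r["connected_app"],
            "user": r["user_id"],
            "path": r["uri"].split("?", 1)[0],   # drop the SOQL query string
        })
    rows.sort(key=lambda r: r["ts"])
    return rows


def detect(rows):
    """Return one finding per (connected_app, user) principal that bursts on /query.

    Recon is tracked per principal as the set of sObject names it described;
    the burst is a sliding 15-minute count of /query calls."""
    findings = []
    recon = defaultdict(set)      # principal -> sObject names seen under /sobjects
    window = defaultdict(deque)   # principal -> timestamps of /query calls in window
    reported = set()
    for r in rows:
        key = (r["app"], r["user"])
        if SOBJECTS_RE.match(r["path"]):
            parts = r["path"].split("/")
            # /services/data/v59.0/sobjects/Account/describe -> "Account"
            recon[key].add(parts[5] if len(parts) > 5 else "*")
        elif QUERY_RE.match(r["path"]):
            q = window[key]
            q.append(r["ts"])
            while q and r["ts"] - q[0] > BURST_WINDOW:
                q.popleft()
            if len(q) >= BURST_THRESHOLD and key not in reported:
                reported.add(key)
                findings.append({
                    "principal": key,
                    "burst_queries": len(q),
                    "burst_start": q[0],
                    "burst_end": r["ts"],
                    "recon_objects": sorted(recon[key]),
                    "preceded_by_recon": len(recon[key]) >= RECON_MIN_OBJECTS,
                })
    return findings


def build_sample_log():
    """Constructed sample traffic; user IDs, app names and timing are made up."""
    base = datetime(2026, 6, 15, 2, 0, 0)
    lines = ["timestamp,user_id,connected_app,method,uri"]

    def add(ts, user, app, uri):
        lines.append(f"{ts:%Y-%m-%dT%H:%M:%SZ},{user},{app},GET,{uri}")

    # Benign integration: one SOQL query every five minutes for an hour.
    for i in range(12):
        add(base + timedelta(minutes=5 * i), "005000000000001", "Nightly Reports",
            "/services/data/v59.0/query?q=SELECT+Id+FROM+Case")
    # Suspicious principal: describes 8 objects one at a time over ~5 hours,
    # then fires 120 queries in 10 minutes (the page reports ~1000 in 15).
    objs = ["Account", "Contact", "Opportunity", "Lead", "Case", "Contract", "Quote", "User"]
    for i, name in enumerate(objs):
        add(base + timedelta(minutes=45 * i), "005000000000002", "Klue Battlecards",
            f"/services/data/v59.0/sobjects/{name}/describe")
    burst = base + timedelta(hours=7)
    for i in range(120):
        add(burst + timedelta(seconds=5 * i), "005000000000002", "Klue Battlecards",
            f"/services/data/v59.0/query?q=SELECT+Id+FROM+Account+LIMIT+200+OFFSET+{200 * i}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    for f in detect(parse_log(build_sample_log())):
        secs = (f["burst_end"] - f["burst_start"]).total_seconds()
        print(f"{f['principal']}: {f['burst_queries']} /query calls in {secs:.0f}s "
              f"(~{f['burst_queries'] / max(secs, 1) * 60:.0f}/min); "
              f"recon={f['preceded_by_recon']} objects={f['recon_objects']}")
```

The finding is keyed on the connected app and user together because a compromised vendor token looks exactly like the vendor's own traffic; only the per-principal rate and the preceding describe calls separate it from the benign integration in the sample. The threshold of 50 in 15 minutes is an assumption for the example; set it from your own baseline, since a reporting integration that legitimately pages through large objects will need a higher one.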

Huntress, which disclosed that it was among the affected organizations, provided additional detail. Klue told customers that attackers used a dormant but still active credential created for a prototype integration to gain initial access. Once inside Klue's environment, they stole customer OAuth tokens and used them to query connected Salesforce instances directly.

Who is Icarus, and what are they demanding?

Icarus appears to have launched in April 2026. The group's tactics initially resembled those of ShinyHunters, another extortion operation known for targeting third-party integrations, but BleepingComputer confirmed that ShinyHunters was not behind this campaign.

Image: Icarus extortion email

Icarus has already begun emailing extortion demands to affected Klue customers. The ransom notes, sent using the alias "mr bean," include a Session Messenger ID for victims to contact the attackers. Huntress confirmed receiving a similar extortion email, and the Session ID matched the one listed on the Icarus data leak site.

Image: Message on the Icarus data leak site

The group's leak site currently displays a message titled "Get Ready," stating: "big corps getting listed. be ready." At least one victim previously listed on the site has since been removed, which often indicates that negotiations are in progress or a payment has been made.

Which integrations has Klue disabled?

Klue has cut connections to multiple platforms while responding to the incident. Beyond Salesforce, the company has disabled integrations with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack. The breadth of the shutdown suggests Klue is treating this as a compromise of its entire integration infrastructure, not just the Salesforce connection.

For organizations that relied on Klue Battlecards for competitive intelligence, this creates an immediate operational gap. Sales teams using the integration to surface competitor data during deals will need to find manual workarounds until Klue restores connectivity.

Third-party OAuth integrations remain a blind spot

This attack highlights a persistent problem: organizations often grant OAuth access to third-party tools without visibility into how those vendors secure their own systems. When a vendor like Klue is compromised, every customer's connected data becomes accessible to the attacker with whatever scopes and record visibility the integration user was granted, and the requests arrive through the vendor's legitimate API connection rather than through any exploit against Salesforce.

The attack pattern, slow reconnaissance followed by rapid exfiltration, also shows how difficult these breaches are to detect. The initial queries blend into normal API traffic. By the time the burst phase begins, the attackers already know exactly what they want.


Frequently Asked Questions

What is the Klue OAuth breach?

Attackers compromised Klue's backend systems and pushed a malicious code update that stole OAuth tokens. These tokens allowed the attackers to access customers' connected Salesforce instances and exfiltrate CRM data.

Who is behind the Klue Salesforce data theft?

A new extortion group called Icarus, which launched in April 2026. The group is now sending ransom demands to affected organizations and threatens to leak stolen data.

Has Salesforce been directly breached?

No. Salesforce itself was not breached. The attackers used stolen OAuth tokens from Klue to access customer Salesforce instances through legitimate API connections.

What should Klue customers do now?

Review Salesforce API activity for the Klue connected app and its integration user, looking in particular for slow enumeration of '/services/data/v59.0/sobjects' followed by a burst of requests to '/services/data/v59.0/query'; Salesforce Event Monitoring's RestApi event logs and the Login History are the places to check. Revoke the tokens by blocking the Klue app under Setup > Connected Apps OAuth Usage, rotate any other credentials or API keys the integration held, and monitor for extortion emails sent under the "mr bean" alias with a Session Messenger ID.

Which other platforms were affected by the Klue breach?

Klue has disabled integrations with HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while investigating, though confirmed data theft has only been reported from Salesforce instances.


Logicity's Take

The Klue breach exposes how SaaS supply chains create cascading risk. A single compromised vendor can unlock access to every platform its customers have connected. Organizations need to treat OAuth grants like they treat admin credentials: audit them regularly, revoke unused connections, and monitor API activity for anomalies. The fact that Icarus exploited a dormant prototype credential is a reminder that forgotten access points are often the first ones attackers find.




Huma Shazia

Senior AI & Tech Writer
