Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion Campaign
A recent OAuth breach at market intelligence platform Klue has enabled the Icarus threat group to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. The attack, first reported by BleepingComputer and confirmed by cybersecurity firms ReliaQuest and Huntress, has prompted Salesforce to disable the Klue Battlecards integration while investigations continue.
How the Attack Unfolded
Attackers compromised Klue’s backend systems, leveraging a dormant but active credential from a prototype integration. Once inside, they deployed a malicious code update to harvest OAuth tokens used by customers to connect Klue Battlecards with third-party platforms, including Salesforce.
Using these stolen tokens, the threat actors executed automated Python scripts to query Salesforce’s REST API for nearly 24 hours. Initial reconnaissance targeted the /services/data/v59.0/sobjects endpoint, followed by rapid data exfiltration via /services/data/v59.0/query. In one case, attackers sent nearly 1,000 queries in 15 minutes, shifting from stealthy reconnaissance to high-speed theft.
Extortion Demands & Icarus Involvement
While initial activity resembled past attacks by ShinyHunters, BleepingComputer confirmed that the Icarus group active since April 2026 is behind the campaign. Victims received extortion emails from an alias "mr bean" with a Session Messenger ID for contact. Icarus’s data leak site also teased the campaign with a post titled "Get Ready," warning of upcoming corporate listings.
Huntress, one of the affected organizations, confirmed receiving a similar extortion email, with the provided Session ID matching Icarus’s dark web leak site. The stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account details, though no evidence suggests compromise of passwords, payment data, or engineering systems.
Response & Mitigation
Klue has disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while addressing the breach. Salesforce has also suspended the Klue Battlecards app, preventing new connections until further notice.
Security firms have shared IP addresses linked to the attacks:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
Organizations using Klue integrations are urged to review logs, revoke OAuth tokens, terminate active sessions, and monitor for unusual API activity.
Huntress TPRM report: https://www.rankiteo.com/company/huntress-labs
Salesforce TPRM report: https://www.rankiteo.com/company/salesforce
Klue TPRM report: https://www.rankiteo.com/company/klue
"id": "hunsalklu1781793603",
"linkid": "huntress-labs, salesforce, klue",
"type": "Cyber Attack",
"date": "6/2026",
"severity": "85",
"impact": "4",
"explanation": "Attack with significant impact with customers data leaks"
{'affected_entities': [{'customers_affected': 'Multiple organizations',
'industry': 'Technology, SaaS',
'name': 'Klue',
'type': 'Market Intelligence Platform'},
{'industry': 'Cybersecurity',
'name': 'Huntress',
'type': 'Cybersecurity Firm'}],
'attack_vector': 'Compromised OAuth tokens, Malicious code update',
'customer_advisories': 'Organizations using Klue integrations urged to review '
'logs, revoke OAuth tokens, terminate active sessions, '
'and monitor for unusual API activity',
'data_breach': {'data_exfiltration': 'Yes, via Salesforce REST API queries',
'personally_identifiable_information': 'Business contacts (no '
'evidence of PII like '
'passwords or payment '
'data)',
'sensitivity_of_data': 'High (competitive intelligence, sales '
'data)',
'type_of_data_compromised': 'Business contacts, sales '
'communications, price quotes, '
'competitive intelligence '
'reports, account details'},
'description': 'A recent OAuth breach at market intelligence platform Klue '
'enabled the Icarus threat group to steal Salesforce CRM data '
'from multiple organizations as part of an ongoing extortion '
'campaign. Attackers compromised Klue’s backend systems, '
'leveraging a dormant credential to deploy a malicious code '
'update that harvested OAuth tokens. These tokens were used to '
'execute automated Python scripts to query and exfiltrate '
'Salesforce data via REST API. Extortion demands were sent by '
'the Icarus group, with stolen data including business '
'contacts, sales communications, and competitive intelligence '
'reports.',
'impact': {'data_compromised': 'Business contacts, sales communications, '
'price quotes, competitive intelligence '
'reports, account details',
'operational_impact': 'Klue disabled integrations with Salesforce, '
'HubSpot, SharePoint, Zoom, Gong, Chorus, '
'Clari, Google Drive, and Slack; Salesforce '
'suspended the Klue Battlecards app',
'payment_information_risk': 'No evidence of compromise',
'systems_affected': 'Salesforce CRM, Klue Battlecards integration'},
'initial_access_broker': {'entry_point': 'Compromised Klue backend systems '
'via dormant credential',
'high_value_targets': 'Salesforce CRM data',
'reconnaissance_period': 'Initial reconnaissance '
'targeted '
'`/services/data/v59.0/sobjects` '
'endpoint'},
'investigation_status': 'Ongoing',
'motivation': 'Extortion, Data Theft',
'post_incident_analysis': {'corrective_actions': 'Disable unused '
'integrations, revoke OAuth '
'tokens, enhance monitoring '
'of API activity',
'root_causes': 'Dormant but active credential from '
'a prototype integration, lack of '
'monitoring for unusual API '
'activity'},
'ransomware': {'data_exfiltration': 'Yes'},
'recommendations': 'Review logs, revoke OAuth tokens, terminate active '
'sessions, monitor for unusual API activity, disable '
'unused integrations',
'references': [{'source': 'BleepingComputer'},
{'source': 'ReliaQuest'},
{'source': 'Huntress'}],
'response': {'containment_measures': 'Disabled integrations with Salesforce, '
'HubSpot, SharePoint, Zoom, Gong, '
'Chorus, Clari, Google Drive, and Slack; '
'revoked OAuth tokens',
'enhanced_monitoring': 'Monitor for unusual API activity',
'remediation_measures': 'Salesforce suspended the Klue '
'Battlecards app; organizations urged to '
'review logs, revoke OAuth tokens, and '
'terminate active sessions',
'third_party_assistance': 'ReliaQuest, Huntress'},
'threat_actor': 'Icarus',
'title': 'Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion '
'Campaign',
'type': 'Data Breach, Extortion',
'vulnerability_exploited': 'Dormant but active credential from a prototype '
'integration'}