Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks
Market intelligence platform Klue suffered an OAuth breach exploited by the 'Icarus' threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.

Market intelligence platform Klue suffered an OAuth breach that enabled the 'Icarus' threat actors to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.
Sources told BleepingComputer yesterday that numerous organizations had their Salesforce data stolen in the attack and were now being extorted by the relatively new extortion group. Cybersecurity firms ReliaQuest and Huntress have both published reports confirming the security incident, with Huntress stating that its own Salesforce data was stolen in the attack.
Salesforce has since disabled the Klue Battlecards integration on its platform while the breach is investigated. 'To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,' Salesforce warned yesterday. 'As a result, organizations will not be able to connect to Salesforce via this app until further notice.'
ReliaQuest stated that attackers gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to carry out data theft. The researchers observed the threat actors generating OAuth tokens and then using automated Python scripts to query Salesforce's REST API for nearly 24 hours. The activity began with reconnaissance of an organization's Salesforce instances through the '/services/data/v59.0/sobjects' endpoint before exfiltrating data through the '/services/data/v59.0/query' endpoint.
ReliaQuest said that for one of the organizations, the attackers slowly mapped out their Salesforce objects to identify valuable objects and then rapidly stole data once they knew what they wanted. 'The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment,' explained ReliaQuest. 'Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In another case, the exfiltration was observed over 6 hours.'
The researchers said the activity closely resembled previous Salesforce third-party integration data theft attacks by the ShinyHunters extortion group, but was unable to attribute the attacks to that threat actor. However, BleepingComputer learned yesterday that ShinyHunters was not behind this attack, but rather a relatively new threat actor known as 'Icarus' that had already begun emailing extortion demands to Klue customers impacted by the breach. A ransom note shared with BleepingComputer showed that the emails were sent using the alias 'mr bean' and included a Session Messenger ID to contact them.
Today, Huntress disclosed that it was among the organizations impacted by the Klue breach, confirming that it had received an extortion email similar to the one seen by BleepingComputer. However, the Session ID used in later emails was different and was instead the one listed on the Icarus data leak site, providing additional evidence that the group was behind the attack. According to Huntress, Klue told customers that attackers first compromised the company's backend systems and then pushed a malicious code update that stole the OAuth tokens customers use to integrate the Battlecards product with third-party platforms. The attackers reportedly used a dormant but still active credential created by Klue for a prototype integration. After gaining access to Klue's environment, they stole customer OAuth tokens and used them to query connected Salesforce environments directly.
Organizations using Klue integrations are advised to review Salesforce and related SaaS logs for activity originating from the IP addresses linked to the attacks: 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160. They should also revoke and rotate OAuth tokens, terminate active sessions, and review Salesforce logs for unusual API activity. The incident highlights the risks of third-party OAuth integrations and supply-chain attacks, as a single compromised integration can cascade into data theft across multiple customer environments.
New reporting from Huntress, a Klue customer that lost CRM data in the incident, reveals the attack began on June 11 when adversaries pushed a code update to collect OAuth tokens, with Klue detecting unusual activity the next day. Huntress employees received ransom threats on Tuesday, June 17, demanding negotiations within 48 hours or stolen data would be leaked. The stolen data includes business contacts, price quotes, and sales-related messages, but Huntress confirmed no threat data, passwords, or payment card information was exfiltrated. ReliaQuest's analysis shows the attackers used compromised Klue integration service accounts to generate OAuth tokens and ran automated Python scripts for nearly 24 hours to siphon Salesforce data via REST API queries.
ReliaQuest researchers have now published a detailed technical breakdown of the attack, revealing a two-phase exfiltration pattern: a slow extraction phase using sustained looped REST API queries over nearly 24 hours, followed by a burst phase in at least one environment where nearly 1,000 queries were sent within a 15-minute window. The attackers used compromised Klue integration service account credentials to generate OAuth tokens and deployed automated Python scripts identifiable by Python-urllib user-agent strings. Salesforce has officially disabled the Klue Battlecards app's connection to its platform, and ReliaQuest assesses it is highly likely that threat actors will continue targeting Salesforce-connected third-party integrations through the remainder of 2026.
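The access pattern described above (reconnaissance against the sobjects endpoint, then looped queries against the query endpoint, a Python-urllib user agent, and a burst of roughly a thousand queries in 15 minutes) lends itself to a simple hunt over API logs, which is what organizations with Klue integrations are advised to do. The following is an added example written for this article; it is not code from BleepingComputer, Klue, ReliaQuest, Huntress or Salesforce. It works on a constructed, simplified log line format (timestamp, client IP, quoted user agent, request URI) rather than a real Salesforce Event Monitoring export, so field names must be mapped before use, and the burst threshold of 100 queries per 15 minutes is an assumed value to tune against a tenant's normal API volume. The IP addresses are the ones the article links to the attacks.

```python
"""Hunt for the Klue/Icarus Salesforce API access pattern in API logs.

Added example, not code from the article's sources. Log format is a
constructed simplification: '<ISO timestamp> <client ip> "<user agent>" <uri>'.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# IP addresses the article links to the attacks.
IOC_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}

# Endpoints named in the article: object reconnaissance, then SOQL exfiltration.
SOBJECTS_PREFIX = "/services/data/v59.0/sobjects"
QUERY_PREFIX = "/services/data/v59.0/query"

BURST_WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 100  # assumed value; tune to the tenant's normal API volume


def parse_line(line):
    """Parse one constructed log line into a dict (ts, ip, ua, uri)."""
    ts_str, rest = line.split(" ", 1)
    ip, rest = rest.split(" ", 1)
    ua_end = rest.index('"', 1)          # rest starts with the opening quote
    return {
        "ts": datetime.fromisoformat(ts_str),
        "ip": ip,
        "ua": rest[1:ua_end],
        "uri": rest[ua_end + 1:].strip(),
    }


def analyze(lines):
    """Return {client_ip: sorted list of findings} for IPs that match any rule."""
    findings = defaultdict(set)
    recon_seen = set()                    # IPs that enumerated objects via sobjects
    query_times = defaultdict(deque)      # ip -> timestamps of query calls in window
    for rec in map(parse_line, lines):
        ip = rec["ip"]
        if ip in IOC_IPS:
            findings[ip].add("ioc_ip")
        if rec["ua"].startswith("Python-urllib"):
            findings[ip].add("python_urllib_ua")
        if rec["uri"].startswith(SOBJECTS_PREFIX):
            recon_seen.add(ip)
        elif rec["uri"].startswith(QUERY_PREFIX):
            window = query_times[ip]
            window.append(rec["ts"])
            # Drop timestamps older than the sliding 15-minute window.
            while window and rec["ts"] - window[0] > BURST_WINDOW:
                window.popleft()
            if len(window) >= BURST_THRESHOLD:
                findings[ip].add("query_burst")
                if ip in recon_seen:
                    findings[ip].add("recon_then_burst")
    return {ip: sorted(f) for ip, f in findings.items()}


def build_sample_log():
    """Constructed sample: a benign browser user plus one session matching the pattern."""
    base = datetime(2026, 6, 11, 9, 0, 0)
    lines = [
        f'{(base + timedelta(minutes=i)).isoformat()} 10.0.0.5 "Mozilla/5.0" '
        f'{QUERY_PREFIX}?q=SELECT+Id+FROM+Account'
        for i in range(3)
    ]
    # Reconnaissance first, then 120 queries five seconds apart (10 minutes total).
    lines.append(f'{base.isoformat()} 212.86.125.24 "Python-urllib/3.11" {SOBJECTS_PREFIX}')
    lines += [
        f'{(base + timedelta(seconds=5 * i)).isoformat()} 212.86.125.24 '
        f'"Python-urllib/3.11" {QUERY_PREFIX}?q=SELECT+Id+FROM+Contact'
        for i in range(120)
    ]
    return lines


if __name__ == "__main__":
    for ip, hits in analyze(build_sample_log()).items():
        print(ip, ", ".join(hits))
```

Each rule is deliberately independent: the IoC list and user-agent checks catch this specific campaign, while the recon-then-burst rule keys on behaviour and will still fire if a future campaign changes IP addresses and client library. Any IP that trips the burst rule is a candidate for the token revocation and session termination steps the article recommends.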
The ongoing Icarus campaign has now expanded to include the compromise of Klue's Battlecards app, marking the third third-party Salesforce-integrated application breached in this series of attacks. Dark Reading reports that Huntress, a cybersecurity vendor, is among the latest victims, with attackers leveraging the app's legitimate OAuth permissions to exfiltrate sensitive customer records from Salesforce tenants. This escalation underscores the persistent threat posed by supply-chain attacks targeting trusted ecosystem integrations, as threat actors continue to exploit the same OAuth-based access vector used in prior incidents.