Klue OAuth breach tied to Icarus Salesforce data theft campaign

▼ Summary
– Klue suffered an OAuth breach that allowed the “Icarus” threat actor to steal Salesforce CRM data from multiple organizations in an ongoing extortion campaign.
– Attackers compromised Klue’s backend systems, pushed a malicious code update, and used stolen OAuth tokens to query Salesforce’s REST API for data theft.
– Salesforce disabled the Klue Battlecards integration on its platform while the breach is investigated, preventing further connections via the app.
– Icarus, a relatively new extortion group that launched in April 2026, sent extortion demands to impacted Klue customers using the alias “mr bean.”
– Stolen data includes CRM information such as business contacts, sales communications, price quotes, and account data, but no passwords, payment data, or engineering systems were compromised.
Market intelligence provider Klue has fallen victim to an OAuth security breach that allowed the threat group known as “Icarus” to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. The attack, which came to light yesterday through sources speaking with BleepingComputer, has already prompted extortion demands against several impacted companies.
Cybersecurity firms ReliaQuest and Huntress have both published detailed reports confirming the incident, with Huntress revealing that its own Salesforce data was compromised in the breach. In response, Salesforce has disabled the Klue Battlecards integration on its platform while the investigation continues. “To protect our customers, Salesforce has disabled the connection between the Klue Battlecards app, installed by individual customers, and Salesforce as part of our response to a recent security incident,” the company warned yesterday. “As a result, organizations will not be able to connect to Salesforce via this app until further notice.”
The attack unfolded when adversaries gained access to Klue Battlecards integration service accounts and used OAuth tokens associated with customer Salesforce instances to exfiltrate data. ReliaQuest observed the threat actors generating OAuth tokens and deploying automated Python scripts to query Salesforce’s REST API for nearly 24 hours. The operation began with reconnaissance, targeting the ‘/services/data/v59.0/sobjects’ endpoint to map out Salesforce objects before pivoting to data theft via ‘/services/data/v59.0/query’.
According to ReliaQuest, in one environment the attackers methodically mapped out Salesforce objects to identify valuable targets, then rapidly extracted data once they knew what they wanted. “The attacker then hit the same endpoint, sending almost a thousand queries in a 15-minute window in at least one environment,” the firm explained. “Where the first stage was a slow, steady pull designed to blend in, this burst traded stealth for speed, suggesting either time pressure or a shift to targeted records. In another case, the exfiltration was observed over 6 hours.”
While the activity closely mirrored previous third-party integration data theft attacks by the ShinyHunters extortion group, researchers could not definitively attribute the incident to that actor. BleepingComputer later learned that ShinyHunters was not responsible. Instead, a relatively new threat actor called “Icarus” had already begun sending extortion emails to Klue customers impacted by the breach.
A ransom note shared with BleepingComputer revealed that the emails were sent under the alias “mr bean” and included a Session Messenger ID for contact. The Icarus data leak site also posted a message hinting at the campaign with a simple post titled “Get Ready,” stating, “big corps getting listed. be ready.”
Icarus is believed to have launched in April 2026, initially listing two victims on its leak site. BleepingComputer learned that at least one of those victims is connected to the Klue campaign. That company has since been removed from the site, suggesting negotiations may be underway.
Today, Huntress disclosed that it was among the organizations affected, confirming receipt of a similar extortion email. However, the Session ID used in later emails differed from the initial contact and matched the one listed on the Icarus data leak site, providing further evidence of their involvement. “In the initial email, the adversary suggests, ‘we advice you to write to us on Session,'” reported Huntress. “The Session Messenger ID that they provided matched the same values included on the dark web leak site of a new extortion group dubbed ‘Icarus.'”
According to Huntress, Klue informed customers that attackers first compromised the company’s backend systems and then pushed a malicious code update that stole OAuth tokens used for integrating the Battlecards product with third-party platforms. The attackers reportedly exploited a dormant but still active credential created by Klue for a prototype integration. Once inside Klue’s environment, they stole customer OAuth tokens and used them to directly query connected Salesforce environments.
Klue later disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while responding to the incident. Huntress said the stolen data includes CRM-related information, such as business contacts, sales communications, price quotes, competitive intelligence reports, and account data. However, the cybersecurity company found no evidence that threat intelligence, customer telemetry, passwords, payment card information, or engineering systems were compromised.
Both ReliaQuest and Huntress have shared IP addresses linked to the attacks: 138.226.246.94, 212.86.125.24, 213.111.148.90, and 94.154.32.160. Organizations using Klue integrations are advised to review Salesforce and related SaaS logs for activity originating from these addresses, revoke and rotate OAuth tokens, terminate active sessions, and scrutinize Salesforce logs for unusual API activity.
(Source: BleepingComputer)




