Klue OAuth breach victim list grows as Icarus hackers claim attack
Market intelligence platform Klue has publicly confirmed a recent security incident that allowed threat actors to steal OAuth tokens used to connect to customers’ Salesforce environments, as the new “Icarus” extortion group publicly claims the attack. According to Klue’s disclosure, “The attacker used that access to obtain OAuth tokens used to connect Klue with certain third-party platforms, including Salesforce, and subsequently accessed data within a number of connected customer environments.” The company says there is currently no evidence that customer content stored directly within the Klue platform was impacted and that the incident was limited to third-party integrations.
The Breach
The disclosure comes after cybersecurity firms Huntress and ReliaQuest detailed how attackers abused compromised Klue Battlecards integrations to steal Salesforce CRM data from multiple organizations.
Huntress later disclosed that its own Salesforce environment was affected by the Klue breach and that the stolen data included business contacts, sales communications, pricing information, and other records.
The disclosure also follows BleepingComputer’s earlier report that the attacks were linked to Icarus, after sources shared extortion emails sent to affected organizations.
ReliaQuest observed attackers generating OAuth tokens and using Python scripts to query Salesforce’s API for extended periods while data was being stolen.
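The pattern ReliaQuest describes, a single integration token issuing scripted, high-volume API queries for hours, is something a Salesforce admin can hunt for in API event logs. The following is an added example, not code from the article or from Klue, ReliaQuest or Salesforce; the event records are constructed and use a simplified schema whose field names are assumptions, not Salesforce’s exact EventLogFile columns.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample API events with a simplified schema (field names are
# assumptions for illustration, not Salesforce's exact EventLogFile columns).
BASE = datetime(2025, 6, 12, 1, 0)
SAMPLE_EVENTS = [
    # Normal integration sync: a few calls, small result sets, vendor user agent.
    {"ts": BASE + timedelta(minutes=i), "app": "klue-integration", "token": "tok-A",
     "user_agent": "Klue-Sync/2.1", "rows": 40}
    for i in range(0, 30, 10)
] + [
    # Scripted bulk export over six hours: one token, scripting agent, large pages.
    {"ts": BASE + timedelta(minutes=2 * i), "app": "klue-integration", "token": "tok-B",
     "user_agent": "python-requests/2.31", "rows": 2000}
    for i in range(180)
]

SCRIPTED_AGENTS = ("python-requests", "python-urllib", "aiohttp")

def summarize_sessions(events):
    """Aggregate calls per (connected app, OAuth token): span, call count, rows, agents."""
    sessions = defaultdict(lambda: {"first": None, "last": None, "calls": 0,
                                    "rows": 0, "agents": set()})
    for e in events:
        s = sessions[(e["app"], e["token"])]
        s["first"] = e["ts"] if s["first"] is None else min(s["first"], e["ts"])
        s["last"] = e["ts"] if s["last"] is None else max(s["last"], e["ts"])
        s["calls"] += 1
        s["rows"] += e["rows"]
        s["agents"].add(e["user_agent"])
    return sessions

def flag_suspicious(events, min_duration=timedelta(hours=2), min_calls=100, min_rows=50_000):
    """Return tokens whose usage looks like scripted bulk export: sustained for hours,
    many calls, large row volume, or a scripting user agent on an integration token."""
    flagged = {}
    for (app, token), s in summarize_sessions(events).items():
        reasons = []
        if s["last"] - s["first"] >= min_duration:
            reasons.append("sustained for %s" % (s["last"] - s["first"]))
        if s["calls"] >= min_calls:
            reasons.append("%d calls" % s["calls"])
        if s["rows"] >= min_rows:
            reasons.append("%d rows returned" % s["rows"])
        if any(a.lower().startswith(SCRIPTED_AGENTS) for a in s["agents"]):
            reasons.append("scripting user agent")
        if len(reasons) >= 2:  # two signals required to limit noise from large legitimate syncs
            flagged[token] = reasons
    return flagged

if __name__ == "__main__":
    for token, reasons in flag_suspicious(SAMPLE_EVENTS).items():
        print(token, "->", "; ".join(reasons))
```

A hit on an integration token is the cue to revoke that token and the connected app’s refresh tokens, which is the containment step Klue reports taking.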
“On June 12, we identified unauthorized activity affecting a portion of Klue’s integration infrastructure. Since then, we’ve been working alongside trusted cybersecurity experts to understand what happened, support our customers, and restore the connections you rely on,” a Klue spokesperson said.
Affected Data & Victims
ReliaQuest and Huntress found that the attackers used stolen OAuth credentials associated with Klue integrations to access customer Salesforce environments and conduct large-scale data theft.
Almost all of the affected organizations say the incident led to the theft of data from their Salesforce instances and did not affect their platforms, infrastructure, payment information, or internal systems.
In a statement published this week, Klue CEO Jason Smith confirmed that the company discovered unauthorized activity on June 12 affecting part of Klue’s integration infrastructure.
What Victims Should Do
- Klue says it immediately revoked affected credentials and tokens, removed unauthorized code, disabled impacted integrations, launched an investigation, and notified law enforcement.
Analysis
As AI tooling proliferates, security teams face expanding attack surfaces tied to model inference and data pipelines.
Affected individuals should monitor their financial and online accounts for suspicious activity and consider enrolling in any offered credit monitoring or identity protection services. Organizations must conduct a thorough post-incident review to identify the root cause and gaps in security controls that allowed the breach to occur. Regulatory notification requirements should be assessed based on jurisdiction and the types of data involved, with legal counsel engaged early in the process. Communications teams should prepare transparent disclosure messaging for customers, partners, and regulators. Beyond the immediate response, organizations should update their data handling policies, encryption standards, and access controls to reduce the likelihood of recurrence. Third-party risk assessments may also be warranted if the breach originated with a vendor or service provider.