Klue A.I CyberSecurity Scoring
Klue
Company Information
Website: http://www.klue.com
Number of employees: 199
Number of followers: 32,457
NAICS: 5112
Industry Type: Software Development
Homepage: klue.com
Klue Risk Score (AI oriented)
Between 700 and 749
Updated: 18/06/2026
735/1000
Moderate
Ba
1 incident
-18 avg impact
Incident timeline with MITRE ATT&CK tactics, techniques, and mitigations.
JUNE 2026
753
Cyber Attack
17 Jun 2026 • Klue
Huntress, Salesforce and Klue: Klue OAuth breach linked to 'Icarus' Salesforce data theft attacks
735
CRITICAL-18
HUNSALKLU1781793603
Klue OAuth Breach Exposes Salesforce Data in Icarus Extortion Campaign
A recent OAuth breach at market intelligence platform Klue has enabled the Icarus threat group to steal Salesforce CRM data from multiple organizations as part of an ongoing extortion campaign. The attack, first reported by BleepingComputer and confirmed by cybersecurity firms ReliaQuest and Huntress, has prompted Salesforce to disable the Klue Battlecards integration while investigations continue.
### How the Attack Unfolded
Attackers compromised Klue’s backend systems, leveraging a dormant but active credential from a prototype integration. Once inside, they deployed a malicious code update to harvest OAuth tokens used by customers to connect Klue Battlecards with third-party platforms, including Salesforce.
Using these stolen tokens, the threat actors executed automated Python scripts to query Salesforce’s REST API for nearly 24 hours. Initial reconnaissance targeted the `/services/data/v59.0/sobjects` endpoint, followed by rapid data exfiltration via `/services/data/v59.0/query`. In one case, attackers sent nearly 1,000 queries in 15 minutes, shifting from stealthy reconnaissance to high-speed theft.
### Extortion Demands & Icarus Involvement
While initial activity resembled past attacks by ShinyHunters, BleepingComputer confirmed that the Icarus group, active since April 2026, is behind the campaign. Victims received extortion emails from the alias "mr bean" with a Session Messenger ID for contact. Icarus’s data leak site also teased the campaign with a post titled "Get Ready," warning of upcoming corporate listings.
Huntress, one of the affected organizations, confirmed receiving a similar extortion email, with the provided Session ID matching Icarus’s dark web leak site. The stolen data includes business contacts, sales communications, price quotes, competitive intelligence reports, and account details, though no evidence suggests compromise of passwords, payment data, or engineering systems.
### Response & Mitigation
Klue has disabled integrations with Salesforce, HubSpot, SharePoint, Zoom, Gong, Chorus, Clari, Google Drive, and Slack while addressing the breach. Salesforce has also suspended the Klue Battlecards app, preventing new connections until further notice.
Security firms have shared IP addresses linked to the attacks:
- 138.226.246.94
- 212.86.125.24
- 213.111.148.90
- 94.154.32.160
Organizations using Klue integrations are urged to review logs, revoke OAuth tokens, terminate active sessions, and monitor for unusual API activity.
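As an added example (not code from Klue, Salesforce, or the firms cited above), the log review described here can be scripted as a sliding-window check for the reported pattern: a `/sobjects` listing followed by a burst of `/query` calls, plus a match against the four IP addresses listed on this page. The record layout `(timestamp, client_ip, app_name, uri)`, the threshold of 500 calls per 15 minutes, and the sample events are assumptions constructed for illustration; map them to whatever your API event logs actually export.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Source IPs listed on this page as linked to the attacks.
REPORTED_IPS = {"138.226.246.94", "212.86.125.24", "213.111.148.90", "94.154.32.160"}
SOBJECTS = "/services/data/v59.0/sobjects"
QUERY = "/services/data/v59.0/query"
WINDOW = timedelta(minutes=15)
BURST_THRESHOLD = 500  # assumed tuning value, below the ~1,000 per 15 min reported


def detect(events, threshold=BURST_THRESHOLD):
    """events: iterable of (iso_timestamp, client_ip, app_name, uri), any order.
    Returns {(app_name, client_ip): sorted list of reasons}."""
    findings = defaultdict(set)
    enumerated = set()           # keys that already listed /sobjects
    recent = defaultdict(deque)  # key -> /query timestamps inside the window
    for ts, ip, app, uri in sorted(events):
        key, when = (app, ip), datetime.fromisoformat(ts)
        path = uri.split("?", 1)[0].rstrip("/")
        if ip in REPORTED_IPS:
            findings[key].add("reported_ip")
        if path == SOBJECTS:
            enumerated.add(key)
        elif path == QUERY:
            q = recent[key]
            q.append(when)
            while when - q[0] > WINDOW:  # drop calls older than 15 minutes
                q.popleft()
            if len(q) >= threshold:
                findings[key].add("query_burst")
                if key in enumerated:
                    findings[key].add("enumeration_then_burst")
    return {k: sorted(v) for k, v in findings.items()}


def sample_events():
    """Constructed sample log, not real telemetry."""
    t0 = datetime(2026, 6, 16, 2, 0, 0)
    rows = [(t0.isoformat(), "212.86.125.24", "Klue Battlecards", SOBJECTS)]
    rows += [((t0 + timedelta(seconds=60 + i)).isoformat(), "212.86.125.24",
              "Klue Battlecards", QUERY + "?q=SELECT+Id+FROM+Account")
             for i in range(880)]  # 880 queries in under 15 minutes
    rows += [((t0 + timedelta(minutes=10 * i)).isoformat(), "198.51.100.7",
              "Klue Battlecards", QUERY + "?q=SELECT+Id+FROM+Lead")
             for i in range(20)]  # benign pace from a documentation-range IP
    return rows
```

Calling `detect(sample_events())` flags only the first client, with all three reasons. Keying on the integration and source IP together keeps a normal sync job from masking a burst that arrives from a new address.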
MAY 2026: 753
APRIL 2026: 753
MARCH 2026: 753
FEBRUARY 2026: 753
JANUARY 2026: 753
DECEMBER 2025: 753
NOVEMBER 2025: 753
OCTOBER 2025: 753
SEPTEMBER 2025: 753
AUGUST 2025: 753
JULY 2025: 753
Frequently Asked Questions
What is the current A.I Rankiteo Cyber Score for Klue?
What was Klue's A.I Rankiteo Cyber Score in May 2026?
What was Klue's A.I Rankiteo Cyber Score in April 2026?
What was Klue's A.I Rankiteo Cyber Score in March 2026?
What was Klue's A.I Rankiteo Cyber Score in February 2026?
What was Klue's A.I Rankiteo Cyber Score in January 2026?
What was Klue's A.I Rankiteo Cyber Score in December 2025?
What was Klue's A.I Rankiteo Cyber Score in November 2025?
What was Klue's A.I Rankiteo Cyber Score in October 2025?
What was Klue's A.I Rankiteo Cyber Score in September 2025?
What was Klue's A.I Rankiteo Cyber Score in August 2025?
What was Klue's A.I Rankiteo Cyber Score in July 2025?
What is the average per-incident point impact on Klue's A.I Rankiteo Cyber Score over the past 12 months?
Where can I access detailed records of all cyber incidents associated with Klue?
Where can I find a summary of the A.I Rankiteo Risk Scoring methodology?
Where can I view Klue's profile page on Rankiteo?
How accurate is the A.I Rankiteo Risk Scoring methodology?